cycbot | 6723e2105e8f015634d802495b04e871bdacacb08faa0faf68eda0bb235b565d

General

Target

ff03531ad8c83399ce5fc9f96c883e70_JaffaCakes118.exe
Size

164KB
MD5

ff03531ad8c83399ce5fc9f96c883e70
SHA1

ccf7eb9e44bb5b95f732c4dcef87760ded5184cd
SHA256

6723e2105e8f015634d802495b04e871bdacacb08faa0faf68eda0bb235b565d
SHA512

0e806b078053fb3e76fe87ab5c52d270ba3d27307bedb28cb6f5684c1d04fc504e155a1811bcc6910cadb0e1f98cb753bceaa54d6e023e6de3cdb94bc30b59b6
SSDEEP

3072:Nq2QaPFCJm5y/MC/ikf4jNDAL0nAftn6s4GAS:NJPF7kMCfM1AeAft6L

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2176-8-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/2176-10-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/684-15-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/684-76-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/2092-80-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/684-194-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	ff03531ad8c83399ce5fc9f96c883e70_JaffaCakes118.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/684-2-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2176-8-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2176-10-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/684-15-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/684-76-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2092-78-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2092-80-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/684-194-0x0000000000400000-0x0000000000445000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff03531ad8c83399ce5fc9f96c883e70_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff03531ad8c83399ce5fc9f96c883e70_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff03531ad8c83399ce5fc9f96c883e70_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 684 wrote to memory of 2176	684	ff03531ad8c83399ce5fc9f96c883e70_JaffaCakes118.exe	30
PID 684 wrote to memory of 2176	684	ff03531ad8c83399ce5fc9f96c883e70_JaffaCakes118.exe	30
PID 684 wrote to memory of 2176	684	ff03531ad8c83399ce5fc9f96c883e70_JaffaCakes118.exe	30
PID 684 wrote to memory of 2176	684	ff03531ad8c83399ce5fc9f96c883e70_JaffaCakes118.exe	30
PID 684 wrote to memory of 2092	684	ff03531ad8c83399ce5fc9f96c883e70_JaffaCakes118.exe	33
PID 684 wrote to memory of 2092	684	ff03531ad8c83399ce5fc9f96c883e70_JaffaCakes118.exe	33
PID 684 wrote to memory of 2092	684	ff03531ad8c83399ce5fc9f96c883e70_JaffaCakes118.exe	33
PID 684 wrote to memory of 2092	684	ff03531ad8c83399ce5fc9f96c883e70_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\ff03531ad8c83399ce5fc9f96c883e70_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ff03531ad8c83399ce5fc9f96c883e70_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:684
- C:\Users\Admin\AppData\Local\Temp\ff03531ad8c83399ce5fc9f96c883e70_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\ff03531ad8c83399ce5fc9f96c883e70_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2176
- C:\Users\Admin\AppData\Local\Temp\ff03531ad8c83399ce5fc9f96c883e70_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\ff03531ad8c83399ce5fc9f96c883e70_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\E182.74E

Filesize
300B

MD5
7e5d5136b8fb172995e19c53d68ea4b4

SHA1
95f31622375f74b50f54677bf56cde3a64a3b300

SHA256
26f3366db380147de603f70548500658558deadb0cb68645b27d55232092c416

SHA512
6142a2ee2a40323f5afa22987d7947d3d577859a650b23ba9932f48f565e62c0609ebbbc60f06bcce2c35b2794ec4f94287299f69303013e2f67c4c7c9afdc39

Download Submit
C:\Users\Admin\AppData\Roaming\E182.74E

Filesize
1KB

MD5
26e33d7a47b6b2fe232c8b372bd0423e

SHA1
2ea1b61cd0a14f7701d03b80a895f6ba25ef112d

SHA256
48e38282b514b34dd10ffb2db27ca24825e3d4f30671519865f91efed1d7a001

SHA512
715b90887103277501169c5987d86f89fca50c726ab7445d48450552c530f3959784d5915be7a0a85a4c367fdad985aa02a36222fd2dc84e564621fe58b91643

Download Submit
C:\Users\Admin\AppData\Roaming\E182.74E

Filesize
600B

MD5
d2451e2dcf55212e1a1de71aef4bcb13

SHA1
0a08190465edd4e153810455159d4853216b7a42

SHA256
f103987f4ea279dbb57515184764ff3d489b1260cf0b6e939e848fa65b4827cf

SHA512
030f3342f96f40e91cd8828bb9b46c7b8117db364910be137e3490cb1d7a05f072b40fa2d930ba6947604257173790b03a222a68aeb89321d06b46d4280487cf

Download Submit
C:\Users\Admin\AppData\Roaming\E182.74E

Filesize
996B

MD5
6343cfad09465dc6c043b77d247ada7f

SHA1
d91df9dad933f85025ab85c92fc7da19853a2162

SHA256
7b9bf7f23e39956820ca5fdfc6ee1861968bed08c79e0ba6176a82dbe8c0d64d

SHA512
4d184e83aeceb51a5c447704c9489972436c0388af2416a2d1a0166e9a801c5842db5d42f179a09517a02f2f4ee5cafc406e8f4fca23d31a131b404b474a40ce

Download Submit
memory/684-2-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/684-1-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/684-194-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/684-15-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/684-76-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2092-80-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2092-78-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2176-10-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2176-8-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads