cycbot | b1a3a33ead038619f7c5a782117e1bf3edbdd175f56f6a5c4d38553dbbb00ba4

General

Target

ff88b544259ec0286281b10e24fadc84_JaffaCakes118.exe
Size

169KB
MD5

ff88b544259ec0286281b10e24fadc84
SHA1

24a85bf9ef26ba1e18af3ce91c4df20df38915e3
SHA256

b1a3a33ead038619f7c5a782117e1bf3edbdd175f56f6a5c4d38553dbbb00ba4
SHA512

716e5c77da72765c07fadd10917668f29de9441a4b537a03d43ac12c696347d96c9a0fb3aced531bfb7c0e132171d84e111284c3b8c85dfa6980710765b9b9bc
SSDEEP

3072:bjpTVvQEK2qgxNhan2MtVpLqd/+ONZnIXkIiPyPgKg7pSkGRipPGs:bjpJnI1NVp2trX6kLqPgnc4FGs

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2432-6-0x0000000000400000-0x000000000043E000-memory.dmp	family_cycbot
behavioral1/memory/2132-13-0x0000000000400000-0x000000000043E000-memory.dmp	family_cycbot
behavioral1/memory/2204-72-0x0000000000400000-0x000000000043E000-memory.dmp	family_cycbot
behavioral1/memory/2132-73-0x0000000000400000-0x000000000043E000-memory.dmp	family_cycbot
behavioral1/memory/2132-166-0x0000000000400000-0x000000000043E000-memory.dmp	family_cycbot
behavioral1/memory/2132-205-0x0000000000400000-0x000000000043E000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	ff88b544259ec0286281b10e24fadc84_JaffaCakes118.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2132-2-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2432-5-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2432-6-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2132-13-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2204-72-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2132-73-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2132-166-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2132-205-0x0000000000400000-0x000000000043E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff88b544259ec0286281b10e24fadc84_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff88b544259ec0286281b10e24fadc84_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff88b544259ec0286281b10e24fadc84_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2432	2132	ff88b544259ec0286281b10e24fadc84_JaffaCakes118.exe	30
PID 2132 wrote to memory of 2432	2132	ff88b544259ec0286281b10e24fadc84_JaffaCakes118.exe	30
PID 2132 wrote to memory of 2432	2132	ff88b544259ec0286281b10e24fadc84_JaffaCakes118.exe	30
PID 2132 wrote to memory of 2432	2132	ff88b544259ec0286281b10e24fadc84_JaffaCakes118.exe	30
PID 2132 wrote to memory of 2204	2132	ff88b544259ec0286281b10e24fadc84_JaffaCakes118.exe	33
PID 2132 wrote to memory of 2204	2132	ff88b544259ec0286281b10e24fadc84_JaffaCakes118.exe	33
PID 2132 wrote to memory of 2204	2132	ff88b544259ec0286281b10e24fadc84_JaffaCakes118.exe	33
PID 2132 wrote to memory of 2204	2132	ff88b544259ec0286281b10e24fadc84_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\ff88b544259ec0286281b10e24fadc84_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ff88b544259ec0286281b10e24fadc84_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Users\Admin\AppData\Local\Temp\ff88b544259ec0286281b10e24fadc84_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\ff88b544259ec0286281b10e24fadc84_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2432
- C:\Users\Admin\AppData\Local\Temp\ff88b544259ec0286281b10e24fadc84_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\ff88b544259ec0286281b10e24fadc84_JaffaCakes118.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\769F.0DB

Filesize
1KB

MD5
570722ac3da95aeae3ac9fa5b0b20c83

SHA1
985006ac7121117f7dc1e009febd59f393c5a570

SHA256
3871c562a3e130e27d572338ac299ddcc192b42eaa95d99fec23ac5e9c16970a

SHA512
50ef50e9db8941339018472ea3848fd72515958634d4c12584d1a2643395c4371e82444a93f44e0d56bd73f373bd14209ef44bbe59ea4dc013fa27fd153a2ec4

Download Submit
C:\Users\Admin\AppData\Roaming\769F.0DB

Filesize
600B

MD5
698bb6da67bf4a4aa79ffb53910faf34

SHA1
5880dbd190cb15598a12fe06f0b1675948bc0570

SHA256
3c7f445c9d35d67fba6cf7ac63d2d502cc5c70891e07ddc9b03b56f98396e049

SHA512
bf85fa2e9651daacedc7ea9407678ec304f4b79058b62caeedbdc1cc3e10d48f1e569fac83f72ddd4561860f5538fa356d477f9a403482f8b782ad6b79d5bf41

Download Submit
C:\Users\Admin\AppData\Roaming\769F.0DB

Filesize
996B

MD5
88249e5e9d7c591d37d0474385f04e99

SHA1
ac8afdceded294e78d8faa2f651f45f125ba18d4

SHA256
083751ff8ec3f388cf1c4fe21a64cf47440349aab7dd7cc5205b3180ca72efc5

SHA512
633849000e1802997e1bf43f5e6dea7ffd2977705dc8566db5422be3b62d9ae18ae6a468ff2f7b452c3198a07cffa5c2a1991fb277f6533c7d5a4ea9120668e1

Download Submit
memory/2132-1-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2132-2-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2132-13-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2132-73-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2132-166-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2132-205-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2204-72-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2432-5-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2432-6-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads