cycbot | 6a3c0b2f9a5378997508abfc9f5faa733f34c388265594be563fb096fc7937ce

General

Target

JaffaCakes118_148ac484c89df27a5a766c954ae361f9.exe
Size

178KB
MD5

148ac484c89df27a5a766c954ae361f9
SHA1

a76406d0d20bca331b6310d25abd86a0e6c9f2be
SHA256

6a3c0b2f9a5378997508abfc9f5faa733f34c388265594be563fb096fc7937ce
SHA512

e2eee495826673beffd1dff60c37a6ab318ed2676583e52275c2f0ee10b6a7448929e4d3c0d224d776af1d77f0362faebc173688a642a9ca75aa0004e33eb8ab
SSDEEP

3072:s61jUe7LdHTNkbi12FMZ8/R4o4bQpGSOBYamGLd+9q9mLkOkl1kDtq+zIkWd3NIj:swjUoVJz12iu/R4HSOBQGx6krj+z6Nq

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1228-7-0x0000000000400000-0x0000000000441000-memory.dmp	family_cycbot
behavioral1/memory/2000-14-0x0000000000400000-0x0000000000441000-memory.dmp	family_cycbot
behavioral1/memory/848-72-0x0000000000400000-0x0000000000441000-memory.dmp	family_cycbot
behavioral1/memory/2000-73-0x0000000000400000-0x0000000000441000-memory.dmp	family_cycbot
behavioral1/memory/2000-172-0x0000000000400000-0x0000000000441000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	JaffaCakes118_148ac484c89df27a5a766c954ae361f9.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2000-2-0x0000000000400000-0x0000000000441000-memory.dmp	upx
behavioral1/memory/1228-5-0x0000000000400000-0x0000000000441000-memory.dmp	upx
behavioral1/memory/1228-7-0x0000000000400000-0x0000000000441000-memory.dmp	upx
behavioral1/memory/2000-14-0x0000000000400000-0x0000000000441000-memory.dmp	upx
behavioral1/memory/848-72-0x0000000000400000-0x0000000000441000-memory.dmp	upx
behavioral1/memory/2000-73-0x0000000000400000-0x0000000000441000-memory.dmp	upx
behavioral1/memory/2000-172-0x0000000000400000-0x0000000000441000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_148ac484c89df27a5a766c954ae361f9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_148ac484c89df27a5a766c954ae361f9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_148ac484c89df27a5a766c954ae361f9.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 1228	2000	JaffaCakes118_148ac484c89df27a5a766c954ae361f9.exe	31
PID 2000 wrote to memory of 1228	2000	JaffaCakes118_148ac484c89df27a5a766c954ae361f9.exe	31
PID 2000 wrote to memory of 1228	2000	JaffaCakes118_148ac484c89df27a5a766c954ae361f9.exe	31
PID 2000 wrote to memory of 1228	2000	JaffaCakes118_148ac484c89df27a5a766c954ae361f9.exe	31
PID 2000 wrote to memory of 848	2000	JaffaCakes118_148ac484c89df27a5a766c954ae361f9.exe	33
PID 2000 wrote to memory of 848	2000	JaffaCakes118_148ac484c89df27a5a766c954ae361f9.exe	33
PID 2000 wrote to memory of 848	2000	JaffaCakes118_148ac484c89df27a5a766c954ae361f9.exe	33
PID 2000 wrote to memory of 848	2000	JaffaCakes118_148ac484c89df27a5a766c954ae361f9.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_148ac484c89df27a5a766c954ae361f9.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_148ac484c89df27a5a766c954ae361f9.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_148ac484c89df27a5a766c954ae361f9.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_148ac484c89df27a5a766c954ae361f9.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1228
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_148ac484c89df27a5a766c954ae361f9.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_148ac484c89df27a5a766c954ae361f9.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\029F.EBE

Filesize
1KB

MD5
def33bc3f516fc536252ab0fb476e73d

SHA1
9874a1e41817e4a3faccc26610720e06716b94d4

SHA256
e0d87d45dea889306a0b7939f592ae2c55bd5d54c63b9477624279a0b14545af

SHA512
20ba8ede587865bd32290ae1f2dd5fb8ae14e53342248a2439c9f192744339d5deb5fe8a749813dbef5c25f4ca01f0cb23ecfe5abaf5890a1dcbde74dd7d6277

Download Submit
C:\Users\Admin\AppData\Roaming\029F.EBE

Filesize
600B

MD5
5ed9e8d13e3c4340acb878290718ee78

SHA1
2babcf91793cdc14a1d8b56e5f947c154b6b8688

SHA256
a254544e75c194d57f0eb1d127ae4d30104c9026942c753ffe95bc80f624df40

SHA512
d857d70a0b8de3c1d3484ab1e0fdeda93555623e66f7c90063ec0a89d4a27066449b2506814049abd29c427f023a18661c7ad96295132386068692b0ae1a2ed3

Download Submit
C:\Users\Admin\AppData\Roaming\029F.EBE

Filesize
996B

MD5
4ab24a3488590948c4ebecf5422d6273

SHA1
0197268a74e95a5f2d8bfef16a17307572563c9d

SHA256
5fb808a0fc7c750366e2f78f2c59e94213bdd2ef337c7678cd849a28b7825c8f

SHA512
10a3a761b563a1fec2b359ee8133f132e268566b67bd3f6e8dce3d3bb5f8e68cb0b6405deb3a7467048732e66ae4e6fdf28534b10345c98a6158a451e393c1d2

Download Submit
memory/848-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1228-5-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1228-7-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2000-1-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2000-2-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2000-14-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2000-73-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2000-172-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads