cycbot | 7ea55261d63c305789b23fa38856b71434d2b6c5981a4aa7b66215aeb8efff4a

General

Target

JaffaCakes118_30e359c36bb23fcfe3f3e53979f3e682.exe
Size

154KB
MD5

30e359c36bb23fcfe3f3e53979f3e682
SHA1

37982fcd4fcb7c621141fa61041552eac5a429cf
SHA256

7ea55261d63c305789b23fa38856b71434d2b6c5981a4aa7b66215aeb8efff4a
SHA512

9581fd890f9254c08222cc75c605ed0bde67f4e7593715398c9e79b5eab4a1957b3b8462d1313183e84eff7a51598b928ff36cc0a00a9f625d92b8bc17fb534e
SSDEEP

3072:BF283I/QFxUbxq/Kvdj5Mn3jVFuTEW3k2YM73DNoAhowdP3vUf4CrPd:3VAK0xq2ai7klMnmAX3UXrF

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2776-9-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/2396-20-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/2396-73-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/2788-76-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/2396-177-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	JaffaCakes118_30e359c36bb23fcfe3f3e53979f3e682.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2396-2-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2776-8-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2776-9-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2396-20-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2396-73-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2788-75-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2788-76-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2396-177-0x0000000000400000-0x0000000000442000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_30e359c36bb23fcfe3f3e53979f3e682.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_30e359c36bb23fcfe3f3e53979f3e682.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_30e359c36bb23fcfe3f3e53979f3e682.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 2776	2396	JaffaCakes118_30e359c36bb23fcfe3f3e53979f3e682.exe	30
PID 2396 wrote to memory of 2776	2396	JaffaCakes118_30e359c36bb23fcfe3f3e53979f3e682.exe	30
PID 2396 wrote to memory of 2776	2396	JaffaCakes118_30e359c36bb23fcfe3f3e53979f3e682.exe	30
PID 2396 wrote to memory of 2776	2396	JaffaCakes118_30e359c36bb23fcfe3f3e53979f3e682.exe	30
PID 2396 wrote to memory of 2788	2396	JaffaCakes118_30e359c36bb23fcfe3f3e53979f3e682.exe	32
PID 2396 wrote to memory of 2788	2396	JaffaCakes118_30e359c36bb23fcfe3f3e53979f3e682.exe	32
PID 2396 wrote to memory of 2788	2396	JaffaCakes118_30e359c36bb23fcfe3f3e53979f3e682.exe	32
PID 2396 wrote to memory of 2788	2396	JaffaCakes118_30e359c36bb23fcfe3f3e53979f3e682.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_30e359c36bb23fcfe3f3e53979f3e682.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_30e359c36bb23fcfe3f3e53979f3e682.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_30e359c36bb23fcfe3f3e53979f3e682.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_30e359c36bb23fcfe3f3e53979f3e682.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2776
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_30e359c36bb23fcfe3f3e53979f3e682.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_30e359c36bb23fcfe3f3e53979f3e682.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\E55E.599

Filesize
297B

MD5
06e1ed5fc8a11f09f9be05608302b269

SHA1
a933c0e60561fff50dc341df874b4fcbbc1993db

SHA256
7cf78cb659f324519680cf81aa6dfe1a300285732f0a27ba5d8f3a395439b9ce

SHA512
5078237c38fa42ab88dca4234d677218b2d23cf9c579fffdc5961ed21a6486e60f553ca9a295ac47ee4ae41949081aba1f9d36a98994dc8e7eadd56a40aa6849

Download Submit
C:\Users\Admin\AppData\Roaming\E55E.599

Filesize
1KB

MD5
86ed878f43f8c486ede86d6ee061ff64

SHA1
b4144b59ab9a5a0dfc6b3ac215090a8ccf93c791

SHA256
488cf9619bf3f73771a902301faa682cccd3f34baec0d70b6dd3878fafd5f930

SHA512
360049822b0539948b4a239a428047fe772fbaafd5c95cb3af0ab5d2dc572b844b267d328fa4aa0f2004dc9aa8fd5ff5f95c9b0c8814ab40fd0e0679486c4d02

Download Submit
C:\Users\Admin\AppData\Roaming\E55E.599

Filesize
897B

MD5
6af13f26e94bf9dacbe8ccd06241f888

SHA1
29d1161431ce244654ce1bd6ec75a92a2a3162fa

SHA256
382feee78addd0f26a5801bd754c6cb99f10b352516c54abbd57057d1bf81da0

SHA512
1cfc2af22024c9e63847aada3e7b66d1a7e089c21a5f97cbebc04f8c8064c4c2c54213d3425e85ed73199005b59a3f0e3e1e22562a7595b379ebdcf7cf44a5ed

Download Submit
C:\Users\Admin\AppData\Roaming\E55E.599

Filesize
1KB

MD5
0b78ecb486d3f1a4843b063fcd22600f

SHA1
d1d9de516e52017f6c7029bcbd16e684614d3a53

SHA256
4a8900e14da1d84e83b38fa9d14121bfc5656ac1ad19edc66e7065d3bbd43cb3

SHA512
5fb7c18df2ead8372d2307801361b01861df166d86c03c84729e49b137ddf6d51be4ec11bd23e6048ddec62930b23b83f0ea265c14075655a42b0a6b4bc91eca

Download Submit
memory/2396-2-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2396-177-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2396-1-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2396-20-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2396-73-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2776-8-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2776-9-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2776-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2788-76-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2788-75-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads