cycbot | adbc69392f2228409823e74c54b07934ecd893b482e7cec9d6ef126ea9e7046f

General

Target

JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe
Size

180KB
MD5

3499252c1c101b70e8919d979c85def8
SHA1

be592b22639c963569a6057f99021c13ffd86907
SHA256

adbc69392f2228409823e74c54b07934ecd893b482e7cec9d6ef126ea9e7046f
SHA512

7a70b47b788cf39b8a1549525733b70e486e76d8e7b6e1fce4ffbccaad8f24d5a377c92a006aec51e9da2142c84034ef039e3e937d73e1502d3d7be2831c4d4c
SSDEEP

3072:NjUgWSg0pLFZc2JXbMpCOZNfWcDXm4kn1mt7/r3yyDe3pVRF3siM7NtUGaEBOvQH:NjUqg0pLjcIXmtNfbX9t7/r3GaiYqY4M

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2764-13-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/2796-14-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/2796-77-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/2908-80-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/2796-187-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2796-2-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/2764-12-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/2764-13-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/2796-14-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/2796-77-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/2908-79-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/2908-80-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/2796-187-0x0000000000400000-0x000000000044C000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 2764	2796	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe	31
PID 2796 wrote to memory of 2764	2796	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe	31
PID 2796 wrote to memory of 2764	2796	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe	31
PID 2796 wrote to memory of 2764	2796	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe	31
PID 2796 wrote to memory of 2908	2796	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe	33
PID 2796 wrote to memory of 2908	2796	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe	33
PID 2796 wrote to memory of 2908	2796	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe	33
PID 2796 wrote to memory of 2908	2796	JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:2764
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3499252c1c101b70e8919d979c85def8.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\F534.80B

Filesize
1KB

MD5
8f8be8d3fda3d4f51d5f8825f3346cd3

SHA1
fb312f02241c9451ed64667bb27b89a3f2007904

SHA256
5075f83ce4cf8df727165098d48305b1d2635e6762d4fb1bee3a7b4ab06de7f0

SHA512
f3f9823d622b58ba79893121080e5cdcad801e9c81b880416a7f603ff64d926d6d52708382aa9f6b0159c68e523d484226fbc5223f9aa412c3ba8af425adbd04

Download Submit
C:\Users\Admin\AppData\Roaming\F534.80B

Filesize
600B

MD5
6ab81c743606a37b4a957e8b8bf818ab

SHA1
60d318b8fad433332d20a518815f9325fa82326c

SHA256
61ceadf006e8e3ab490777c1772b0690c32324b0fd56cdc59909cdb5937b21b3

SHA512
402e4c74650302be6438fd309a5e1986a06bae271af832f128fb73b4453caa6fa118b3437951858f31aa707d215a36ffb84f8a2dc17981e3c63b2474f0ada9ae

Download Submit
C:\Users\Admin\AppData\Roaming\F534.80B

Filesize
996B

MD5
5d9041996f5cba0a988c7ed883f8ece7

SHA1
edf084788793be5a98f086ea69c5295573c53a75

SHA256
9cb1a977f949906c3babe26ba3aef5473b9ecc38e043bad8fb930d7c502fe273

SHA512
18d09aee747c45de52810a31bd9ef19f43c94a07bde6a94a61615d38e6846c38750d00b84fa4ae27ef0fae65314301cb41cbe2d4a3c4b9f19fe117ac90df04b2

Download Submit
memory/2764-12-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2764-13-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2796-1-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2796-2-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2796-14-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2796-77-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2796-187-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2908-79-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2908-80-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads