cycbot | 763c1a4a1ccc245e865d8a6a3d35d5465cb7f918ccd995780fa88d8ca50c5834

General

Target

JaffaCakes118_35adbd0f7519da1db22377abc59a75e2.exe
Size

166KB
MD5

35adbd0f7519da1db22377abc59a75e2
SHA1

54d9f096b54c096d94a65b0b8ad74d165c707e20
SHA256

763c1a4a1ccc245e865d8a6a3d35d5465cb7f918ccd995780fa88d8ca50c5834
SHA512

807b4b061acbc792e87a9ab35de8906fbdea967789dc21192c314b32568b9dd4f68f9cd40a5a80ef2aa452cd416b6f7a19ae84aa5dcf6c9c3961c434a9ac9ecf
SSDEEP

3072:QY3CgD7vPijqB4gd3TYuRuu3ymX1aNN6aSJg0RAQs9h6woxNdOkAB:FX7mjiYuRT7X1QNKzRAQnO

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2440-15-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/3040-16-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/2600-84-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/3040-85-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/3040-181-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	JaffaCakes118_35adbd0f7519da1db22377abc59a75e2.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3040-2-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2440-13-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2440-12-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2440-15-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/3040-16-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2600-83-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2600-84-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/3040-85-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/3040-181-0x0000000000400000-0x0000000000445000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_35adbd0f7519da1db22377abc59a75e2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_35adbd0f7519da1db22377abc59a75e2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_35adbd0f7519da1db22377abc59a75e2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2440	3040	JaffaCakes118_35adbd0f7519da1db22377abc59a75e2.exe	30
PID 3040 wrote to memory of 2440	3040	JaffaCakes118_35adbd0f7519da1db22377abc59a75e2.exe	30
PID 3040 wrote to memory of 2440	3040	JaffaCakes118_35adbd0f7519da1db22377abc59a75e2.exe	30
PID 3040 wrote to memory of 2440	3040	JaffaCakes118_35adbd0f7519da1db22377abc59a75e2.exe	30
PID 3040 wrote to memory of 2600	3040	JaffaCakes118_35adbd0f7519da1db22377abc59a75e2.exe	32
PID 3040 wrote to memory of 2600	3040	JaffaCakes118_35adbd0f7519da1db22377abc59a75e2.exe	32
PID 3040 wrote to memory of 2600	3040	JaffaCakes118_35adbd0f7519da1db22377abc59a75e2.exe	32
PID 3040 wrote to memory of 2600	3040	JaffaCakes118_35adbd0f7519da1db22377abc59a75e2.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_35adbd0f7519da1db22377abc59a75e2.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_35adbd0f7519da1db22377abc59a75e2.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_35adbd0f7519da1db22377abc59a75e2.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_35adbd0f7519da1db22377abc59a75e2.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2440
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_35adbd0f7519da1db22377abc59a75e2.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_35adbd0f7519da1db22377abc59a75e2.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\51E1.578

Filesize
1KB

MD5
22096477f362266f22098070abc52dec

SHA1
b8bbc46a4fa4fbf7821822fe0e8fe80a6de24d1e

SHA256
d661602fe8b419fc35927932159cfc7a6870a8f2d6be417d1da536dd67d90c2b

SHA512
21f8f246f950a7d4149d94a487b5d1362dc5ce17d3be5d7b4576e9266c5f0a85956fbc00856dbbca250c828b27dd668bf4a58c770436affa224d92f15665bbc5

Download Submit
C:\Users\Admin\AppData\Roaming\51E1.578

Filesize
600B

MD5
36116ea664122967c31918c18cbcd308

SHA1
e84ab5f8d40e3b77e616ff80b49535a0573bdf74

SHA256
c8111078d75eb67f60c37c97a1e260db80087e7446ca262ac9c68b3a90c6dc59

SHA512
40d8a9d960a3618ff3b3097e5df03a59d707728d10c98469f07549c1e6fe2cfc0f4dc357c92d80afd63ef664e1a19f752fc1ca863a09fe5593fc26a0f2331780

Download Submit
C:\Users\Admin\AppData\Roaming\51E1.578

Filesize
996B

MD5
229eaebaac694f362a8685b02613ab42

SHA1
4b4f8eff6ab9addbabd6db8cc8885997a678b433

SHA256
9f36b3d1f68ea920d5293a36e192966920dec312015170ddbabe0a51c9b87710

SHA512
3b337da4cf8237c268529c3a719d61b98185b681dc5daea4b4efe66ca7bc24aaaf0ed89f87e2b5041596385cd38626ffb6731e605f865951f79d821d5d6d97b1

Download Submit
memory/2440-12-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2440-15-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2440-13-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2600-83-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2600-82-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2600-84-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3040-16-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3040-1-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3040-85-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3040-2-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3040-181-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads