cycbot | a300700e9dce1d77f01fa051b91ff95bed573a0cdcc2cdcb3205d1d273f70c33

General

Target

JaffaCakes118_37589e3b306b5e728b35a760684bd078.exe
Size

187KB
MD5

37589e3b306b5e728b35a760684bd078
SHA1

27a7d5567cf64c08871f08f136bed53ced006701
SHA256

a300700e9dce1d77f01fa051b91ff95bed573a0cdcc2cdcb3205d1d273f70c33
SHA512

8da9e3e5f3188fd575f8205afae7ef3084099f96c86dece053e7251825f334005f9d00a02d2d89c318895b554e63fc57c5591fb03d42060958d6238133c45a46
SSDEEP

3072:M3NXk+I8q+ILDUkmdPWenHXN+CUxvxGfQV0ywfVHBo1xcP//icATqAe8zQ:3ZUtWeHcCtfQV0Bfdq1xcPSrTP1

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2944-20-0x0000000000400000-0x0000000000443000-memory.dmp	family_cycbot
behavioral1/memory/2908-21-0x0000000000400000-0x0000000000443000-memory.dmp	family_cycbot
behavioral1/memory/2608-90-0x0000000000400000-0x0000000000443000-memory.dmp	family_cycbot
behavioral1/memory/2608-88-0x0000000000400000-0x0000000000443000-memory.dmp	family_cycbot
behavioral1/memory/2908-91-0x0000000000400000-0x0000000000443000-memory.dmp	family_cycbot
behavioral1/memory/2908-185-0x0000000000400000-0x0000000000443000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	JaffaCakes118_37589e3b306b5e728b35a760684bd078.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2908-2-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2944-18-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2944-20-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2908-21-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2608-90-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2608-88-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2908-91-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2908-185-0x0000000000400000-0x0000000000443000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_37589e3b306b5e728b35a760684bd078.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_37589e3b306b5e728b35a760684bd078.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_37589e3b306b5e728b35a760684bd078.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	JaffaCakes118_37589e3b306b5e728b35a760684bd078.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	JaffaCakes118_37589e3b306b5e728b35a760684bd078.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	JaffaCakes118_37589e3b306b5e728b35a760684bd078.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	JaffaCakes118_37589e3b306b5e728b35a760684bd078.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 2944	2908	JaffaCakes118_37589e3b306b5e728b35a760684bd078.exe	30
PID 2908 wrote to memory of 2944	2908	JaffaCakes118_37589e3b306b5e728b35a760684bd078.exe	30
PID 2908 wrote to memory of 2944	2908	JaffaCakes118_37589e3b306b5e728b35a760684bd078.exe	30
PID 2908 wrote to memory of 2944	2908	JaffaCakes118_37589e3b306b5e728b35a760684bd078.exe	30
PID 2908 wrote to memory of 2608	2908	JaffaCakes118_37589e3b306b5e728b35a760684bd078.exe	32
PID 2908 wrote to memory of 2608	2908	JaffaCakes118_37589e3b306b5e728b35a760684bd078.exe	32
PID 2908 wrote to memory of 2608	2908	JaffaCakes118_37589e3b306b5e728b35a760684bd078.exe	32
PID 2908 wrote to memory of 2608	2908	JaffaCakes118_37589e3b306b5e728b35a760684bd078.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_37589e3b306b5e728b35a760684bd078.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_37589e3b306b5e728b35a760684bd078.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_37589e3b306b5e728b35a760684bd078.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_37589e3b306b5e728b35a760684bd078.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2944
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_37589e3b306b5e728b35a760684bd078.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_37589e3b306b5e728b35a760684bd078.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabCBEA.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCC3B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\40F5.B5D

Filesize
597B

MD5
b04be7bca60850dd3591656f7c50d9a5

SHA1
0679d4935ae8f03be0dc38d9c556e1a4260b9f63

SHA256
e2156884f25dc876346d4e841e54994f72e81e0be68eb70cf31eeb8b775bb6fc

SHA512
bd63ae3dd71e7995c16cac545eeef96ddcad0648ca31f45c2df25647c7e2e213c8c307825852cb2e4f907af625134b372fc7d1e4a50740f43b3149693bbbe6b9

Download Submit
C:\Users\Admin\AppData\Roaming\40F5.B5D

Filesize
1KB

MD5
1ed3d72560ca281a807a0e3d51f3ec3b

SHA1
aefaf376ebb23d3442b79f6929af59b57ec92abb

SHA256
4dfdf37f0dbd39afa2a411c38ba0e009741d03dcedfd8a26614cac70564d9fbe

SHA512
c4fda6c8a3bdd22aa38aa718877b8d457b4bf07714a8d40fae2bd671a05b10f469736eb8bd5280483efbec7555f1d3480204d950cc3d47c153f256d4105fa4c9

Download Submit
C:\Users\Admin\AppData\Roaming\40F5.B5D

Filesize
2KB

MD5
e4fb1abe02b3ac517112adfd78b7a1bd

SHA1
fe2f32b158fda2aaf9cf91197bb9bb08c9d7140e

SHA256
c30ecfb8faf1b9e5900a0228e728a69735d7fd16662c8bc3a749921bfca5ff0f

SHA512
998eaa48470533e9e5f02684b79196003da213b7248f132f2d42be6c8bf150db5f28bc4d268b984a1d359b8dc77d774ee171f057574c08e4fdfa1b38f13b0ff7

Download Submit
C:\Users\Admin\AppData\Roaming\40F5.B5D

Filesize
897B

MD5
a5ab68a72449c942af369a408863cf14

SHA1
b0ecc9d835e9dca443413bc0b8e04e1dbaac7cd6

SHA256
093fdb44fdf00637cefa9600813dd73cb4165309b74bf1a67278c0e674a61fcf

SHA512
ec509f2a6946d4cb1d2a4a9b288b306ef881188f117b2e718b417760ed38f3f9f7280e597749fbbfc59fd4e2b9ee3029cc720150595a319b6d91802b84e78ccf

Download Submit
C:\Users\Admin\AppData\Roaming\40F5.B5D

Filesize
1KB

MD5
47520eaaaf2cad581792a2ae2c514dbd

SHA1
935a765686a99cb615a0d909a47acddbaeee8b0a

SHA256
814c26f5a4028ae0ec243fbbb74d564401f93c10d58bd3d4b8cce537437d0c67

SHA512
c8397e0c98c78872a11d01aec73826b6cd3068f20b3519650a8db3ed6d92e6bfd9f1c6a8531e470618767fa42766a7b5e5563aada3ae9cd0b6cab0b1794b1ac3

Download Submit
memory/2608-90-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2608-88-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2908-1-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2908-91-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2908-21-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2908-185-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2908-2-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2944-20-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2944-18-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads