cycbot | 4d588caa39aebb846c7aaee75af9f7b94e694c501abc9bffb848282a65428ed1

General

Target

JaffaCakes118_446817b65e45034384cbdfb6a3cb43ae.exe
Size

159KB
MD5

446817b65e45034384cbdfb6a3cb43ae
SHA1

a3dac85c506e5cea706fa4f52191b0d2fa7ef40c
SHA256

4d588caa39aebb846c7aaee75af9f7b94e694c501abc9bffb848282a65428ed1
SHA512

54b6d4d99a3eaf1a27f03d0bcb6fd50a10bdc6f2f3b4f076d90f0b07b9b85cba688c524c5f171e1ae0a73f34a7464580339145c416cb5840531cbd037af56c8d
SSDEEP

3072:6Wdr954BZiLs1BnSf9TBgMACCkFW/GSqOuPDR9IVT1cmJ:H7k82yTKvw7OuPDeBc

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2384-9-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/2940-20-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/2940-81-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/2556-83-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/2940-192-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	JaffaCakes118_446817b65e45034384cbdfb6a3cb43ae.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2940-2-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2384-8-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2384-7-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2384-9-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2940-20-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2940-81-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2556-83-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2940-192-0x0000000000400000-0x0000000000442000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_446817b65e45034384cbdfb6a3cb43ae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_446817b65e45034384cbdfb6a3cb43ae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_446817b65e45034384cbdfb6a3cb43ae.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 2384	2940	JaffaCakes118_446817b65e45034384cbdfb6a3cb43ae.exe	30
PID 2940 wrote to memory of 2384	2940	JaffaCakes118_446817b65e45034384cbdfb6a3cb43ae.exe	30
PID 2940 wrote to memory of 2384	2940	JaffaCakes118_446817b65e45034384cbdfb6a3cb43ae.exe	30
PID 2940 wrote to memory of 2384	2940	JaffaCakes118_446817b65e45034384cbdfb6a3cb43ae.exe	30
PID 2940 wrote to memory of 2556	2940	JaffaCakes118_446817b65e45034384cbdfb6a3cb43ae.exe	33
PID 2940 wrote to memory of 2556	2940	JaffaCakes118_446817b65e45034384cbdfb6a3cb43ae.exe	33
PID 2940 wrote to memory of 2556	2940	JaffaCakes118_446817b65e45034384cbdfb6a3cb43ae.exe	33
PID 2940 wrote to memory of 2556	2940	JaffaCakes118_446817b65e45034384cbdfb6a3cb43ae.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_446817b65e45034384cbdfb6a3cb43ae.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_446817b65e45034384cbdfb6a3cb43ae.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_446817b65e45034384cbdfb6a3cb43ae.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_446817b65e45034384cbdfb6a3cb43ae.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2384
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_446817b65e45034384cbdfb6a3cb43ae.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_446817b65e45034384cbdfb6a3cb43ae.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\68A1.2EF

Filesize
597B

MD5
ef8fe7c7645dd3b1fd272aae89e781f8

SHA1
3059dc7c956d706d67e7e0957bda72566d4b862f

SHA256
b066ad34366e5653ef6a81d1def5766bebda812ce1662569021adf7c19da9885

SHA512
c5e175ddc8f8b852aefe157f9ffad9f1747767a197436ccd92c001c457dac98ebb5a05a283a5430a4bca0f2e2e614235b432f9b2a2ad19d3147c364cf32b88fa

Download Submit
C:\Users\Admin\AppData\Roaming\68A1.2EF

Filesize
1KB

MD5
dd379207e621c8d2db91e12493c03ea2

SHA1
48a6c7361a58262ba40b74938757c10a4fa4ac43

SHA256
c6b7a7a6b8ea67aa523ed11ec0712bc2f49569d71a99d43445d7f62da139779d

SHA512
eddb5b0ca6e1951efa3218c3675350919dfa3fc9ece484d37b3c578401f1c36ef71abb0096e03e3fa637ab65ff6fe04db241887c69b362d31f3bd1b5c3703ed0

Download Submit
C:\Users\Admin\AppData\Roaming\68A1.2EF

Filesize
897B

MD5
e6eb9f75019719df2426acf3f0e86f97

SHA1
6403f38041b6efb3d2a47cf3968a22e74f546e33

SHA256
2656b0ee8b83794a1c6f1ff49bfca1aab419bd1e80c035aeb75a48c64fda4554

SHA512
6081de651050d481bcd21869058de3f6571fb0a9d6223173d22eafb60d58ccee3f7c45893e4de2ffd45300327c264aaf4d7b962bd0cb95dbd9eb0d11c43b8b69

Download Submit
C:\Users\Admin\AppData\Roaming\68A1.2EF

Filesize
1KB

MD5
7b33c070a915a98c8d60c00aa386d2a6

SHA1
905a46adc38ed4ed5259573fc4df420a7969a166

SHA256
41acc629092c1ba956cf89c84a83fb44bf23948c8a2f5e52cbb5d188b98425bc

SHA512
b2933eff6b559ccf411ebed029a0f37b698b1584e8024bd9a486a3d652e0d010d1916cc1e18b1b805e5a54eb61a3da4fa46bc9beb294ba26212ca913facc3561

Download Submit
memory/2384-8-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2384-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2384-9-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2556-83-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2940-20-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2940-81-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2940-2-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2940-1-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2940-192-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads