cycbot | 76f691e1e1ea35faa8f3b4db03695dbf493453cf66e92e15cd58489d246ceeaa

General

Target

JaffaCakes118_4871ce3f9bd807b9e71afb7a1cbd067f.exe
Size

155KB
MD5

4871ce3f9bd807b9e71afb7a1cbd067f
SHA1

ff42237f0c07c4d8e15beeb8f10b60082bcb68f1
SHA256

76f691e1e1ea35faa8f3b4db03695dbf493453cf66e92e15cd58489d246ceeaa
SHA512

03255e7104b42ca5433bc54f4a7f472985fc105b10d61f7d807a4c9bb8095e38a4d5cd4763c35f56cf0faa326fa92f843ef7637ca12d62fa11bd2b84d9b62496
SSDEEP

3072:vw/9LWqGjWmpYCMg9kQyaW6ywE8LU/1Bd8A9GRikTlqZkWMwrw7DuC:vwpWqPmuCMg9kdIU/1oA98JWMw+

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2548-10-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/2376-21-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/2376-82-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/2156-86-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/2376-185-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/2376-188-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	JaffaCakes118_4871ce3f9bd807b9e71afb7a1cbd067f.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2376-2-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2548-10-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2548-9-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2376-21-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2376-82-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2156-84-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2156-86-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2376-185-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2376-188-0x0000000000400000-0x0000000000442000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4871ce3f9bd807b9e71afb7a1cbd067f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4871ce3f9bd807b9e71afb7a1cbd067f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4871ce3f9bd807b9e71afb7a1cbd067f.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2548	2376	JaffaCakes118_4871ce3f9bd807b9e71afb7a1cbd067f.exe	31
PID 2376 wrote to memory of 2548	2376	JaffaCakes118_4871ce3f9bd807b9e71afb7a1cbd067f.exe	31
PID 2376 wrote to memory of 2548	2376	JaffaCakes118_4871ce3f9bd807b9e71afb7a1cbd067f.exe	31
PID 2376 wrote to memory of 2548	2376	JaffaCakes118_4871ce3f9bd807b9e71afb7a1cbd067f.exe	31
PID 2376 wrote to memory of 2156	2376	JaffaCakes118_4871ce3f9bd807b9e71afb7a1cbd067f.exe	33
PID 2376 wrote to memory of 2156	2376	JaffaCakes118_4871ce3f9bd807b9e71afb7a1cbd067f.exe	33
PID 2376 wrote to memory of 2156	2376	JaffaCakes118_4871ce3f9bd807b9e71afb7a1cbd067f.exe	33
PID 2376 wrote to memory of 2156	2376	JaffaCakes118_4871ce3f9bd807b9e71afb7a1cbd067f.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4871ce3f9bd807b9e71afb7a1cbd067f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4871ce3f9bd807b9e71afb7a1cbd067f.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4871ce3f9bd807b9e71afb7a1cbd067f.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4871ce3f9bd807b9e71afb7a1cbd067f.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2548
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4871ce3f9bd807b9e71afb7a1cbd067f.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4871ce3f9bd807b9e71afb7a1cbd067f.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\341A.314

Filesize
597B

MD5
6c012ed4ac863de95c81e7d835d128b6

SHA1
9f8e78be69dc330ea8f852be0ba8163a222f4bd4

SHA256
48f3e9c1fede10589cfc7d4c51ca1193185e190427d85a54655d578d3774eb73

SHA512
0372c3a1c52003866ca034ba9f4aa1f228f4f148a9af1173e5fca2105567c1b6709e431adf29526c053739852464476f626f2e879a5fb5ed842c1e29ab4ddb7a

Download Submit
C:\Users\Admin\AppData\Roaming\341A.314

Filesize
1KB

MD5
ca63a2a7e98d9822b9bb3e1fcf03d65a

SHA1
0a557c9e0bbd757a8f745ba54db2be20fa8f8e78

SHA256
de539b447478f1115426696080b10601f9fa2b683dd5cc6fc134545615adec7b

SHA512
713fadc64ae92de8d1137170997068d0b8f3ed9e65825fd354a189382f0e1ec1d3e7e1a0f6f2893e55d8247c5c05a51fb3c82879c247d94cfd4afb1f98ddd664

Download Submit
C:\Users\Admin\AppData\Roaming\341A.314

Filesize
897B

MD5
e15d5a1e2b0b3a5267f692216c5d1bdb

SHA1
fba65ba9cbade35d5d29856e85b21354583a865f

SHA256
07019161e73b30f9ce8bc9471ee495d1dc69e7e11a05619828ad612de7ea0a95

SHA512
bfba03518972e8372bb72ca1a87829c46ad0e8401c61775f4511e59814c5e390493e54468eeaaa4df2857ee9a5a4b7adeee85a51d1debbd52d6543d8cfcabd57

Download Submit
C:\Users\Admin\AppData\Roaming\341A.314

Filesize
1KB

MD5
6ac6fd531b27292b180a79ff73d1d057

SHA1
c040aac1716326024acf674f41023a59b3b43805

SHA256
6826d09316f714fd57ee643f21c47116398252326e9f31eb91538d5114b5a745

SHA512
1bfe8cc60bdd767ae9523742164ee5bcc468b7fd4d17c3c826341ef63350267eed16d9e6650c6ee3b16fa9896968fbb71051948eccf3bf1518e6f873d446aad3

Download Submit
memory/2156-84-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2156-86-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2376-21-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2376-82-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2376-1-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2376-2-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2376-185-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2376-188-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2548-9-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2548-10-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2548-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads