cycbot | 4eff75216c70a650d55c321b5a527c4ec31ef984290d029d15615f1c5dea048d

General

Target

JaffaCakes118_48732361dbca44f4fea0dc6f80f4112e.exe
Size

174KB
MD5

48732361dbca44f4fea0dc6f80f4112e
SHA1

34104b9ca0e2c4c59b632bf5b21968c05cfa58b6
SHA256

4eff75216c70a650d55c321b5a527c4ec31ef984290d029d15615f1c5dea048d
SHA512

6b3384624948cb5a6ea60a3cc1f1905b3849e0d3bf90e3e95df91bd8ebbfcf35d0a22cce6a8d3c6a9a6f27f824c877934eb042ed5b24c163878b75da325698ab
SSDEEP

3072:f/cb5sIxw3xWpzHyXOctXE5Aad1HHTUyVY1JBCzpI6quIJZtUd6RW68dX:f/cb5sIxwstcZGAt3X4IFuatUd6RW68

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/352-7-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/1668-18-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/1668-89-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/1556-93-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/1668-163-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/1668-200-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1668-2-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/352-7-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1668-18-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1668-89-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1556-91-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1556-93-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1668-163-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1668-200-0x0000000000400000-0x000000000044B000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_48732361dbca44f4fea0dc6f80f4112e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_48732361dbca44f4fea0dc6f80f4112e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_48732361dbca44f4fea0dc6f80f4112e.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	JaffaCakes118_48732361dbca44f4fea0dc6f80f4112e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	JaffaCakes118_48732361dbca44f4fea0dc6f80f4112e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	JaffaCakes118_48732361dbca44f4fea0dc6f80f4112e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	JaffaCakes118_48732361dbca44f4fea0dc6f80f4112e.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 352	1668	JaffaCakes118_48732361dbca44f4fea0dc6f80f4112e.exe	31
PID 1668 wrote to memory of 352	1668	JaffaCakes118_48732361dbca44f4fea0dc6f80f4112e.exe	31
PID 1668 wrote to memory of 352	1668	JaffaCakes118_48732361dbca44f4fea0dc6f80f4112e.exe	31
PID 1668 wrote to memory of 352	1668	JaffaCakes118_48732361dbca44f4fea0dc6f80f4112e.exe	31
PID 1668 wrote to memory of 1556	1668	JaffaCakes118_48732361dbca44f4fea0dc6f80f4112e.exe	33
PID 1668 wrote to memory of 1556	1668	JaffaCakes118_48732361dbca44f4fea0dc6f80f4112e.exe	33
PID 1668 wrote to memory of 1556	1668	JaffaCakes118_48732361dbca44f4fea0dc6f80f4112e.exe	33
PID 1668 wrote to memory of 1556	1668	JaffaCakes118_48732361dbca44f4fea0dc6f80f4112e.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48732361dbca44f4fea0dc6f80f4112e.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48732361dbca44f4fea0dc6f80f4112e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48732361dbca44f4fea0dc6f80f4112e.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48732361dbca44f4fea0dc6f80f4112e.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:352
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48732361dbca44f4fea0dc6f80f4112e.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48732361dbca44f4fea0dc6f80f4112e.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab3E2B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3E4D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\9412.CB1

Filesize
597B

MD5
8cf5b436f23cfa8ae22137b960007b41

SHA1
84fce411920e36db0e6cccb1f001e894c596b1f4

SHA256
e689bb488b4ffb1dd5811891b54c5a9076b0f04983c8af83965fde736c3a7840

SHA512
cff95c51706937f1c109fa500de3eef4702974c7ab3681734ea5a46e7c53e0e2ca46f72d0d08d7bc81edf5439f7ef6482f29b28d03392274cc8cfca8a10af6a6

Download Submit
C:\Users\Admin\AppData\Roaming\9412.CB1

Filesize
1KB

MD5
2cc83f0571b34b5c51f2c5fcab61af84

SHA1
8a1cce2a821b47f6c6c4db4ac2f86b0ad86f2e50

SHA256
661d04340293a260b60614845985e27dee939542f40ede6feffd79d714853627

SHA512
c97e47cdaa209840b9f4cc6f3fdec4591355a4d0a5b47ced0f6cf0c1ffe74db4b8c097b86e0dc76f7da8c83804963c5ada02c78e26b8bc9c3c3e2120d8e51724

Download Submit
C:\Users\Admin\AppData\Roaming\9412.CB1

Filesize
897B

MD5
15cd508fbee6984c65c1db45b376ef2a

SHA1
961848a32283f446987fb17b6582e18f8755a2df

SHA256
20c2ebfb91a7cd5e079071765782d5c7d6bb1c8c54a6a09bdfeefc0a8009ede6

SHA512
dedc5bf25252b9f1f914021c3318198eb26ff60b9634d643a0c61bb6bbc2610acc066f7624a4028746e52d646151b45c034af1d40f7a0eb15602ca579e47cb52

Download Submit
C:\Users\Admin\AppData\Roaming\9412.CB1

Filesize
1KB

MD5
61ea305cd48c0c3bc8af1b176ef4ed57

SHA1
af3508b7ce87bb0090ed4ae59a539eda9da26130

SHA256
3f8b2cb9791404dc6e92367c41468b3da99e81f90d925c9a9f79b597499ad733

SHA512
064435f298e2e4a10c9ed008b651de12a9ee527d15bbf082ee7c462fd0b90756a036181840bd95cabaeec6cdc19b2d9ee8fae117bd507ab835ca15a81a94f3e0

Download Submit
memory/352-7-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1556-91-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1556-93-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1668-1-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1668-89-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1668-18-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1668-163-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1668-200-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1668-2-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing