cycbot | ae81fee6aa8eb428f282471db50b348b22f0f399d5e9c97a6721f74ad6788b46

General

Target

JaffaCakes118_48c15e2fa6716f40bbe47d31106d7767.exe
Size

172KB
MD5

48c15e2fa6716f40bbe47d31106d7767
SHA1

abd8edafa983c34dbf7961a96106fecbcd603dda
SHA256

ae81fee6aa8eb428f282471db50b348b22f0f399d5e9c97a6721f74ad6788b46
SHA512

7e35e63e71f06a5d2ba0e42f9b800e67fa12c9a7a1ed186d83a733b53b18420b9c410d9b218e76618a6ca50269274fc14d879aa6abf5cd92a44c44880614b73d
SSDEEP

3072:29OqKsgTwk7/5ePtqWIwIax1xEyhUGRjTc2A+WgoW+QxZiFpO2Q2D6:dbwU0cWIPaDxThUKTAcv+QxZi3G

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2868-15-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/1228-16-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/1228-79-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/264-82-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/1228-197-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	JaffaCakes118_48c15e2fa6716f40bbe47d31106d7767.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1228-2-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2868-13-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2868-15-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2868-12-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1228-16-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1228-79-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/264-81-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/264-82-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1228-197-0x0000000000400000-0x0000000000445000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_48c15e2fa6716f40bbe47d31106d7767.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_48c15e2fa6716f40bbe47d31106d7767.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_48c15e2fa6716f40bbe47d31106d7767.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 2868	1228	JaffaCakes118_48c15e2fa6716f40bbe47d31106d7767.exe	30
PID 1228 wrote to memory of 2868	1228	JaffaCakes118_48c15e2fa6716f40bbe47d31106d7767.exe	30
PID 1228 wrote to memory of 2868	1228	JaffaCakes118_48c15e2fa6716f40bbe47d31106d7767.exe	30
PID 1228 wrote to memory of 2868	1228	JaffaCakes118_48c15e2fa6716f40bbe47d31106d7767.exe	30
PID 1228 wrote to memory of 264	1228	JaffaCakes118_48c15e2fa6716f40bbe47d31106d7767.exe	32
PID 1228 wrote to memory of 264	1228	JaffaCakes118_48c15e2fa6716f40bbe47d31106d7767.exe	32
PID 1228 wrote to memory of 264	1228	JaffaCakes118_48c15e2fa6716f40bbe47d31106d7767.exe	32
PID 1228 wrote to memory of 264	1228	JaffaCakes118_48c15e2fa6716f40bbe47d31106d7767.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48c15e2fa6716f40bbe47d31106d7767.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48c15e2fa6716f40bbe47d31106d7767.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48c15e2fa6716f40bbe47d31106d7767.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48c15e2fa6716f40bbe47d31106d7767.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2868
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48c15e2fa6716f40bbe47d31106d7767.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_48c15e2fa6716f40bbe47d31106d7767.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\1C5A.C25

Filesize
1KB

MD5
0217feab6f35c324f5544be97da17af2

SHA1
7d52e1528e78b6fae5d4114bced145a52b603bae

SHA256
7794592b72141ca74c53ded47fb1186f51ec834ae96279639984ca3f0e58275e

SHA512
b5e9e7121831596380592e69466d14d64c11fa89c40f871ca11319b73714761ebf9b180f9e5450dce7c71485f64fc1aba2bf42c6e64ca2f5a3b696f2265b27b9

Download Submit
C:\Users\Admin\AppData\Roaming\1C5A.C25

Filesize
600B

MD5
e2bb6090906c4dd45fea834c6791047c

SHA1
9e935aa829df2ab61a00e0d4159c2e04edd31969

SHA256
86d7cf3f85923cf240e834fd0a0ac12fd6ffd004eb183c414d547f647a54a809

SHA512
6c59d314f3ea2fd0a2ecbb3a122e2f0c8bff611f680c1845b0825115f41362aa670b567ff311ce0ad45b23f43e54c61f070a449037884cfd97bd052efc584f39

Download Submit
C:\Users\Admin\AppData\Roaming\1C5A.C25

Filesize
996B

MD5
9d7d5578d88b347f4a07e494919ce34e

SHA1
b8965adcbcf8a25a7b08515310fd01397791cb43

SHA256
6b47ef16931730264c7dd080dd3c291096891769e1818c7be96aa30f0824ce95

SHA512
79afe4d90cb766fd87d14bd8bbd7d8d2c3ae259dbfeab6defd038af84a355bc0680f0ee8f2c6671160d982539b7dcafed68bfa6b4bbb403682118a4b130cd01a

Download Submit
memory/264-82-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/264-81-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1228-16-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1228-79-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1228-1-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1228-2-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1228-197-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2868-12-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2868-15-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2868-13-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads