cycbot | 4dfe59ecb62e857148462091f0d55cf42866e895c184a22c12e54221f02770b0

General

Target

JaffaCakes118_5fdddb58eff27abfc378771fbe002469.exe
Size

157KB
MD5

5fdddb58eff27abfc378771fbe002469
SHA1

61af536b1ad31d6944fef4f05e476a848adf66d8
SHA256

4dfe59ecb62e857148462091f0d55cf42866e895c184a22c12e54221f02770b0
SHA512

4d66ff64d2f976672cdf1fd78971ab32347c2d709672a4b1a1177eff2a7f915cfb95de0de9815573d04f42edea16e9bd777209fc978c80172115e1d15433ee1f
SSDEEP

3072:gKOHaunuo8yRlPyPqKukSrpyXhd3fScjzpC:gxaguohRlPRjrmhcgo

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2080-6-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/348-14-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/348-87-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/3020-90-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/348-202-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	JaffaCakes118_5fdddb58eff27abfc378771fbe002469.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/348-2-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2080-5-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2080-6-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/348-14-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/348-87-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/3020-89-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/3020-90-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/348-202-0x0000000000400000-0x0000000000442000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5fdddb58eff27abfc378771fbe002469.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5fdddb58eff27abfc378771fbe002469.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5fdddb58eff27abfc378771fbe002469.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 348 wrote to memory of 2080	348	JaffaCakes118_5fdddb58eff27abfc378771fbe002469.exe	30
PID 348 wrote to memory of 2080	348	JaffaCakes118_5fdddb58eff27abfc378771fbe002469.exe	30
PID 348 wrote to memory of 2080	348	JaffaCakes118_5fdddb58eff27abfc378771fbe002469.exe	30
PID 348 wrote to memory of 2080	348	JaffaCakes118_5fdddb58eff27abfc378771fbe002469.exe	30
PID 348 wrote to memory of 3020	348	JaffaCakes118_5fdddb58eff27abfc378771fbe002469.exe	33
PID 348 wrote to memory of 3020	348	JaffaCakes118_5fdddb58eff27abfc378771fbe002469.exe	33
PID 348 wrote to memory of 3020	348	JaffaCakes118_5fdddb58eff27abfc378771fbe002469.exe	33
PID 348 wrote to memory of 3020	348	JaffaCakes118_5fdddb58eff27abfc378771fbe002469.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5fdddb58eff27abfc378771fbe002469.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5fdddb58eff27abfc378771fbe002469.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:348
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5fdddb58eff27abfc378771fbe002469.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5fdddb58eff27abfc378771fbe002469.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2080
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5fdddb58eff27abfc378771fbe002469.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5fdddb58eff27abfc378771fbe002469.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\CC61.8BE

Filesize
1KB

MD5
954902e166feef0b34753a159edeac67

SHA1
c063493a1e06e9ec53ff8a7fa0d544df1786c165

SHA256
d88938f251314e4f2fe54cc33a666cfa961e39d7ade2ae06bc80671f913594e8

SHA512
16db3f3eaf76ceeb38349345443c43b0c565aa208105dd80cee4bbbfbafff5752180a1784e8bf3e95017726041cd98da713114348e4f745917e47bd8d02dd10a

Download Submit
C:\Users\Admin\AppData\Roaming\CC61.8BE

Filesize
600B

MD5
80df3e6792c5400e3b125c9a34198c7e

SHA1
968087e98b29bfa4a597def2f5ae2afbc601e933

SHA256
4b53a5679f51d708f1eb76c20f40e630c90657316fbbae5ad1689bf6a6ce6af3

SHA512
eafd4236e25e91e961cc99a3718f41363afcd5b4426e324a3baa7ad86e627fb6e54b455a804785c318c52074675deb8afff460df92406fbcf04cde0f272e77eb

Download Submit
C:\Users\Admin\AppData\Roaming\CC61.8BE

Filesize
996B

MD5
ea1bf7f58257ab950a99baffe95bed8a

SHA1
2ae738f17aeed924b5e0f0255e9a75687de03434

SHA256
f75ef3cbfcee117e28df0eccf1c421edd466000def24023fe351cd5dc2fdb9ba

SHA512
5ca1ce252748228717adbb2c9f3655c1074abfe9fbebca380f2f797d5d40a0a419656a1e74a311627154969b4b9795a3b89ff92e49d20bac9222d1700cab29f4

Download Submit
memory/348-1-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/348-2-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/348-14-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/348-87-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/348-202-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2080-5-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2080-6-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3020-89-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3020-90-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads