cycbot | a055e7bd3122488576a187d94c8f143deaeb26e69cefce7a77d7f0cefd70c46e

General

Target

JaffaCakes118_84d20c9b907273cd1bee3778034db024.exe
Size

164KB
MD5

84d20c9b907273cd1bee3778034db024
SHA1

9d51720641e9e8f256a834f20d1a41fe9af18884
SHA256

a055e7bd3122488576a187d94c8f143deaeb26e69cefce7a77d7f0cefd70c46e
SHA512

ed6fb8e0f1608fa7c82428e294310d230e04c36eeecc17cdfef2fffed8a976c2c5b4ed1d4bd240f4d664b3c96267c313ac8da70432790cb4e2c795de201ea32f
SSDEEP

3072:toyZUHc9NkVLSgbYvox+MEOINCbHr61bx3Ti1MwgRF1YGFG:W/HcTch0v7MEFNCHUbx3+Mwg2GI

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2824-6-0x0000000000400000-0x000000000043D000-memory.dmp	family_cycbot
behavioral1/memory/2336-13-0x0000000000400000-0x000000000043D000-memory.dmp	family_cycbot
behavioral1/memory/2336-73-0x0000000000400000-0x000000000043D000-memory.dmp	family_cycbot
behavioral1/memory/2724-76-0x0000000000400000-0x000000000043D000-memory.dmp	family_cycbot
behavioral1/memory/2336-77-0x0000000000400000-0x000000000043D000-memory.dmp	family_cycbot
behavioral1/memory/2336-160-0x0000000000400000-0x000000000043D000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	JaffaCakes118_84d20c9b907273cd1bee3778034db024.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2336-1-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/2824-5-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/2824-4-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/2824-6-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/2336-13-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/2336-73-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/2724-76-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/2336-77-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/2336-160-0x0000000000400000-0x000000000043D000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_84d20c9b907273cd1bee3778034db024.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_84d20c9b907273cd1bee3778034db024.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_84d20c9b907273cd1bee3778034db024.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2824	2336	JaffaCakes118_84d20c9b907273cd1bee3778034db024.exe	29
PID 2336 wrote to memory of 2824	2336	JaffaCakes118_84d20c9b907273cd1bee3778034db024.exe	29
PID 2336 wrote to memory of 2824	2336	JaffaCakes118_84d20c9b907273cd1bee3778034db024.exe	29
PID 2336 wrote to memory of 2824	2336	JaffaCakes118_84d20c9b907273cd1bee3778034db024.exe	29
PID 2336 wrote to memory of 2724	2336	JaffaCakes118_84d20c9b907273cd1bee3778034db024.exe	31
PID 2336 wrote to memory of 2724	2336	JaffaCakes118_84d20c9b907273cd1bee3778034db024.exe	31
PID 2336 wrote to memory of 2724	2336	JaffaCakes118_84d20c9b907273cd1bee3778034db024.exe	31
PID 2336 wrote to memory of 2724	2336	JaffaCakes118_84d20c9b907273cd1bee3778034db024.exe	31

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_84d20c9b907273cd1bee3778034db024.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_84d20c9b907273cd1bee3778034db024.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_84d20c9b907273cd1bee3778034db024.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_84d20c9b907273cd1bee3778034db024.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2824
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_84d20c9b907273cd1bee3778034db024.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_84d20c9b907273cd1bee3778034db024.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\A121.B4A

Filesize
1KB

MD5
f580590d523f499bb5b730910c64bbba

SHA1
07c205134305258326889bc4ef30fdff44112ce2

SHA256
1991113a4665cceaacd05447083cf397fa87ac6130aea08d38016f99471d7d56

SHA512
f6be2263eca066ffdffe10ab9bfb276b32ed1755cfa83a85bf8962e920df42766179dcbd59125e34f1938dd77dbfc56d5a8951f61ff0a5f55b4441546523273e

Download Submit
C:\Users\Admin\AppData\Roaming\A121.B4A

Filesize
600B

MD5
40efddaa357055618b9558844da3972b

SHA1
e49ab8b9655c9a00a0cbfac6d4105784a50e6f99

SHA256
1d3658901d8285e440314429837be713c0fe5d79f7445df0afe80ab2f778e0f7

SHA512
9e62f2029c7c0b8a81e7fe61ebb133431b2d4de480a1f2e3bb09e66ab97c6791aa7d415354d569597a0e6d7ef416f403c07cdfbddf543c50fb3f631c127e439e

Download Submit
C:\Users\Admin\AppData\Roaming\A121.B4A

Filesize
996B

MD5
0dc92ab3f87848d37d6b419588c6af5e

SHA1
9681507937ca5510ae24468ff004e4351307bfd6

SHA256
01d99f3a8b5d75497a5f24036a766ab64463bd354dbeb5ad910e09c8e5716561

SHA512
245c68673a2051a079e3f9b7298fb9cc9f15103b994ee838a7ed26ce6308a416b03f51faf166411b593449f547d5d6942879bc42ebb5adf87d863ffd34465ac4

Download Submit
memory/2336-77-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2336-13-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2336-73-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2336-1-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2336-160-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2724-75-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2724-76-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2824-6-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2824-4-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2824-5-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads