cycbot | 6bdca351c24268bcb1f5d4a77110a3a784f7457a14ca10d55193c53c74849495

General

Target

JaffaCakes118_69d940b56984523d3a925fed11a815d7.exe
Size

185KB
MD5

69d940b56984523d3a925fed11a815d7
SHA1

1a50ba4a4c814b38f0044ef22131f549083f22f6
SHA256

6bdca351c24268bcb1f5d4a77110a3a784f7457a14ca10d55193c53c74849495
SHA512

9cb4a4d9ee82cdb57cbc5cfeadd46149b69e1ea237d9085d3271c1a14e5b2ffe68b2322b40a9b84e05dc913084bf181139b770dd694d3700323f8d2b605c872f
SSDEEP

3072:YsTu51gCPP9FJ8Nitr8YDyoM9fXR4tKH9meeeAL26aLxxQAN4KVFLkO9V6:YsTu5r9oNkwz1fXR0kme7AaRlbeKPkOH

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2104-13-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/1860-14-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/1860-73-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/2084-75-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/1860-184-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	JaffaCakes118_69d940b56984523d3a925fed11a815d7.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1860-2-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2104-12-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2104-13-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/1860-14-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/1860-73-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2084-75-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/1860-184-0x0000000000400000-0x0000000000442000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_69d940b56984523d3a925fed11a815d7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_69d940b56984523d3a925fed11a815d7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_69d940b56984523d3a925fed11a815d7.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 2104	1860	JaffaCakes118_69d940b56984523d3a925fed11a815d7.exe	30
PID 1860 wrote to memory of 2104	1860	JaffaCakes118_69d940b56984523d3a925fed11a815d7.exe	30
PID 1860 wrote to memory of 2104	1860	JaffaCakes118_69d940b56984523d3a925fed11a815d7.exe	30
PID 1860 wrote to memory of 2104	1860	JaffaCakes118_69d940b56984523d3a925fed11a815d7.exe	30
PID 1860 wrote to memory of 2084	1860	JaffaCakes118_69d940b56984523d3a925fed11a815d7.exe	33
PID 1860 wrote to memory of 2084	1860	JaffaCakes118_69d940b56984523d3a925fed11a815d7.exe	33
PID 1860 wrote to memory of 2084	1860	JaffaCakes118_69d940b56984523d3a925fed11a815d7.exe	33
PID 1860 wrote to memory of 2084	1860	JaffaCakes118_69d940b56984523d3a925fed11a815d7.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_69d940b56984523d3a925fed11a815d7.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_69d940b56984523d3a925fed11a815d7.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_69d940b56984523d3a925fed11a815d7.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_69d940b56984523d3a925fed11a815d7.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2104
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_69d940b56984523d3a925fed11a815d7.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_69d940b56984523d3a925fed11a815d7.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\69D3.F2A

Filesize
1KB

MD5
b36c33cfeefca588e227b005786dab9a

SHA1
d2b3466e1d61c87e07c4670a289a12228511398d

SHA256
5824f776dcd1fa0c22ce39a2612764c597198c71ed54eb40241d97153a257851

SHA512
8d56cf2082df3d47150e0d23264c8825f94ae01bbd2455782cdf749b5a7fb732b6a0b7750204163546138622c9e9ee7c2d3cae8150e83d9719489b77b0422176

Download Submit
C:\Users\Admin\AppData\Roaming\69D3.F2A

Filesize
600B

MD5
d92c5eccffa619cca287f171bcd20391

SHA1
048599af748e35b5356a2c19e0373308c445e8af

SHA256
743353655631fd857568abd494b4ddb8c5216dd046161eadc0e8beae81f1f781

SHA512
bf134486a2414bb3bb9697e51f927e614136bc8d49d01a4c89b6e5115072b9f0ab2c59dad1bc7d6b615a28730e1e99f7d598766d18b40b5775518836ba57efca

Download Submit
C:\Users\Admin\AppData\Roaming\69D3.F2A

Filesize
996B

MD5
60752e5163fbd83b3424a8688c4dfb61

SHA1
3dfc0353ce8a2515cd84203a8a72bcf917f55c50

SHA256
a3b3b02e40c4ae125af56b56072c66f54a3965977c02fb23cde08d35336c8f78

SHA512
d8693325ec9a715a9f91fcc97d4d4a6a71b5dad48f77de1212115ccd439261b9abba6db5b0a467a5e64283e56ad0f1ce92b8ba0aaffd2f0beffb5db5c955e1b8

Download Submit
memory/1860-1-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1860-2-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1860-14-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1860-73-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1860-184-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2084-75-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2104-12-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2104-13-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads