cycbot | 711546c4a73e555d03231da10dc51251b561de9cf393facca4b3eac262b466f7

General

Target

JaffaCakes118_6cda8b56c8cdb26667912f50a234258f.exe
Size

179KB
MD5

6cda8b56c8cdb26667912f50a234258f
SHA1

a46a2d98553482ef729be3cfbfc4366241304e3e
SHA256

711546c4a73e555d03231da10dc51251b561de9cf393facca4b3eac262b466f7
SHA512

8c3e7e417edab76045406772ecf5bc9a4c7be37bb3765cb41a4be5e9d1e7a073dd2c1e3aaa15e481b400488ec50904deb5b8eb810ae1f23fd13c34e2317c971b
SSDEEP

3072:k0FXNJPY9XjMnklHpMNDWsia4P9Vz8Aji8zVg5zGFcti19D/WcWKEmzr9c:k0lPwNjMnklmWNa4f8AjiKS5qF4i19jK

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2240-14-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/2384-15-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/2384-80-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/1288-84-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/2384-185-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	JaffaCakes118_6cda8b56c8cdb26667912f50a234258f.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2384-2-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2240-12-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2240-14-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2384-15-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2384-80-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1288-84-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1288-82-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2384-185-0x0000000000400000-0x000000000044B000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6cda8b56c8cdb26667912f50a234258f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6cda8b56c8cdb26667912f50a234258f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6cda8b56c8cdb26667912f50a234258f.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2240	2384	JaffaCakes118_6cda8b56c8cdb26667912f50a234258f.exe	30
PID 2384 wrote to memory of 2240	2384	JaffaCakes118_6cda8b56c8cdb26667912f50a234258f.exe	30
PID 2384 wrote to memory of 2240	2384	JaffaCakes118_6cda8b56c8cdb26667912f50a234258f.exe	30
PID 2384 wrote to memory of 2240	2384	JaffaCakes118_6cda8b56c8cdb26667912f50a234258f.exe	30
PID 2384 wrote to memory of 1288	2384	JaffaCakes118_6cda8b56c8cdb26667912f50a234258f.exe	33
PID 2384 wrote to memory of 1288	2384	JaffaCakes118_6cda8b56c8cdb26667912f50a234258f.exe	33
PID 2384 wrote to memory of 1288	2384	JaffaCakes118_6cda8b56c8cdb26667912f50a234258f.exe	33
PID 2384 wrote to memory of 1288	2384	JaffaCakes118_6cda8b56c8cdb26667912f50a234258f.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6cda8b56c8cdb26667912f50a234258f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6cda8b56c8cdb26667912f50a234258f.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6cda8b56c8cdb26667912f50a234258f.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6cda8b56c8cdb26667912f50a234258f.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2240
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6cda8b56c8cdb26667912f50a234258f.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6cda8b56c8cdb26667912f50a234258f.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\5C35.F18

Filesize
1KB

MD5
858fdd55b2b2201bbbf2c28a8cc47614

SHA1
6ecc2a81af3ce902bf295bba4b2b3ffa55d2bc23

SHA256
e5768c9f5d1c7d03d4c9d9c4daee59957e7c7ba418b1b35e56a0158baae43e37

SHA512
46bf8fd2e655659de4e488a87d5e4c966fc75274138dd9a16e40a38b10c37c6269518e12e3d2941885cb4a0e045da0d5931fd8c59794da81ab650cb527973489

Download Submit
C:\Users\Admin\AppData\Roaming\5C35.F18

Filesize
600B

MD5
8110e0a90d09c7d23942490b5f12f84f

SHA1
762d5a8a7a4824f045d4790e437c483304de6727

SHA256
1e262cfb857c14fd50930a8f13bd764fef57f6dacdc21e094ea6b4bae3c7fe96

SHA512
61385fbc5b389e628c5bb0673140fa7d674e6320547e0d933652f0ec9b72947fcd81c6d17173eaf901ddcc50c4007000375c1d0d7730e39314f5c79efd9b9bf3

Download Submit
C:\Users\Admin\AppData\Roaming\5C35.F18

Filesize
996B

MD5
4a26beab3fcb02ea5c7138953c4389dc

SHA1
5d9c54505512612e87162fe1624240cd8e11fbea

SHA256
30486d7fffd0fa92b5433df75c10cd4825b3aebefdc48b0e62f5f06f50f1bba1

SHA512
84dc9d7c0b764a4926ffd22740791b5828fb16e104ef0827ade57450b15b77ee808bf85a320bd7eea47a7bb1b48c68142a43b134533b64aad284ab6131ec81ba

Download Submit
memory/1288-84-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1288-82-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2240-12-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2240-14-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2384-1-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2384-2-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2384-15-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2384-80-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2384-185-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads