cycbot | 5b3462bea319a6caff97418313eb9852d276ca419330ac07ec5421fd0c06ca0c

General

Target

JaffaCakes118_7656f3c27387917026b4b6faa424be4b.exe
Size

182KB
MD5

7656f3c27387917026b4b6faa424be4b
SHA1

a5581d13c6c76f7e57373d45960d93d8d14e86c4
SHA256

5b3462bea319a6caff97418313eb9852d276ca419330ac07ec5421fd0c06ca0c
SHA512

95013eee1c570682ad188ee62bc41c78d74a5475440b7e3f5fabb55ff9bf2b6a7ba26e36f8b83a1504c3b87afa92e22ab7d589116ce197094cb6489bb007ba65
SSDEEP

3072:MlFKJnKOSSMpeTGpPFygYK95MsVk1JQ0GiP/SPx42el+LA51/3oE:kFqnkJNMYVunPK62RuBoE

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1056-9-0x0000000000400000-0x0000000000443000-memory.dmp	family_cycbot
behavioral1/memory/1056-7-0x0000000000400000-0x0000000000443000-memory.dmp	family_cycbot
behavioral1/memory/1236-14-0x0000000000400000-0x0000000000443000-memory.dmp	family_cycbot
behavioral1/memory/2656-75-0x0000000000400000-0x0000000000443000-memory.dmp	family_cycbot
behavioral1/memory/1236-128-0x0000000000400000-0x0000000000443000-memory.dmp	family_cycbot
behavioral1/memory/1236-173-0x0000000000400000-0x0000000000443000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	JaffaCakes118_7656f3c27387917026b4b6faa424be4b.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1236-1-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/1056-9-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/1056-7-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/1236-14-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2656-74-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2656-75-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/1236-128-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/1236-173-0x0000000000400000-0x0000000000443000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7656f3c27387917026b4b6faa424be4b.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1236 wrote to memory of 1056	1236	JaffaCakes118_7656f3c27387917026b4b6faa424be4b.exe	30
PID 1236 wrote to memory of 1056	1236	JaffaCakes118_7656f3c27387917026b4b6faa424be4b.exe	30
PID 1236 wrote to memory of 1056	1236	JaffaCakes118_7656f3c27387917026b4b6faa424be4b.exe	30
PID 1236 wrote to memory of 1056	1236	JaffaCakes118_7656f3c27387917026b4b6faa424be4b.exe	30
PID 1236 wrote to memory of 2656	1236	JaffaCakes118_7656f3c27387917026b4b6faa424be4b.exe	33
PID 1236 wrote to memory of 2656	1236	JaffaCakes118_7656f3c27387917026b4b6faa424be4b.exe	33
PID 1236 wrote to memory of 2656	1236	JaffaCakes118_7656f3c27387917026b4b6faa424be4b.exe	33
PID 1236 wrote to memory of 2656	1236	JaffaCakes118_7656f3c27387917026b4b6faa424be4b.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7656f3c27387917026b4b6faa424be4b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7656f3c27387917026b4b6faa424be4b.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7656f3c27387917026b4b6faa424be4b.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7656f3c27387917026b4b6faa424be4b.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:1056
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7656f3c27387917026b4b6faa424be4b.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7656f3c27387917026b4b6faa424be4b.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\F5A7.35F

Filesize
600B

MD5
49c569169884fe065b5b7b4230bde8e8

SHA1
fe6805b5c638ce40fd3eb53ac08152de59f1e29a

SHA256
6579f03038f0adc474b4afa9507d55848265bd71afa47371e163300905a625fb

SHA512
71b2659f96ae897b33ab733e9182fc46cddc5c2a9a11575febcb51bcbbb64d5463e6bc0f68c13a338e1d7690ad4cde9e06bc42b0d989ede3b0b10c6a878fa368

Download Submit
C:\Users\Admin\AppData\Roaming\F5A7.35F

Filesize
1KB

MD5
fde8e160dc5d45ab2e6e58e9c01ed73e

SHA1
28ca297e3732619d081fbc270ae9b340e48c4bfe

SHA256
abbd8963f97c9ece58c95bdda673c29d47798c881baa84e1cf24cfd1b663545a

SHA512
fca4e44484dc1306d5c954fc1b527d4d9cd4f693189573b5ab99d5d873965edf9145cfa698ecb108860a8a271d50df915bdfa8e37db6aa0713136c8b6ff7bf9c

Download Submit
C:\Users\Admin\AppData\Roaming\F5A7.35F

Filesize
996B

MD5
b2797e2acf42053b6afaafcf1815adc0

SHA1
b173e446fd876ebf17f5b653e9dc43703cf43f44

SHA256
c5ebb2340a168ca07ac6517b0f2bf3a34386f74d844076a79a9605c6e20a48c3

SHA512
3f91abc5b921448c57b5d1bdbc23843c5012d71d441cab5d7342c02d6c64573287957a6d3197a32fe5a2ef19038e612e38f867c0b012a9035d6c225c826bc629

Download Submit
memory/1056-6-0x0000000000510000-0x0000000000610000-memory.dmp

Filesize
1024KB

Download
memory/1056-9-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1056-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1056-8-0x0000000000554000-0x0000000000570000-memory.dmp

Filesize
112KB

Download
memory/1236-14-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1236-128-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1236-1-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1236-173-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2656-73-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2656-75-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2656-74-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads