cycbot | 6872916843425ef3efd3350709666d9f402e97885a542c5b0b1b69f3f24196b6

General

Target

JaffaCakes118_80ce5561165f342addcfc1016ef35cca.exe
Size

292KB
MD5

80ce5561165f342addcfc1016ef35cca
SHA1

0a0432cd85c3f58632402247d206577eda174300
SHA256

6872916843425ef3efd3350709666d9f402e97885a542c5b0b1b69f3f24196b6
SHA512

dc8100bdde2dabf28843a87e2739315a10e6d3b569bc685423845791a6261c97b48d50ae9d43992ec4c63c304adcdac2bf749c5c8229005e2fd7dc1aa328cd7c
SSDEEP

3072:KZmpgG33H1u5F79GNgPrnw+fg+UbH8eIA6EfI73VrarwObkeLpp+RuDN4oXUyCkC:KzwHobkCbw+fAmdzLparwWLpgSGockl8

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/3032-8-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/2384-16-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/2384-17-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/3020-89-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/2384-91-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/2384-199-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	JaffaCakes118_80ce5561165f342addcfc1016ef35cca.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2384-3-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/3032-7-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/3032-8-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/2384-16-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/2384-17-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/3020-87-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/3020-88-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/3020-89-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/2384-91-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/2384-199-0x0000000000400000-0x000000000044C000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_80ce5561165f342addcfc1016ef35cca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_80ce5561165f342addcfc1016ef35cca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_80ce5561165f342addcfc1016ef35cca.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 3032	2384	JaffaCakes118_80ce5561165f342addcfc1016ef35cca.exe	30
PID 2384 wrote to memory of 3032	2384	JaffaCakes118_80ce5561165f342addcfc1016ef35cca.exe	30
PID 2384 wrote to memory of 3032	2384	JaffaCakes118_80ce5561165f342addcfc1016ef35cca.exe	30
PID 2384 wrote to memory of 3032	2384	JaffaCakes118_80ce5561165f342addcfc1016ef35cca.exe	30
PID 2384 wrote to memory of 3020	2384	JaffaCakes118_80ce5561165f342addcfc1016ef35cca.exe	33
PID 2384 wrote to memory of 3020	2384	JaffaCakes118_80ce5561165f342addcfc1016ef35cca.exe	33
PID 2384 wrote to memory of 3020	2384	JaffaCakes118_80ce5561165f342addcfc1016ef35cca.exe	33
PID 2384 wrote to memory of 3020	2384	JaffaCakes118_80ce5561165f342addcfc1016ef35cca.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_80ce5561165f342addcfc1016ef35cca.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_80ce5561165f342addcfc1016ef35cca.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_80ce5561165f342addcfc1016ef35cca.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_80ce5561165f342addcfc1016ef35cca.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3032
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_80ce5561165f342addcfc1016ef35cca.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_80ce5561165f342addcfc1016ef35cca.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\CB3A.795

Filesize
1KB

MD5
cf58b9f5383932b0b8294c6dde162e66

SHA1
0f795843d00b500a29e9c0e503eafb9e342e40a5

SHA256
6a100d702e97e3e54f33a1b55059f8249c3c0731d3cac209a4aa47025af1824b

SHA512
c60d942bb8090d357a0353866beb0bcea0a90cd930fec5fc2e23ba60bd2004022a1eb02f2d90104f2c2f5b3cf56578f98ed6aee95726246b7e615286808da728

Download Submit
C:\Users\Admin\AppData\Roaming\CB3A.795

Filesize
600B

MD5
c4a17b61d2c45d3fbbc794cbf1adc576

SHA1
5fd9ffd25cba3a067c8d47a003a8f14bae9994c2

SHA256
65b188004201e29d8a4cd48c1529e8b69a3ae9d7598d34fd19fe0e1a8b8a56f1

SHA512
4bed10c6bd18e0c9691d1a4e08a6d7859ca3c15162587d04ac05e49eff30164edf862b862a73a3ea44b26916385d0e9c7d3960220dbe974325a3ed9f79b09d4b

Download Submit
C:\Users\Admin\AppData\Roaming\CB3A.795

Filesize
996B

MD5
4976f6181ab6ed4151a606f1a4ef8a27

SHA1
76a0f3e350604045e2b0e0080613f6c49d1b8f1e

SHA256
49bb66c0229accc0ef8e3591b28ac123a0611334fae172ea4e654870fa0959e0

SHA512
47be77fd411e9c08911a4cc2dc14119a67cebd4416467c085e1bac1322a6989378862b44a4f559e592bbf03ec7d641d9921b407a75135df7838ef83d59bca8e9

Download Submit
memory/2384-5-0x00000000024B0000-0x00000000024FC000-memory.dmp

Filesize
304KB

Download
memory/2384-199-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2384-90-0x0000000003260000-0x00000000032AC000-memory.dmp

Filesize
304KB

Download
memory/2384-16-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2384-17-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2384-3-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2384-2-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2384-85-0x0000000003260000-0x00000000032AC000-memory.dmp

Filesize
304KB

Download
memory/2384-91-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2384-0-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3020-88-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3020-89-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3020-87-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3032-8-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3032-7-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads