cycbot | 1fe1dcf18660cbe9cc1493193c00f120a50ba0bb6bedfa7d5798f4a5dc86574a

General

Target

JaffaCakes118_87de8717484a061e9550bb201f235e85.exe
Size

187KB
MD5

87de8717484a061e9550bb201f235e85
SHA1

5cf29b0e66fa023fbc50998d9a882c1362087125
SHA256

1fe1dcf18660cbe9cc1493193c00f120a50ba0bb6bedfa7d5798f4a5dc86574a
SHA512

537b1e882bcdb2712b5831f3e4c4a354f4b82e4c957eb66f0ac444e2d4fee3fb701a76da6958ee8bcdeb37b20e092842f8060aaf307454aaa88c26bd95e6de2e
SSDEEP

3072:F9v+GBLTFMP2/xlWj+/AoShRf3euX81gxclOmEZv7NuksBepLpKfFWfFqb:rv+GNMP2p24cRrXAgxBTsBeBpJfc

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2572-48-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/2460-49-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/2460-112-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/1680-115-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/2460-222-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	JaffaCakes118_87de8717484a061e9550bb201f235e85.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2460-2-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2572-48-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2460-49-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2460-112-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1680-114-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1680-115-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2460-222-0x0000000000400000-0x000000000044B000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_87de8717484a061e9550bb201f235e85.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 2572	2460	JaffaCakes118_87de8717484a061e9550bb201f235e85.exe	31
PID 2460 wrote to memory of 2572	2460	JaffaCakes118_87de8717484a061e9550bb201f235e85.exe	31
PID 2460 wrote to memory of 2572	2460	JaffaCakes118_87de8717484a061e9550bb201f235e85.exe	31
PID 2460 wrote to memory of 2572	2460	JaffaCakes118_87de8717484a061e9550bb201f235e85.exe	31
PID 2460 wrote to memory of 1680	2460	JaffaCakes118_87de8717484a061e9550bb201f235e85.exe	33
PID 2460 wrote to memory of 1680	2460	JaffaCakes118_87de8717484a061e9550bb201f235e85.exe	33
PID 2460 wrote to memory of 1680	2460	JaffaCakes118_87de8717484a061e9550bb201f235e85.exe	33
PID 2460 wrote to memory of 1680	2460	JaffaCakes118_87de8717484a061e9550bb201f235e85.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_87de8717484a061e9550bb201f235e85.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_87de8717484a061e9550bb201f235e85.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_87de8717484a061e9550bb201f235e85.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_87de8717484a061e9550bb201f235e85.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:2572
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_87de8717484a061e9550bb201f235e85.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_87de8717484a061e9550bb201f235e85.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\D04F.6AC

Filesize
1KB

MD5
2b47db842d7f41f6e7115529ebcb767b

SHA1
3fb50d17a0b0a6a72bff3274c39bddce56e6b43e

SHA256
c4e07cd0b86846255e6c86a763f1461ff0d8967cf57fbe96678d7e82603f6222

SHA512
1e3842e52dacd580f69b4deccf6daae59fa735b24e02da11a480767ac48cb5c424bf628499aa73f6f0f295abf2084b5f7e14d50577fb9d2c7eaee926e6c5228e

Download Submit
C:\Users\Admin\AppData\Roaming\D04F.6AC

Filesize
1KB

MD5
ad12c3c8e2c07189d875e46192aebda5

SHA1
0b3518436f65d99d9598881369641628e75bb502

SHA256
2b86ae73301d7ebc8b1cd6c5c99f604f6d2c8bd8009c03146d27ab8a33d760ed

SHA512
f1090cc9adf224cb5cb7469b1397d0b33de43e835f7bd3e67aa3fad4765472302511c106ba091c162a7b998434e29df681eb6dccd91fc2481ae773e17dc79e00

Download Submit
C:\Users\Admin\AppData\Roaming\D04F.6AC

Filesize
597B

MD5
ee4b7ecbdfd63149e879034185ef241a

SHA1
eed4443157ed4f93b75c82ff211247640ca80714

SHA256
1c94645071cc4b2e2a800706e68fc60a1823a5e30eb8b1835152c1017f6c7363

SHA512
36d99783c7e66a14dd223ea4a4a26940844abaff855a71dd00acc1c3878d96ce4478ccc4eda7707f37dbe6db6d0da45873a621c86d5e2edc7d38b41f2b76e1f3

Download Submit
C:\Users\Admin\AppData\Roaming\D04F.6AC

Filesize
897B

MD5
8f32ec5c0ebb8be760cc4f35da1bb903

SHA1
1fb455bda556c11ee4c4afe614a3ec4f8ac77e80

SHA256
f50729626e01f44a2358a5e271ce50cee9993acd4cef3c96c5f8c7caf1fa50fd

SHA512
5dd7551a0abf7da0be75c249f9daf6baa9902c381bfa04926d66470d20428bc662101c583d325888c64b0664ef54cc89f75d2501847c331729a59300adb4d833

Download Submit
C:\Users\Admin\AppData\Roaming\D04F.6AC

Filesize
297B

MD5
b2076c57f76a7ab7b762bbc247623ccb

SHA1
ffb438828febe641939e0a9614a3ff2ebef95ea5

SHA256
2123628ac562bd6ae12bd318d3bac5ca036bbaba73201c146c5181e6b9c5abf0

SHA512
8bf04cb0aa00677c254c1f189360040666281abb1c8f153b4a17754ab958eaf08f5d7bc26f071764fdb79ad3ceec4342b20ff2e2a66924f90ed0c976b5b50575

Download Submit
memory/1680-114-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1680-115-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2460-49-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2460-1-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2460-112-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2460-2-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2460-222-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2572-48-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads