cycbot | 4fcad03902e6b1b9cf79ad94c6780611a635983003ae85600c3909439a6a05f3

General

Target

JaffaCakes118_90e49675e9eb0d3d0af176e3aa6a85c6.exe
Size

168KB
MD5

90e49675e9eb0d3d0af176e3aa6a85c6
SHA1

d75e624ab4301b5b0a2b993ae834e18ba06e317a
SHA256

4fcad03902e6b1b9cf79ad94c6780611a635983003ae85600c3909439a6a05f3
SHA512

a9060ce37a43749710f4cef2b49981fe05e08b5c21eaf3762ddbea73565ef1ca6d96d5273e8beb3994f04643285ba1b265329279402d7b6df9cbcb90c46a2831
SSDEEP

3072:1AIGitAdeif0HeJESbLnocTNB3qjwEvVm+DL67KAIau3UBjL60z0i:mIGG2f0HwEiLDTv3qE8HiKAXu3Kjt

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2784-12-0x0000000000400000-0x0000000000446000-memory.dmp	family_cycbot
behavioral1/memory/2736-13-0x0000000000400000-0x0000000000446000-memory.dmp	family_cycbot
behavioral1/memory/2348-82-0x0000000000400000-0x0000000000446000-memory.dmp	family_cycbot
behavioral1/memory/2736-83-0x0000000000400000-0x0000000000446000-memory.dmp	family_cycbot
behavioral1/memory/2736-155-0x0000000000400000-0x0000000000446000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	JaffaCakes118_90e49675e9eb0d3d0af176e3aa6a85c6.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2736-2-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2784-12-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2736-13-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2348-80-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2348-82-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2736-83-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2736-155-0x0000000000400000-0x0000000000446000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_90e49675e9eb0d3d0af176e3aa6a85c6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_90e49675e9eb0d3d0af176e3aa6a85c6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_90e49675e9eb0d3d0af176e3aa6a85c6.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 2784	2736	JaffaCakes118_90e49675e9eb0d3d0af176e3aa6a85c6.exe	30
PID 2736 wrote to memory of 2784	2736	JaffaCakes118_90e49675e9eb0d3d0af176e3aa6a85c6.exe	30
PID 2736 wrote to memory of 2784	2736	JaffaCakes118_90e49675e9eb0d3d0af176e3aa6a85c6.exe	30
PID 2736 wrote to memory of 2784	2736	JaffaCakes118_90e49675e9eb0d3d0af176e3aa6a85c6.exe	30
PID 2736 wrote to memory of 2348	2736	JaffaCakes118_90e49675e9eb0d3d0af176e3aa6a85c6.exe	32
PID 2736 wrote to memory of 2348	2736	JaffaCakes118_90e49675e9eb0d3d0af176e3aa6a85c6.exe	32
PID 2736 wrote to memory of 2348	2736	JaffaCakes118_90e49675e9eb0d3d0af176e3aa6a85c6.exe	32
PID 2736 wrote to memory of 2348	2736	JaffaCakes118_90e49675e9eb0d3d0af176e3aa6a85c6.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_90e49675e9eb0d3d0af176e3aa6a85c6.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_90e49675e9eb0d3d0af176e3aa6a85c6.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_90e49675e9eb0d3d0af176e3aa6a85c6.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_90e49675e9eb0d3d0af176e3aa6a85c6.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2784
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_90e49675e9eb0d3d0af176e3aa6a85c6.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_90e49675e9eb0d3d0af176e3aa6a85c6.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\A854.53F

Filesize
600B

MD5
58ebdf101b34523031368f5999eb530d

SHA1
625873a25b270fb0405d42960df9b02bfc517f46

SHA256
67bb3d8150742a0009ec4fb295f810bc7104e28bf4bef621d4393973ee262db9

SHA512
bd8c268dd11f29af883eaee283a28730782863df13ef6e29f6ae285e00f877616f884961ced29b292a2538dd49400b613266645c3cf75920b671b26a8cffd736

Download Submit
C:\Users\Admin\AppData\Roaming\A854.53F

Filesize
1KB

MD5
ff84d9f0f0b5ae9429a9aaa404cffd4a

SHA1
28f770c1b6c70b600b8f4ba8b345d708158a52d0

SHA256
b51c245e022f157e838def6bafe65d6f48798cf3f447f773d26c2ee9ca2c101d

SHA512
11b75fb7fc9459e2d576dfdb4e346d0fe09274f6242212a8d23063836af11e42d4f8f33fa5d526c4039113bcdfae3e9a2aaf0ee8a69f2da619ca40c6588b259c

Download Submit
C:\Users\Admin\AppData\Roaming\A854.53F

Filesize
996B

MD5
d12c3601a86153b69e65c1ae4c680542

SHA1
7b23f1dadc85d0e3a22a46547236d36066bff1b5

SHA256
c660fd283162e8ebb71670470805d7e6eb70517061b832f67170338f430b6473

SHA512
e26a8e44e2350c7292ff386a8655411cc12f86b785a6301639c71c1d6cbdb09ab7912d3eccdcc8c73ad67e37a93a67c492e1679afcb46b9dc76177b4908fe48b

Download Submit
memory/2348-80-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2348-82-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2736-1-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2736-2-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2736-13-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2736-83-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2736-155-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2784-12-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads