cycbot | 764e162e3b5b6eea459286575442cc2a06878db1acdd87426392b896662e3700

General

Target

JaffaCakes118_b54658f1fa7b95bbc1ad9779e9df0d7a.exe
Size

156KB
MD5

b54658f1fa7b95bbc1ad9779e9df0d7a
SHA1

847b723bf079145616811ad8d774524606057e8a
SHA256

764e162e3b5b6eea459286575442cc2a06878db1acdd87426392b896662e3700
SHA512

cd5812cfe2335d39a4400035888ca450947a9ea7b6f82013f6e823fb2a6aa8beb24d13da128aa37cf007e079c21cb2616bc8a22fe270d786b4590d9cc81e0365
SSDEEP

3072:h1AV61tuPhQI6oJu0Dwv5n+qrKw/ZwTGARKCL5Mfk1DTRX5hffsnz+pTi:LbtuPheR5vpnmcQRJL0ADTRJ9fszR

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2420-8-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/2676-16-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/2716-76-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/2676-77-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/2676-183-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	JaffaCakes118_b54658f1fa7b95bbc1ad9779e9df0d7a.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2676-2-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2420-5-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2420-6-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2420-8-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2676-16-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2716-75-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2716-76-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2676-77-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2676-183-0x0000000000400000-0x0000000000442000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b54658f1fa7b95bbc1ad9779e9df0d7a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b54658f1fa7b95bbc1ad9779e9df0d7a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b54658f1fa7b95bbc1ad9779e9df0d7a.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2420	2676	JaffaCakes118_b54658f1fa7b95bbc1ad9779e9df0d7a.exe	30
PID 2676 wrote to memory of 2420	2676	JaffaCakes118_b54658f1fa7b95bbc1ad9779e9df0d7a.exe	30
PID 2676 wrote to memory of 2420	2676	JaffaCakes118_b54658f1fa7b95bbc1ad9779e9df0d7a.exe	30
PID 2676 wrote to memory of 2420	2676	JaffaCakes118_b54658f1fa7b95bbc1ad9779e9df0d7a.exe	30
PID 2676 wrote to memory of 2716	2676	JaffaCakes118_b54658f1fa7b95bbc1ad9779e9df0d7a.exe	33
PID 2676 wrote to memory of 2716	2676	JaffaCakes118_b54658f1fa7b95bbc1ad9779e9df0d7a.exe	33
PID 2676 wrote to memory of 2716	2676	JaffaCakes118_b54658f1fa7b95bbc1ad9779e9df0d7a.exe	33
PID 2676 wrote to memory of 2716	2676	JaffaCakes118_b54658f1fa7b95bbc1ad9779e9df0d7a.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b54658f1fa7b95bbc1ad9779e9df0d7a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b54658f1fa7b95bbc1ad9779e9df0d7a.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b54658f1fa7b95bbc1ad9779e9df0d7a.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b54658f1fa7b95bbc1ad9779e9df0d7a.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2420
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b54658f1fa7b95bbc1ad9779e9df0d7a.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b54658f1fa7b95bbc1ad9779e9df0d7a.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\3A5D.E0F

Filesize
1KB

MD5
498d00b51c518b2df22863d66718c5d7

SHA1
c119b00d6e3554c6c0b479c329ce1ea3a23758eb

SHA256
b7154587d4760f0c5a9e8607d2ae61bc5b65290b6fc13440a9f6aff5b443570f

SHA512
27d5bc209ef5f169109decabab0cfbff62c518478a70de6c4a1c4ec042561b8c910cf0d99a5b4c406b8ae4231bba521574bab4a5477dff95a5212f088d7f6454

Download Submit
C:\Users\Admin\AppData\Roaming\3A5D.E0F

Filesize
300B

MD5
6b333101d50d4b564af5738daf399312

SHA1
562219f018f1192bbc59ad9a799e7d04cdb27cc1

SHA256
92b93234e9a6d8f56c1c66ca61bb8793972404446f99503f619e97b3c2fdc817

SHA512
aa01c7f5ae4936bc3dd207b529eafe722dc17b1c820f042b5d4d8daaa0b70e51e333c6f599875f8bc1d0692fca4f4ab43836e1112bc0eee1e2c328260fbb2390

Download Submit
C:\Users\Admin\AppData\Roaming\3A5D.E0F

Filesize
600B

MD5
cbfa8298511743d213f63eb2a2e34c49

SHA1
015f526c2a6dfa936a56b4bb08c867cc223e331a

SHA256
460c292ae5e3c2eda2c8d5b0b46b14e97178bd37ac309a7bd95e7dd722a8e477

SHA512
ae90790cd2633c2ecbcb592baba405fd75bab0dd9e2f65442f9fbdfa17b1a3440eccb6ba88a3507fec89c5c9b1f989e2afcedd639d93096dd2b740ff130e7455

Download Submit
C:\Users\Admin\AppData\Roaming\3A5D.E0F

Filesize
996B

MD5
fffa48f07534fd89bfafd609ac929e8e

SHA1
be6f2bc3f2a398ec506ddbde5c8ccfe31d2991de

SHA256
bbff7bbc7c557ac4b9b9d5ec11edc8cb3b9636bb70e82785aaaf38cbe7d564e7

SHA512
5cfc8e700218ba426f628dcbce542bbd06efcdfa6ce731c616cffd93258b03d03872a2ae884b6c6ff168b0a33073a176b51eb9039f41dc138e76bacadee2ba53

Download Submit
memory/2420-5-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2420-6-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2420-8-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2676-16-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2676-1-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2676-77-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2676-2-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2676-183-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2716-75-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2716-76-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads