cycbot | 20018b30057a9f5d885dadf9b227388272cdd5954603606feaf3fd4428a89d92

General

Target

JaffaCakes118_aaa9728f232ce790507a974c92400969.exe
Size

155KB
MD5

aaa9728f232ce790507a974c92400969
SHA1

2b8859157bfe1443f98d88cff9c0cee68f11f304
SHA256

20018b30057a9f5d885dadf9b227388272cdd5954603606feaf3fd4428a89d92
SHA512

18ac712e87d8a0e909a5df37ae36eb591736723c2084c455523cfdd4dbef10b3013f39279e5c799aec827c69c15769142866d9cd3fc379ee9d02f2f766ee237a
SSDEEP

3072:aG2Ijl2W/sfpK2EN91X6L7shNw68dcZMfkNB4KBOjS8LDFFENC:7XkZ0PKMhNLCyMfuZOjS8NFEN

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2760-8-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/2756-19-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/2756-86-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/2868-89-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/2756-193-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	JaffaCakes118_aaa9728f232ce790507a974c92400969.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2756-2-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2760-7-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2760-8-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2756-19-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2756-86-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2868-88-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2868-89-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2756-193-0x0000000000400000-0x0000000000442000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_aaa9728f232ce790507a974c92400969.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_aaa9728f232ce790507a974c92400969.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_aaa9728f232ce790507a974c92400969.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2760	2756	JaffaCakes118_aaa9728f232ce790507a974c92400969.exe	30
PID 2756 wrote to memory of 2760	2756	JaffaCakes118_aaa9728f232ce790507a974c92400969.exe	30
PID 2756 wrote to memory of 2760	2756	JaffaCakes118_aaa9728f232ce790507a974c92400969.exe	30
PID 2756 wrote to memory of 2760	2756	JaffaCakes118_aaa9728f232ce790507a974c92400969.exe	30
PID 2756 wrote to memory of 2868	2756	JaffaCakes118_aaa9728f232ce790507a974c92400969.exe	32
PID 2756 wrote to memory of 2868	2756	JaffaCakes118_aaa9728f232ce790507a974c92400969.exe	32
PID 2756 wrote to memory of 2868	2756	JaffaCakes118_aaa9728f232ce790507a974c92400969.exe	32
PID 2756 wrote to memory of 2868	2756	JaffaCakes118_aaa9728f232ce790507a974c92400969.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_aaa9728f232ce790507a974c92400969.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_aaa9728f232ce790507a974c92400969.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_aaa9728f232ce790507a974c92400969.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_aaa9728f232ce790507a974c92400969.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2760
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_aaa9728f232ce790507a974c92400969.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_aaa9728f232ce790507a974c92400969.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\D441.E55

Filesize
297B

MD5
391a2842117881efb91731c1c45cf493

SHA1
c829cd607f96f8f852d468c9441467028d542859

SHA256
683e08b405ad9e70ef4552b141309c3a927e1f403b7f222f8e93b25d88c56347

SHA512
8de0b711c77bb2e0626c4cbe8ab9e8ee5a2d03f198367c7a316f13718e4c8b1cf6c6a3089e940ee4f9ca2470e996df88bdcf088cead4f1ed186e7e580be5fa34

Download Submit
C:\Users\Admin\AppData\Roaming\D441.E55

Filesize
1KB

MD5
62171b92b26083c1714e796ce8117822

SHA1
58b78b89407a5e5b7c7d413249608def71cffd27

SHA256
590163704d95da04ad49761c1497d50a55c1d60f2bf94c9026dfa3975ee0be1b

SHA512
4e359407f3cf74a54647e707c63ff9c8ab5bdd2f01a3ef3fe023296c800e23b03dda58bb66545dfd311a51b3b97814c40b7511198393b70aedd244a1a813ae99

Download Submit
C:\Users\Admin\AppData\Roaming\D441.E55

Filesize
897B

MD5
95e4ed299d6c4d9a199bc2f757ed7153

SHA1
feed7e7a64bb04a51ce0e42f606492423b8ee77f

SHA256
61ed4c266d0acff8b2127966d762be4ee44ea9adc72575bcc12b6530c913b34b

SHA512
f8991846eeda85b5db05c8e249b22285b49d3326c09ab4c0c12cb95a658f612cae4901644db402dde4f9149f91fad896a5f113ded51383d88df91c03edeb8fde

Download Submit
C:\Users\Admin\AppData\Roaming\D441.E55

Filesize
1KB

MD5
f1096a892b65daf02d8b094fdd61c43e

SHA1
53e39efe833858d77cd54cd21649067d01d919c4

SHA256
31738fa9e3bb7b077c10ff89f9e0764f286e18ec240b3cbb62fb72dac6efbe31

SHA512
b82047778e79409806ef1bb495a31518bab70739cab2f36e3ccc29d6eb3bf95f9ceee0c5d40b2ae57c72b9bd452d4adcd9e2ab04152ad4845e558cd99c3c1f3c

Download Submit
memory/2756-2-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2756-193-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2756-1-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2756-19-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2756-86-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2760-8-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2760-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2868-89-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2868-88-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads