cycbot | 9fb15f6118304c71476152829e6169957cef35ba95a56ce666f4bb4ce7b85f4e

General

Target

JaffaCakes118_b35cf5b598b133c83bfc1e9a092c679a.exe
Size

164KB
MD5

b35cf5b598b133c83bfc1e9a092c679a
SHA1

a4f3682f149737bdc29151bd11df8efbe9b3ed2f
SHA256

9fb15f6118304c71476152829e6169957cef35ba95a56ce666f4bb4ce7b85f4e
SHA512

d0c91ae75c24d41e2b3ae964347f42d71af01ae0c2df4bb629e35d1edd4b78be89339fbdbb56696c981649b587bf7f639fc8b6061740ae67e19dbe6772ef7fb5
SSDEEP

3072:toyZUHc9NkVLSgbYvox+MEOINCbHr61bx3Ti1MwgRF1YGFG:W/HcTch0v7MEFNCHUbx3+Mwg2GI

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2072-6-0x0000000000400000-0x000000000043D000-memory.dmp	family_cycbot
behavioral1/memory/3052-13-0x0000000000400000-0x000000000043D000-memory.dmp	family_cycbot
behavioral1/memory/1064-81-0x0000000000400000-0x000000000043D000-memory.dmp	family_cycbot
behavioral1/memory/3052-80-0x0000000000400000-0x000000000043D000-memory.dmp	family_cycbot
behavioral1/memory/3052-168-0x0000000000400000-0x000000000043D000-memory.dmp	family_cycbot
behavioral1/memory/3052-209-0x0000000000400000-0x000000000043D000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	JaffaCakes118_b35cf5b598b133c83bfc1e9a092c679a.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3052-1-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/2072-5-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/2072-4-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/2072-6-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/3052-13-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/1064-81-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/3052-80-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/3052-168-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/3052-209-0x0000000000400000-0x000000000043D000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b35cf5b598b133c83bfc1e9a092c679a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b35cf5b598b133c83bfc1e9a092c679a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b35cf5b598b133c83bfc1e9a092c679a.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 2072	3052	JaffaCakes118_b35cf5b598b133c83bfc1e9a092c679a.exe	30
PID 3052 wrote to memory of 2072	3052	JaffaCakes118_b35cf5b598b133c83bfc1e9a092c679a.exe	30
PID 3052 wrote to memory of 2072	3052	JaffaCakes118_b35cf5b598b133c83bfc1e9a092c679a.exe	30
PID 3052 wrote to memory of 2072	3052	JaffaCakes118_b35cf5b598b133c83bfc1e9a092c679a.exe	30
PID 3052 wrote to memory of 1064	3052	JaffaCakes118_b35cf5b598b133c83bfc1e9a092c679a.exe	32
PID 3052 wrote to memory of 1064	3052	JaffaCakes118_b35cf5b598b133c83bfc1e9a092c679a.exe	32
PID 3052 wrote to memory of 1064	3052	JaffaCakes118_b35cf5b598b133c83bfc1e9a092c679a.exe	32
PID 3052 wrote to memory of 1064	3052	JaffaCakes118_b35cf5b598b133c83bfc1e9a092c679a.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b35cf5b598b133c83bfc1e9a092c679a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b35cf5b598b133c83bfc1e9a092c679a.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b35cf5b598b133c83bfc1e9a092c679a.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b35cf5b598b133c83bfc1e9a092c679a.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2072
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b35cf5b598b133c83bfc1e9a092c679a.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b35cf5b598b133c83bfc1e9a092c679a.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\F2BB.CBA

Filesize
1KB

MD5
87535383bbafb198b75436195b606066

SHA1
b0b8f2d069db1c186deeaa4df063f093c4ee4b99

SHA256
437ea33705bd9abfc2718099a4dacc1354d153a3dbf1098942212146dcefe215

SHA512
42be0730f63a68e914bed1940e7609afea1a78f409f5841e493011058a9f4379bd92dc0e1c249c56d7b1765d79c5b8832c00ce7637450f0547109341c88b13df

Download Submit
C:\Users\Admin\AppData\Roaming\F2BB.CBA

Filesize
600B

MD5
53eac7c29d70b2c57393954d93e6f0a0

SHA1
84420377521b2ff72d11766d6ff45a81c3ad0b6e

SHA256
620aa7ca47a3ea80d7f989290cdbb3df7d96d5eaf7887a52015cbd181bcae668

SHA512
a2bdb09a90daa9064fed103f15cd1ba14ac69bd2c6708392eb77bfaf63e6b12b0f5961446abc9ce03b1a9456ad646aa2eb7dc0e04cb2f531de732a426d77d3f7

Download Submit
C:\Users\Admin\AppData\Roaming\F2BB.CBA

Filesize
996B

MD5
7f630d67f61a2d9de05ee203f34e2a84

SHA1
730b162a6b7fd5e13b67f0cd95530ab311b86ca9

SHA256
162bd6397440fcc0461d649ec0887eb5c0d5d6db326d65f86d383122fc8955cc

SHA512
6adcbdd63af359979226385471a99f5911a71e2f6bfd9c67b18f45483d91385e3306a4d5c89ad56422cb99d0f4c6b4e5343de82e00ea5a49d158da55d22ed370

Download Submit
memory/1064-81-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2072-5-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2072-4-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2072-6-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3052-1-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3052-13-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3052-80-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3052-168-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3052-209-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads