cycbot | aadc5c952ed0e7d852f51d46f18c38a8bdd983947d6a6a5b7c3d86152bff10fa

General

Target

JaffaCakes118_cbc900f175b111c2c802f2a61428fce3.exe
Size

157KB
MD5

cbc900f175b111c2c802f2a61428fce3
SHA1

25cf850b4b59d263ee1d9c184ae1c909b16575f4
SHA256

aadc5c952ed0e7d852f51d46f18c38a8bdd983947d6a6a5b7c3d86152bff10fa
SHA512

3f67c588d2a52283eb3a52e8f6a8bb736f3e3cb7f6b863939092a70de9b1fe6797f5c53b94bb02db02b6cb3d8f6ae3cadebe68399afbfe89ed9245f608d54206
SSDEEP

3072:tRkNRHsTF+Tkjj7dP9HdHOA0SUUqTr5kwFe6BZAmJVbeNdg:tRMfkP7dP99HOMFi5Je6BZAm3eNdg

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1956-7-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/2348-18-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/2348-85-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/688-88-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/2348-201-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	JaffaCakes118_cbc900f175b111c2c802f2a61428fce3.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2348-2-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/1956-7-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2348-18-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2348-85-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/688-87-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/688-88-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2348-201-0x0000000000400000-0x0000000000442000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_cbc900f175b111c2c802f2a61428fce3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_cbc900f175b111c2c802f2a61428fce3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_cbc900f175b111c2c802f2a61428fce3.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 1956	2348	JaffaCakes118_cbc900f175b111c2c802f2a61428fce3.exe	30
PID 2348 wrote to memory of 1956	2348	JaffaCakes118_cbc900f175b111c2c802f2a61428fce3.exe	30
PID 2348 wrote to memory of 1956	2348	JaffaCakes118_cbc900f175b111c2c802f2a61428fce3.exe	30
PID 2348 wrote to memory of 1956	2348	JaffaCakes118_cbc900f175b111c2c802f2a61428fce3.exe	30
PID 2348 wrote to memory of 688	2348	JaffaCakes118_cbc900f175b111c2c802f2a61428fce3.exe	33
PID 2348 wrote to memory of 688	2348	JaffaCakes118_cbc900f175b111c2c802f2a61428fce3.exe	33
PID 2348 wrote to memory of 688	2348	JaffaCakes118_cbc900f175b111c2c802f2a61428fce3.exe	33
PID 2348 wrote to memory of 688	2348	JaffaCakes118_cbc900f175b111c2c802f2a61428fce3.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cbc900f175b111c2c802f2a61428fce3.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cbc900f175b111c2c802f2a61428fce3.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cbc900f175b111c2c802f2a61428fce3.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cbc900f175b111c2c802f2a61428fce3.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1956
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cbc900f175b111c2c802f2a61428fce3.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cbc900f175b111c2c802f2a61428fce3.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\E81D.99A

Filesize
597B

MD5
aed9cecf56dd547c4fbbce8f7d0c9286

SHA1
ac62e5791982c8b0f8bbdee14884d366e0857ecf

SHA256
1cb407e98cd7592eb683020bb621782b71d776d005313bfd26eca7723aec6a36

SHA512
45907b37ca6d3e338d30d9c478aa1ff5468cd5c9d027a3d83fb85dac1a3ee3169564bc30d95fd4ea4ea3aede3b293d8dbb43167dcb5e8f40e42ff4e2ee3e356f

Download Submit
C:\Users\Admin\AppData\Roaming\E81D.99A

Filesize
1KB

MD5
5a93091ca7879b6709921712a3c4c76a

SHA1
2c7b5ec6387dc41efac2e24883846695b8b0a991

SHA256
f4b70adde3170d237859c9d1231cd44f9140f7900ce6fbafe0534f8d1e380d1e

SHA512
311e837405647bec64926bb4316ce854308e8777aa430c6a95061401200c3f61aaad394dc95e7310de9834c100eff4bacc9693d0330df45af53097eba77b70f6

Download Submit
C:\Users\Admin\AppData\Roaming\E81D.99A

Filesize
897B

MD5
83ac39a1ddb3707f46a81b589123b1eb

SHA1
22fd0c81bbf896607ca7fc936d47a00ae54a4503

SHA256
d1b47631dbde001484db5c88e797b211c17f34e55beb68d90651dbd0d84ce712

SHA512
0584be81d587163289bf0cb20cb47ab1d9360eb83f1c18324a72d7b38c0c17aab450e1ab66f889aabe6aba5d88778935f4f22fb3d43049f427a2aecbdd765643

Download Submit
C:\Users\Admin\AppData\Roaming\E81D.99A

Filesize
1KB

MD5
4a575fe35d4d14c116ba413e3f42b4ef

SHA1
014ab8b3aff53071e84dea451ed669ac6b8c2720

SHA256
dc37451ed7ade0f96c5d63a8e232efd5d752a29fe5473efac0aa00dfd32f6110

SHA512
ec1ae1acc3ceacfe56a5490d7c7ef09bd3648865728bd2c9b2026a502b821a5d607606d0313de17cee0ca23cb4a818f1c2f7fcc1ced02e6152969354c18aba8d

Download Submit
memory/688-87-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/688-88-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1956-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2348-1-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2348-2-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2348-18-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2348-85-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2348-201-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads