cycbot | 2bfa9bac08223b802bd1fcce56c8a8d0e2df609658c5e6c84f0910e7b12fa4fd

General

Target

JaffaCakes118_e6c71130597fda963ac0528307de759f.exe
Size

178KB
MD5

e6c71130597fda963ac0528307de759f
SHA1

1b39189db375112568a7ba703d070dd52593776b
SHA256

2bfa9bac08223b802bd1fcce56c8a8d0e2df609658c5e6c84f0910e7b12fa4fd
SHA512

f2803de602cc2cef0621ec75f6696c9ef79e24e5c62886c94a8c9868f3b285430d4db9304516d6190438af18edc229acd2ca99061799169ec04c07213d5f1346
SSDEEP

3072:hl4ke/fmNZuo0eMGuIA2i5KUU6bBfsxwRvqaz5OXLhblsBRFGGhNMhqRs1sjx:hle2ND0ebAGf6l0uTVOXnsPEW6qRs1sd

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2696-13-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/2324-14-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/1748-71-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/2324-72-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/2324-135-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	JaffaCakes118_e6c71130597fda963ac0528307de759f.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2324-2-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2696-12-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2696-13-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2324-14-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1748-71-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2324-72-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2324-135-0x0000000000400000-0x000000000044B000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_e6c71130597fda963ac0528307de759f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_e6c71130597fda963ac0528307de759f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_e6c71130597fda963ac0528307de759f.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 2696	2324	JaffaCakes118_e6c71130597fda963ac0528307de759f.exe	30
PID 2324 wrote to memory of 2696	2324	JaffaCakes118_e6c71130597fda963ac0528307de759f.exe	30
PID 2324 wrote to memory of 2696	2324	JaffaCakes118_e6c71130597fda963ac0528307de759f.exe	30
PID 2324 wrote to memory of 2696	2324	JaffaCakes118_e6c71130597fda963ac0528307de759f.exe	30
PID 2324 wrote to memory of 1748	2324	JaffaCakes118_e6c71130597fda963ac0528307de759f.exe	32
PID 2324 wrote to memory of 1748	2324	JaffaCakes118_e6c71130597fda963ac0528307de759f.exe	32
PID 2324 wrote to memory of 1748	2324	JaffaCakes118_e6c71130597fda963ac0528307de759f.exe	32
PID 2324 wrote to memory of 1748	2324	JaffaCakes118_e6c71130597fda963ac0528307de759f.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e6c71130597fda963ac0528307de759f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e6c71130597fda963ac0528307de759f.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e6c71130597fda963ac0528307de759f.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e6c71130597fda963ac0528307de759f.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2696
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e6c71130597fda963ac0528307de759f.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e6c71130597fda963ac0528307de759f.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\0473.927

Filesize
600B

MD5
4cb8b7899bc70832be9815d6b2083bea

SHA1
68df741e7231b131c78ecf07df42426fe237180f

SHA256
3ea6376d6e3585412b224aa7ce852e6ec8186addfbfb2fdd04568a626fec888c

SHA512
e58d5f71e9402f73e14ecde5ddaac2cdfe83d5006ef2401d7397773f425767b8a2eac1c4749ff051dd588f4ef4ddd1d4ac54253bedeccdaeddaa0815f116388b

Download Submit
C:\Users\Admin\AppData\Roaming\0473.927

Filesize
996B

MD5
863195192b97130b3fa2d7e3a1d4fd66

SHA1
e6cb8b9c7a96578ba8f2bc0d508712f59888f659

SHA256
5086d663042559d0949765c29b7ee1cff50d27f099734c5ea1d8b41f9d9c9c91

SHA512
07616c1244bc8f67123ab6e552889808177607ff6dfc8bd5a91a6ccb2186c3a41f3e6ca4d554cdd1bec6676d1fa5b2ba70b82522ddda08020091711e3141bda4

Download Submit
memory/1748-71-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2324-1-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2324-2-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2324-14-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2324-72-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2324-135-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2696-12-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2696-13-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads