cycbot | f9617b39bf8edbd43d2953d102a3ffe065641635e7f95e9b10757ad17cd082fe

General

Target

JaffaCakes118_1c689c04d55a8bf2f3c82fa91494c4d1.exe
Size

184KB
MD5

1c689c04d55a8bf2f3c82fa91494c4d1
SHA1

118f3c57b22da48fe68652499720b7a80f3066dd
SHA256

f9617b39bf8edbd43d2953d102a3ffe065641635e7f95e9b10757ad17cd082fe
SHA512

14d019e3fe1228176f5347e109319de8cf15b3dfb3244dade27c23d58516cad250a6dc74c025671daeb0e0adcef579854a9f6722426e1a36555ff098d03b0fe3
SSDEEP

3072:Dr4Y23xyhDFDYOemKxcAHbhsAHbE7NfNlFqzdUF2tVLIR+tqzl/ooqmCTGXSnADy:Dr4Y23xsNyH6AwZf8zd37IR+0zJ/ByGI

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2228-3-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/2860-7-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/2228-15-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/2228-74-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/1932-76-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot
behavioral1/memory/2228-188-0x0000000000400000-0x0000000000445000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	JaffaCakes118_1c689c04d55a8bf2f3c82fa91494c4d1.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2228-2-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2228-3-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2860-7-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2860-6-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2228-15-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2228-74-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/1932-76-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2228-188-0x0000000000400000-0x0000000000445000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1c689c04d55a8bf2f3c82fa91494c4d1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1c689c04d55a8bf2f3c82fa91494c4d1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1c689c04d55a8bf2f3c82fa91494c4d1.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 2860	2228	JaffaCakes118_1c689c04d55a8bf2f3c82fa91494c4d1.exe	30
PID 2228 wrote to memory of 2860	2228	JaffaCakes118_1c689c04d55a8bf2f3c82fa91494c4d1.exe	30
PID 2228 wrote to memory of 2860	2228	JaffaCakes118_1c689c04d55a8bf2f3c82fa91494c4d1.exe	30
PID 2228 wrote to memory of 2860	2228	JaffaCakes118_1c689c04d55a8bf2f3c82fa91494c4d1.exe	30
PID 2228 wrote to memory of 1932	2228	JaffaCakes118_1c689c04d55a8bf2f3c82fa91494c4d1.exe	32
PID 2228 wrote to memory of 1932	2228	JaffaCakes118_1c689c04d55a8bf2f3c82fa91494c4d1.exe	32
PID 2228 wrote to memory of 1932	2228	JaffaCakes118_1c689c04d55a8bf2f3c82fa91494c4d1.exe	32
PID 2228 wrote to memory of 1932	2228	JaffaCakes118_1c689c04d55a8bf2f3c82fa91494c4d1.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c689c04d55a8bf2f3c82fa91494c4d1.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c689c04d55a8bf2f3c82fa91494c4d1.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c689c04d55a8bf2f3c82fa91494c4d1.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c689c04d55a8bf2f3c82fa91494c4d1.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2860
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c689c04d55a8bf2f3c82fa91494c4d1.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c689c04d55a8bf2f3c82fa91494c4d1.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\0A06.BCD

Filesize
596B

MD5
58b39e8fcfb44afa2fab2474d9f464d8

SHA1
8dcb3a66dbf1602f2edf0d1eee2947ce46f6bf87

SHA256
895b429702026de01aad6ca40c616cc43531ff78e1f1c8d1dcd3441c10fbdd2b

SHA512
ed64479f4494d04023df5217aeb00549f062db0ca8dc7f3e96ac1518ae122be958d57082c82de5ef812bd9c1b41976f1cd8536c921ad9828501d37a8629ca1a3

Download Submit
C:\Users\Admin\AppData\Roaming\0A06.BCD

Filesize
1KB

MD5
0c006ff621cd16c39667e43bf997adae

SHA1
5fd1ec695932815b126d86192a2e8ef9932b65b7

SHA256
cf6ff2312e06d4aba0a6aca18acddbaab1c5ee17b376e245535a467d2733aea8

SHA512
7f4511ad4dfd24cbc1c1b00e5ff676c277fd65db80e183bcfd96c3128e5555fa4ddcd56b24486039dfb65d009796b31cfff909993312c96c60c3b992673c55ee

Download Submit
C:\Users\Admin\AppData\Roaming\0A06.BCD

Filesize
600B

MD5
7d7899c3ffb631c79d096984c721655f

SHA1
fc9335791790909e98a4d9dd602b89fb6e544659

SHA256
6a339cc8a92173a7ee60fad7f1ffa509fb71c8f05d0fd81806902809c2370118

SHA512
e9a8797b1b56d21027e488c632559000d079a8356e8146156b37a2bd0a17d52d3b7d31145ab4239cbef90871679fb43bd62a78fac3cc6637061b7a4ca210418f

Download Submit
C:\Users\Admin\AppData\Roaming\0A06.BCD

Filesize
996B

MD5
07dc87545467317af1e3d07808afcd48

SHA1
927c2659707018958891d4e3969bacffbe02dc39

SHA256
0b663c1eeabb75bd02155e491fcd183687c86d0aba08d4b5e0f6895a48b991b8

SHA512
d5ab6a1fe186925b18184b71ee8815ae4299cb71b485c6c83261a54ec09308df16b27239acffb1ba078ee73d8904b6f9b08f5eb2df622e8131e2f752db673c58

Download Submit
memory/1932-76-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2228-15-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2228-2-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2228-74-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2228-3-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2228-188-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2860-5-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2860-6-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2860-7-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads