cycbot | 003ba757647f9533ec5a35c620f8bbca52844caeb7cc75e49499af4bb752a1d2

General

Target

JaffaCakes118_2b200d36c66ff147402fb1ff3dcfa68a.exe
Size

290KB
MD5

2b200d36c66ff147402fb1ff3dcfa68a
SHA1

326964207cba04795cc1d652b25af358deaabd2d
SHA256

003ba757647f9533ec5a35c620f8bbca52844caeb7cc75e49499af4bb752a1d2
SHA512

822abea5411a22f4ade4c623cbc58c6ad20259b49ab205cbb9291f5227524a3b1beb4e326caea9cde67e5e458433a778db993e3866a92a6b71a6701f5e32a490
SSDEEP

3072:2a/gW6HEmZjS8yGGXYjRQEDYXy48Vf8S5xu40hI5qOwgjGZGYj4iX+jpFeA:rgHHmGGXYy9tGfz240huqOxc1j4G+lF

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2804-13-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/2440-14-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/2440-15-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/1408-90-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/2440-91-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/2440-168-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	JaffaCakes118_2b200d36c66ff147402fb1ff3dcfa68a.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2440-2-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/2804-12-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/2804-13-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/2440-14-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2440-15-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/1408-89-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/1408-90-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/2440-91-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/2440-168-0x0000000000400000-0x000000000044C000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2b200d36c66ff147402fb1ff3dcfa68a.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 2804	2440	JaffaCakes118_2b200d36c66ff147402fb1ff3dcfa68a.exe	30
PID 2440 wrote to memory of 2804	2440	JaffaCakes118_2b200d36c66ff147402fb1ff3dcfa68a.exe	30
PID 2440 wrote to memory of 2804	2440	JaffaCakes118_2b200d36c66ff147402fb1ff3dcfa68a.exe	30
PID 2440 wrote to memory of 2804	2440	JaffaCakes118_2b200d36c66ff147402fb1ff3dcfa68a.exe	30
PID 2440 wrote to memory of 1408	2440	JaffaCakes118_2b200d36c66ff147402fb1ff3dcfa68a.exe	32
PID 2440 wrote to memory of 1408	2440	JaffaCakes118_2b200d36c66ff147402fb1ff3dcfa68a.exe	32
PID 2440 wrote to memory of 1408	2440	JaffaCakes118_2b200d36c66ff147402fb1ff3dcfa68a.exe	32
PID 2440 wrote to memory of 1408	2440	JaffaCakes118_2b200d36c66ff147402fb1ff3dcfa68a.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2b200d36c66ff147402fb1ff3dcfa68a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2b200d36c66ff147402fb1ff3dcfa68a.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2b200d36c66ff147402fb1ff3dcfa68a.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2b200d36c66ff147402fb1ff3dcfa68a.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:2804
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2b200d36c66ff147402fb1ff3dcfa68a.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2b200d36c66ff147402fb1ff3dcfa68a.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  PID:1408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\B939.B6E

Filesize
1KB

MD5
f2d3401ac8ab1a93275e7b689b14358a

SHA1
4e5c571ad4f0646ad8dcd6e9ae990dde91f17827

SHA256
1c480ed22a6aae3165370b087c97d0df8fe8490b668400a2160cfbe171ee1df4

SHA512
ddc3ceaac68ca499b31115c2d91c12091e350fe9a85361dcd902869a17300f2339ba3308e96c52bae1c991737ccac5a1ce51530427e63c07e68a351018a9b19b

Download Submit
C:\Users\Admin\AppData\Roaming\B939.B6E

Filesize
600B

MD5
80cfcef1edb92caa2cd5590d90a6396b

SHA1
59db08ca80c0158cfe80f0f0dc30db2c6d08ae9f

SHA256
7fb81bc768822dfe1ffe1f6c9857e70fea42f0336f87e472f9aec3edd9e7166f

SHA512
07d8775eb89c3bd54b4b6fe0da26896a8fcfe47b9996c2caf1d89b083a6d5b1b5432ceba619fe7f2da011918d57889fb3aa8a954f0dda05e407f408baf0e9458

Download Submit
C:\Users\Admin\AppData\Roaming\B939.B6E

Filesize
996B

MD5
b9632f1cd767551171f5a794f07d376e

SHA1
bac63ab45cf90676ea1471d0b8f41140f4514696

SHA256
e790cc55b53c06347daddec593f1965835a0a9a29fb159839c348e96dafc4cfa

SHA512
2df89d816ac7af6f37d37edde193b9ea398b8e24d0b768a6929869f8bef075546042b1557688ec1c1ad113838dd7913ec3516c7bff90d810331e4fb776756d7a

Download Submit
memory/1408-89-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1408-88-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1408-90-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2440-14-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2440-15-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2440-1-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2440-91-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2440-2-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2440-168-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2804-13-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2804-12-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads