cycbot | 94e0ae35a67926f9788b763eb426d3d888429bd728f30d79e4903b3df4c4de6d

General

Target

JaffaCakes118_3ac376da24fbc88db2a86b01c07b8d26.exe
Size

187KB
MD5

3ac376da24fbc88db2a86b01c07b8d26
SHA1

2c71344a9ccb30977216177dd36915992746d267
SHA256

94e0ae35a67926f9788b763eb426d3d888429bd728f30d79e4903b3df4c4de6d
SHA512

b84101627fe3d537dd806e02cc4ac9948d3457112e949602d4c90488149694b8ad132644c1281f396cc0a3cecff2fca7c0bf6d0099b05cfaea69aacebea5b452
SSDEEP

3072:HjW1apu5JUQ3F1XoExEhW58axcoQvFnLw9kNv9zRNrWXq6WE3wFbHpRP5AwSu:JuvtDXF5XDQvxyqvPNrWXFWEgFP5Cu

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2088-5-0x0000000000400000-0x0000000000443000-memory.dmp	family_cycbot
behavioral1/memory/2396-14-0x0000000000400000-0x0000000000443000-memory.dmp	family_cycbot
behavioral1/memory/1480-88-0x0000000000400000-0x0000000000443000-memory.dmp	family_cycbot
behavioral1/memory/2396-89-0x0000000000400000-0x0000000000443000-memory.dmp	family_cycbot
behavioral1/memory/2396-203-0x0000000000400000-0x0000000000443000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	JaffaCakes118_3ac376da24fbc88db2a86b01c07b8d26.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2396-2-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2088-5-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2396-14-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/1480-86-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/1480-88-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2396-89-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2396-203-0x0000000000400000-0x0000000000443000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3ac376da24fbc88db2a86b01c07b8d26.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3ac376da24fbc88db2a86b01c07b8d26.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3ac376da24fbc88db2a86b01c07b8d26.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 2088	2396	JaffaCakes118_3ac376da24fbc88db2a86b01c07b8d26.exe	30
PID 2396 wrote to memory of 2088	2396	JaffaCakes118_3ac376da24fbc88db2a86b01c07b8d26.exe	30
PID 2396 wrote to memory of 2088	2396	JaffaCakes118_3ac376da24fbc88db2a86b01c07b8d26.exe	30
PID 2396 wrote to memory of 2088	2396	JaffaCakes118_3ac376da24fbc88db2a86b01c07b8d26.exe	30
PID 2396 wrote to memory of 1480	2396	JaffaCakes118_3ac376da24fbc88db2a86b01c07b8d26.exe	33
PID 2396 wrote to memory of 1480	2396	JaffaCakes118_3ac376da24fbc88db2a86b01c07b8d26.exe	33
PID 2396 wrote to memory of 1480	2396	JaffaCakes118_3ac376da24fbc88db2a86b01c07b8d26.exe	33
PID 2396 wrote to memory of 1480	2396	JaffaCakes118_3ac376da24fbc88db2a86b01c07b8d26.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3ac376da24fbc88db2a86b01c07b8d26.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3ac376da24fbc88db2a86b01c07b8d26.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3ac376da24fbc88db2a86b01c07b8d26.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3ac376da24fbc88db2a86b01c07b8d26.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2088
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3ac376da24fbc88db2a86b01c07b8d26.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3ac376da24fbc88db2a86b01c07b8d26.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\D2AF.DDD

Filesize
600B

MD5
abd1715cc905d7b7c86b2ab8160fc059

SHA1
f778527e2859bc79e99699faf982bc9889f916db

SHA256
f784e8908ec5e15e8f89908b330d6df0d65d861a5865fcd3540d19b7f27f0b34

SHA512
98edfa0140a41cf94cb3317142c8c58f28f08e7ce568f7c167d08dae133d1eaec6446da83093c7cd7066569db4f374711dc8343e7f6b217a33eb1533e99bae35

Download Submit
C:\Users\Admin\AppData\Roaming\D2AF.DDD

Filesize
1KB

MD5
4b756fda127a70bd730f456f1461c541

SHA1
a436fe7d39fb005db2a20c3df9c6a57208a8d1ba

SHA256
594200386439544b814cb8640c459e38a065fd0b44d595dad27b73a8a9b80905

SHA512
4790ababbd52d7dc091acb10aeb5cf7dc00df80957da30097270f483f7595f8d8b3a0ad4869866e7ca7b14ad31d26a0cde8a21b2609f267bca5f92071c6b8325

Download Submit
C:\Users\Admin\AppData\Roaming\D2AF.DDD

Filesize
1KB

MD5
88d00c2d0ceb5ff71059313f378d1944

SHA1
8e6a592351cbc26b47cadc46e2c1d197bbe80e59

SHA256
bac915b98c4ba9cdd100528de901b60bcbf21a6a92b051fd37173b456fa06a3a

SHA512
fcba3f4d41b955a5e1d6cb61075a46b7df2e8992233d5278be3b487b2635d5a1a28e36a3083dfc3bd7ac25741508c7c80b998d68c35cf92c970cc5bcad2d3479

Download Submit
memory/1480-86-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1480-88-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2088-5-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2396-1-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2396-2-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2396-14-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2396-89-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2396-203-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads