cycbot | e70233090319a7f3b2ec38b9e0e4adcf2b1de6ccbab08f2df3a3c3b3ba20f86f

General

Target

JaffaCakes118_5d234a83071efb794c6dbe950a38451e.exe
Size

187KB
MD5

5d234a83071efb794c6dbe950a38451e
SHA1

38b13dc2c0c2552214f31b95f94de2e0db58c2c3
SHA256

e70233090319a7f3b2ec38b9e0e4adcf2b1de6ccbab08f2df3a3c3b3ba20f86f
SHA512

4f4522fab202cd186290a1e0c1f34b6f1f676ee90f033bc274aa39b371e29f7e341863085a3da37eff83604e4b56258b2db0cf575637b8b3cd2438cc52c39fd2
SSDEEP

3072:v8jRKI846gBwNe8+q/rIg/CU/IaXRdhhmZ1Odf8Www+cDHAbdOcnn06hKZpg9:vmwp9TrImCQI8rhG1OiXRXbYZ6h0p

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/3060-7-0x0000000000400000-0x0000000000443000-memory.dmp	family_cycbot
behavioral1/memory/1344-16-0x0000000000400000-0x0000000000443000-memory.dmp	family_cycbot
behavioral1/memory/2812-92-0x0000000000400000-0x0000000000443000-memory.dmp	family_cycbot
behavioral1/memory/1344-93-0x0000000000400000-0x0000000000443000-memory.dmp	family_cycbot
behavioral1/memory/1344-186-0x0000000000400000-0x0000000000443000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	JaffaCakes118_5d234a83071efb794c6dbe950a38451e.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1344-2-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/3060-5-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/3060-7-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/1344-16-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2812-90-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2812-92-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/1344-93-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/1344-186-0x0000000000400000-0x0000000000443000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5d234a83071efb794c6dbe950a38451e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5d234a83071efb794c6dbe950a38451e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5d234a83071efb794c6dbe950a38451e.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1344 wrote to memory of 3060	1344	JaffaCakes118_5d234a83071efb794c6dbe950a38451e.exe	28
PID 1344 wrote to memory of 3060	1344	JaffaCakes118_5d234a83071efb794c6dbe950a38451e.exe	28
PID 1344 wrote to memory of 3060	1344	JaffaCakes118_5d234a83071efb794c6dbe950a38451e.exe	28
PID 1344 wrote to memory of 3060	1344	JaffaCakes118_5d234a83071efb794c6dbe950a38451e.exe	28
PID 1344 wrote to memory of 2812	1344	JaffaCakes118_5d234a83071efb794c6dbe950a38451e.exe	30
PID 1344 wrote to memory of 2812	1344	JaffaCakes118_5d234a83071efb794c6dbe950a38451e.exe	30
PID 1344 wrote to memory of 2812	1344	JaffaCakes118_5d234a83071efb794c6dbe950a38451e.exe	30
PID 1344 wrote to memory of 2812	1344	JaffaCakes118_5d234a83071efb794c6dbe950a38451e.exe	30

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5d234a83071efb794c6dbe950a38451e.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5d234a83071efb794c6dbe950a38451e.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5d234a83071efb794c6dbe950a38451e.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5d234a83071efb794c6dbe950a38451e.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3060
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5d234a83071efb794c6dbe950a38451e.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5d234a83071efb794c6dbe950a38451e.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\6842.8A8

Filesize
1KB

MD5
3d90130dee84d51bf48d1befaf8e248c

SHA1
f3e0aa005d0c64c65a6aaaf3eae3e3466bb5cdaf

SHA256
9c8c010898440ebb68e548fd2529d139808bca8eac506ca530140871e0db77a9

SHA512
c011a7504f69521437692fc5cdfe8c1210c7b70e686db47ae3ffc82fae9bb607133d33ef9bfc18e9b9da50fcf755006671773cd291fa2cc0edc233a648245e19

Download Submit
C:\Users\Admin\AppData\Roaming\6842.8A8

Filesize
600B

MD5
81d91c1be20b8ffc214f6cbb51b39227

SHA1
6851b045e84cbe0f90d29dc65a98b2e1a41525a1

SHA256
2e8e01f50e958a18836db80d28934b7cef305c01bf2df6520af5d32afc672dcd

SHA512
b3782f9650562c54dcfede67d84355bdad8d701d2369505e8f6921834607bc141271b6251749efaf18f1e62182bdc011a09f45fcd1a1eb5abc6329f4b4640bd5

Download Submit
C:\Users\Admin\AppData\Roaming\6842.8A8

Filesize
900B

MD5
c58d1e86a3504a4c499f781673e4c09e

SHA1
387cf12260140149ed682a816ea39dee0c048982

SHA256
2c3ddecfd7bdb45630687fe06b5edc801e3abd06ea4f8a6aaf3d1450c0a2cae4

SHA512
d59ccd59d6185fd0325eaa5df6dccc2df107c72771e3c2cf1300a34f4b29a92dc6b1a4be4eca93cfc62b6dbb5143fb3ddaefefbf9d9966b3fbeadecb06ffa9ee

Download Submit
C:\Users\Admin\AppData\Roaming\6842.8A8

Filesize
1KB

MD5
79d160adc3f0b85a6a727c2a82d9a1c3

SHA1
e72dab8bd65e0dd5ff5c5482046d6c21a035fca8

SHA256
a1f527b4bb4c1622bb3066a04c47d1fdf6993395f3e24bed1d26e08a99c4c7eb

SHA512
22c5f915ba8cccbe2f03789c2e6592057e25140f9b0ba499f0bd819154a033ece3b45285a88abe13c0353d597d5a1e5a6fbddbb05e2a1ee2314599d20662c311

Download Submit
memory/1344-93-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1344-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1344-1-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1344-2-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1344-186-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2812-90-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2812-92-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3060-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3060-5-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads