cycbot | 0ecf62862fb2c43caec23aa07c4a7e8339b461750b402d5f92101b934497d012

General

Target

JaffaCakes118_6d50e3e5b728e6a1036095f31950953d.exe
Size

178KB
MD5

6d50e3e5b728e6a1036095f31950953d
SHA1

bf573e5fef48a2476ba6c7f41386a7b9067b7259
SHA256

0ecf62862fb2c43caec23aa07c4a7e8339b461750b402d5f92101b934497d012
SHA512

e42a85ded67954a0099934faefc3a4e53e8d41e9d979a2c6e5b4bbac983d3755bf96e9069ebdd75cf9b289b3bc4a7afe2d4fc62b242ee55864cdddaa6e8b1c9b
SSDEEP

3072:hNfHD70bB9pNUSBXSx6hfo7x8mCRSdGfmQGAokKveqgEWltHssi+NMeoah2w://XyNUSBSxcJyGuZkysEWltvMEhp

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2796-9-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/2796-11-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/3064-16-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/2300-79-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/3064-80-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/3064-196-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	JaffaCakes118_6d50e3e5b728e6a1036095f31950953d.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3064-2-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2796-9-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2796-11-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/3064-16-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2300-79-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/3064-80-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/3064-196-0x0000000000400000-0x000000000044B000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6d50e3e5b728e6a1036095f31950953d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6d50e3e5b728e6a1036095f31950953d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6d50e3e5b728e6a1036095f31950953d.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 2796	3064	JaffaCakes118_6d50e3e5b728e6a1036095f31950953d.exe	30
PID 3064 wrote to memory of 2796	3064	JaffaCakes118_6d50e3e5b728e6a1036095f31950953d.exe	30
PID 3064 wrote to memory of 2796	3064	JaffaCakes118_6d50e3e5b728e6a1036095f31950953d.exe	30
PID 3064 wrote to memory of 2796	3064	JaffaCakes118_6d50e3e5b728e6a1036095f31950953d.exe	30
PID 3064 wrote to memory of 2300	3064	JaffaCakes118_6d50e3e5b728e6a1036095f31950953d.exe	32
PID 3064 wrote to memory of 2300	3064	JaffaCakes118_6d50e3e5b728e6a1036095f31950953d.exe	32
PID 3064 wrote to memory of 2300	3064	JaffaCakes118_6d50e3e5b728e6a1036095f31950953d.exe	32
PID 3064 wrote to memory of 2300	3064	JaffaCakes118_6d50e3e5b728e6a1036095f31950953d.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d50e3e5b728e6a1036095f31950953d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d50e3e5b728e6a1036095f31950953d.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d50e3e5b728e6a1036095f31950953d.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d50e3e5b728e6a1036095f31950953d.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2796
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d50e3e5b728e6a1036095f31950953d.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d50e3e5b728e6a1036095f31950953d.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\A4FE.3D8

Filesize
600B

MD5
ce7bcf545b00b1c12e90df49d6fe1941

SHA1
abdeab18448595392992ce5a59322b6ce9b582c5

SHA256
96204fa0f223943d1595dd120daa820e0ab8286836b00eace4503dac0fc92643

SHA512
16c564a71a9e7383d5caebc9f1f3b6249a7e28cd082bf4416ea9cf3d5f5cab4dd03842617c393d95caf3e11f21be41c520ea86f4addb51823ae4971d1deee47d

Download Submit
C:\Users\Admin\AppData\Roaming\A4FE.3D8

Filesize
1KB

MD5
4d7d0be53d21c4ebd37ca73bb48b8f17

SHA1
0abc681c390b4a7b8bb35fceaf78b5a3fc8f1e6e

SHA256
80c2811a6cf0b9cf4335a90b4a907ccfbe209acc56066b80552c24c43b1ee084

SHA512
1a3b44287c3e58acfe525dad13c916b07ae592ba2873e33df7e1ab4ba9c70b4f39a7ba2ddc74d2f448b06e82916e1bf13dea90deae941d65e1baf481579ec290

Download Submit
C:\Users\Admin\AppData\Roaming\A4FE.3D8

Filesize
996B

MD5
06058c51f6ddf9e74bb04ca6ac49c0bc

SHA1
c50b5a37c075f2eafc2ce24b3fb5b96b4b2e7882

SHA256
014bfd90cf5694ab291de9dc11e51c8832cb680177b24233a1728f0dfe0ab617

SHA512
51ef3a5c25c38f0d0d958c7835b251cf42743e9b79b28a5b196c7a8445362167c73617d7376a5402e01547414f8c32e7819ee223ee6d4c90ecdd929c429e3eef

Download Submit
memory/2300-77-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2300-79-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2796-9-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2796-11-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2796-8-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3064-16-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3064-1-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3064-80-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3064-2-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3064-196-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads