cycbot | 0f927f660eaeeee88472564ae89a7080e6849fc958c2350e7b59462cfecb2982

General

Target

JaffaCakes118_78d233a201325ab8b9dff94258ef1e16.exe
Size

166KB
MD5

78d233a201325ab8b9dff94258ef1e16
SHA1

01acef9f4f70c85c012d32a6ece398b29fb738e6
SHA256

0f927f660eaeeee88472564ae89a7080e6849fc958c2350e7b59462cfecb2982
SHA512

818d168fdae912579ae3b21150dd6c0ef3166158f4fb86e5c0d8a5858f3627e81633d9f26502d88bb552239c87d714f54d69e2036597175768589b8491a494fb
SSDEEP

3072:3kChAFZXBoWC1sg+/hieTJSWu+X5bRDwUKOch2fRBBKvAB2cO7job/6NTZYc:3kPoWC1sg+/MeTB5twUKtKdccO7je

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1956-6-0x0000000000400000-0x000000000043E000-memory.dmp	family_cycbot
behavioral1/memory/2936-13-0x0000000000400000-0x000000000043E000-memory.dmp	family_cycbot
behavioral1/memory/2936-71-0x0000000000400000-0x000000000043E000-memory.dmp	family_cycbot
behavioral1/memory/2876-75-0x0000000000400000-0x000000000043E000-memory.dmp	family_cycbot
behavioral1/memory/2936-159-0x0000000000400000-0x000000000043E000-memory.dmp	family_cycbot
behavioral1/memory/2936-192-0x0000000000400000-0x000000000043E000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	JaffaCakes118_78d233a201325ab8b9dff94258ef1e16.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2936-2-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1956-5-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1956-6-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2936-13-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2936-71-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2876-73-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2876-75-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2936-159-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2936-192-0x0000000000400000-0x000000000043E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_78d233a201325ab8b9dff94258ef1e16.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_78d233a201325ab8b9dff94258ef1e16.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_78d233a201325ab8b9dff94258ef1e16.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 1956	2936	JaffaCakes118_78d233a201325ab8b9dff94258ef1e16.exe	30
PID 2936 wrote to memory of 1956	2936	JaffaCakes118_78d233a201325ab8b9dff94258ef1e16.exe	30
PID 2936 wrote to memory of 1956	2936	JaffaCakes118_78d233a201325ab8b9dff94258ef1e16.exe	30
PID 2936 wrote to memory of 1956	2936	JaffaCakes118_78d233a201325ab8b9dff94258ef1e16.exe	30
PID 2936 wrote to memory of 2876	2936	JaffaCakes118_78d233a201325ab8b9dff94258ef1e16.exe	33
PID 2936 wrote to memory of 2876	2936	JaffaCakes118_78d233a201325ab8b9dff94258ef1e16.exe	33
PID 2936 wrote to memory of 2876	2936	JaffaCakes118_78d233a201325ab8b9dff94258ef1e16.exe	33
PID 2936 wrote to memory of 2876	2936	JaffaCakes118_78d233a201325ab8b9dff94258ef1e16.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_78d233a201325ab8b9dff94258ef1e16.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_78d233a201325ab8b9dff94258ef1e16.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_78d233a201325ab8b9dff94258ef1e16.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_78d233a201325ab8b9dff94258ef1e16.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1956
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_78d233a201325ab8b9dff94258ef1e16.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_78d233a201325ab8b9dff94258ef1e16.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\49A5.564

Filesize
1KB

MD5
dc3d74b047d523f6f8bf3b1346f6ce54

SHA1
881e1f8146d0e0773d49902edc7e458ada8bef45

SHA256
19994b618b8a613d751829f40c2ddb2589e437b83d8e44a530f4377e99ecb7dc

SHA512
180149dd852cddac2e01bcbc847d90758a981cc0c0a7e6ece955ee1ba1b184a2b6728b9e92dbeaeecf128705fb1ba92bdcd79167b5cca785a8914759fdc94bb3

Download Submit
C:\Users\Admin\AppData\Roaming\49A5.564

Filesize
600B

MD5
f6d3599e80640730406e11144b75cc46

SHA1
20fa069b04936bfd9a3a199d8c88e19497150315

SHA256
f6d5d90441db9479a0532299056e13c5604db730fc3862c6e2163640ca0ec117

SHA512
12a3fc998f20b4c2cb17f428adbf93c7f86d5008737d1700167c01205ba259a470322d57c9798104bbd1fc0834405e4029a951a8e728f3fec86b67a5d14a1864

Download Submit
C:\Users\Admin\AppData\Roaming\49A5.564

Filesize
996B

MD5
326534cfa6f442708d51b70aecb63431

SHA1
3a8a41a1d735d7313667f98fdde6c63714e351e5

SHA256
d77d77293d7270e015f0c7c7f4db8a4049b8bd73e5f37b657ab6b5c2f161a36b

SHA512
aa1beaf57081bbe62dbc41ee978f34bd5f7093666976fba747e1ddbdeddea020c615b3d1607067c9c2567a97ab0ce7933afe08fd7245a56d9f64df4c4e161daf

Download Submit
memory/1956-6-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1956-5-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2876-73-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2876-75-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2936-13-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2936-1-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2936-71-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2936-2-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2936-159-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2936-192-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads