cycbot | 79e42dbb5febaba9532b531145e70a910f0019b505f5909ae49d24333434f559

General

Target

JaffaCakes118_979b6f89bd5e28f9d747361f914c5b51.exe
Size

176KB
MD5

979b6f89bd5e28f9d747361f914c5b51
SHA1

b3e1e65aadeac329fd81282647e7888c76b9f5f1
SHA256

79e42dbb5febaba9532b531145e70a910f0019b505f5909ae49d24333434f559
SHA512

4e7c997dcd212773026fe5b7e64396534613b8b4f12284ed98bb7bf4f0c70dc48360f0e513263888e0500156dd984ccc93c7a17da4e799f9ea4b1c716da166b6
SSDEEP

3072:ffPf5ZS37V242C9A3B8jv0lkpkPT/C0jqIZoyhXt/LJ8ZpepH5Pqn:ffvS37Y4H9A3B84mkTC02IZ7hXBLupQZ

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2336-49-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/1560-50-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/1560-121-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/408-123-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/1560-227-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	JaffaCakes118_979b6f89bd5e28f9d747361f914c5b51.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1560-2-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2336-48-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2336-49-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1560-50-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1560-121-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/408-123-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1560-227-0x0000000000400000-0x000000000044B000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_979b6f89bd5e28f9d747361f914c5b51.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_979b6f89bd5e28f9d747361f914c5b51.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_979b6f89bd5e28f9d747361f914c5b51.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2916	explorer.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2916	explorer.exe
Token: SeShutdownPrivilege	2916	explorer.exe
Token: SeShutdownPrivilege	2916	explorer.exe
Token: SeShutdownPrivilege	2916	explorer.exe
Token: SeShutdownPrivilege	2916	explorer.exe
Token: SeShutdownPrivilege	2916	explorer.exe
Token: SeShutdownPrivilege	2916	explorer.exe
Token: SeShutdownPrivilege	2916	explorer.exe
Token: SeShutdownPrivilege	2916	explorer.exe
Token: SeShutdownPrivilege	2916	explorer.exe
Token: SeShutdownPrivilege	2916	explorer.exe
Token: SeShutdownPrivilege	2916	explorer.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe
2916	explorer.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 2336	1560	JaffaCakes118_979b6f89bd5e28f9d747361f914c5b51.exe	29
PID 1560 wrote to memory of 2336	1560	JaffaCakes118_979b6f89bd5e28f9d747361f914c5b51.exe	29
PID 1560 wrote to memory of 2336	1560	JaffaCakes118_979b6f89bd5e28f9d747361f914c5b51.exe	29
PID 1560 wrote to memory of 2336	1560	JaffaCakes118_979b6f89bd5e28f9d747361f914c5b51.exe	29
PID 1560 wrote to memory of 408	1560	JaffaCakes118_979b6f89bd5e28f9d747361f914c5b51.exe	33
PID 1560 wrote to memory of 408	1560	JaffaCakes118_979b6f89bd5e28f9d747361f914c5b51.exe	33
PID 1560 wrote to memory of 408	1560	JaffaCakes118_979b6f89bd5e28f9d747361f914c5b51.exe	33
PID 1560 wrote to memory of 408	1560	JaffaCakes118_979b6f89bd5e28f9d747361f914c5b51.exe	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_979b6f89bd5e28f9d747361f914c5b51.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_979b6f89bd5e28f9d747361f914c5b51.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_979b6f89bd5e28f9d747361f914c5b51.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_979b6f89bd5e28f9d747361f914c5b51.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2336
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_979b6f89bd5e28f9d747361f914c5b51.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_979b6f89bd5e28f9d747361f914c5b51.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:408

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Active Setup

1

T1547.014

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\66ED.664

Filesize
1KB

MD5
846fb651efaf8bc78d21873ccf1bf756

SHA1
cd019d13127e81eac856575bad2912d48571f313

SHA256
b72b915524e0873cb764a078a88155a7e916954f77c39e2fd598af9c4cf958cf

SHA512
74742e666d46862fb712da4bc333f98777aa9c8f6a1493e5851feadf7a212bea7e22e1da6889d479c91e056b49cf92c1172d6d9485cf7285ec3fde2ab3e7a2a5

Download Submit
C:\Users\Admin\AppData\Roaming\66ED.664

Filesize
1KB

MD5
05a6f16d48e1b5eae8d3aaa29a75e245

SHA1
33ab7347cce729283bb2988ebbeda36e7aff58d8

SHA256
79304c500ecf8a48620777da2f14ad5cfd4dc00802a25308c3573358786be133

SHA512
983c84fdd7ddd9e85dee779831f95a419cddc55c6d34ed7932c06bb8e713d9e1b438da4187efe02ff66edabf2767382d4564d87c4ebaacc6dc6261c4306223c3

Download Submit
C:\Users\Admin\AppData\Roaming\66ED.664

Filesize
597B

MD5
011bbcabdd4b30d122e2ffbd8fa7bfb2

SHA1
bd0475acafa7a6b16b687047b59403bc01bfe26b

SHA256
7eb091a4850f17ba1f198f1ee1f02abb0aec2bb20e350c472fb67ed8cf39f256

SHA512
ae66a98a6960ebfa2d434582431cf7c0e4405eb05a46f360eb5483d7d99573ed6a874f42b720b446a637bd0089de52860b8c135997f6251a229e0ec1036a2a9e

Download Submit
C:\Users\Admin\AppData\Roaming\66ED.664

Filesize
897B

MD5
f4577911a900432d6993ccc16f0b30f6

SHA1
1a0ac257d1cbd4d919737d8ada177842756c543d

SHA256
5ee5e450e61df50d6a1f7d4c7f57645d8d2c7892b41e3c17c22edcfd3420579d

SHA512
8b8ae7aa43267ad2de60d8dfb831111ee57a9e327bb3d7d16d6cb799676f02bbdf4b556737aac371765e70c19a89378eac6ab7551eb8ff3cb31de66a1590731a

Download Submit
C:\Users\Admin\AppData\Roaming\66ED.664

Filesize
297B

MD5
b2076c57f76a7ab7b762bbc247623ccb

SHA1
ffb438828febe641939e0a9614a3ff2ebef95ea5

SHA256
2123628ac562bd6ae12bd318d3bac5ca036bbaba73201c146c5181e6b9c5abf0

SHA512
8bf04cb0aa00677c254c1f189360040666281abb1c8f153b4a17754ab958eaf08f5d7bc26f071764fdb79ad3ceec4342b20ff2e2a66924f90ed0c976b5b50575

Download Submit
memory/408-123-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1560-50-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1560-1-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1560-121-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1560-2-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1560-227-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2336-49-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2336-48-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2916-234-0x0000000002E70000-0x0000000002E80000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads