cycbot | e1316573f8db5a63dc2b4e00ee807ab87ea56548f2007b1b75890238096f60bf

General

Target

JaffaCakes118_6877d8ce9130e13096d0626d03fc0f10.exe
Size

176KB
MD5

6877d8ce9130e13096d0626d03fc0f10
SHA1

13043b5488d398c06439291c3f29930e8637e2e4
SHA256

e1316573f8db5a63dc2b4e00ee807ab87ea56548f2007b1b75890238096f60bf
SHA512

949fd8ddec19b7462a567b1d095463d372b22a004c7f11a47af95af0577af3587104990448766f4220a10279b64eac40328a894a8b78501e8aa999a73027321f
SSDEEP

3072:NY0z6yXJfDu4sThhOrjdxFH5jEMycV2Y7Ow/33iFMMww1+:PzBJIThhWj/jEMn9Ow3

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1812-17-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral1/memory/2340-19-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral1/memory/1676-84-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral1/memory/1676-83-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral1/memory/2340-199-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2340-2-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1812-17-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2340-19-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1676-84-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1676-83-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2340-199-0x0000000000400000-0x000000000046B000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6877d8ce9130e13096d0626d03fc0f10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6877d8ce9130e13096d0626d03fc0f10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6877d8ce9130e13096d0626d03fc0f10.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 1812	2340	JaffaCakes118_6877d8ce9130e13096d0626d03fc0f10.exe	30
PID 2340 wrote to memory of 1812	2340	JaffaCakes118_6877d8ce9130e13096d0626d03fc0f10.exe	30
PID 2340 wrote to memory of 1812	2340	JaffaCakes118_6877d8ce9130e13096d0626d03fc0f10.exe	30
PID 2340 wrote to memory of 1812	2340	JaffaCakes118_6877d8ce9130e13096d0626d03fc0f10.exe	30
PID 2340 wrote to memory of 1676	2340	JaffaCakes118_6877d8ce9130e13096d0626d03fc0f10.exe	33
PID 2340 wrote to memory of 1676	2340	JaffaCakes118_6877d8ce9130e13096d0626d03fc0f10.exe	33
PID 2340 wrote to memory of 1676	2340	JaffaCakes118_6877d8ce9130e13096d0626d03fc0f10.exe	33
PID 2340 wrote to memory of 1676	2340	JaffaCakes118_6877d8ce9130e13096d0626d03fc0f10.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6877d8ce9130e13096d0626d03fc0f10.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6877d8ce9130e13096d0626d03fc0f10.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6877d8ce9130e13096d0626d03fc0f10.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6877d8ce9130e13096d0626d03fc0f10.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1812
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6877d8ce9130e13096d0626d03fc0f10.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6877d8ce9130e13096d0626d03fc0f10.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\F362.8BB

Filesize
597B

MD5
ef1a07ce7b48009ee4ba91a76d574102

SHA1
ab59eb26c3b369f6316e44e6c777b1e36471e0ff

SHA256
4840ca1169448a2dcccfe75903fd2d3e938a2c04748591818ef959369119776d

SHA512
c55f42a0f22618f10883965310f979618863274a82509942d3a072768262f04391c451de32e49d501abe254df5531667739fb93548e303652f565c3970fa529b

Download Submit
C:\Users\Admin\AppData\Roaming\F362.8BB

Filesize
1KB

MD5
07dd945e3839b04a0f9733a905098261

SHA1
48ea6f1d52dac14350a1eb77a1f4a0af4326e8c1

SHA256
9253d7b67a450a26339d27a9ae41080a97f06cd65607f309ec2698fca7e17f1e

SHA512
a1ac866401b3d1c54a49291ba69058938ff2a7a76d6fbcceef840447adc9cd067e9be130901b9ba7754b23f30249a2df758516cbf698693d1e2cc3fbf6e207e2

Download Submit
C:\Users\Admin\AppData\Roaming\F362.8BB

Filesize
897B

MD5
143b3f44753e31badf106ac0afc72e52

SHA1
21b9ef103df7587cb9e2408cf077ba6da3b940c1

SHA256
839126be177dc8b4817f011291838978d96de508faf80ae4ad69b07433c39673

SHA512
44338f831f48a3d9071836eeb17c507348435aba7c6ea9652487b81f05d257dc20506eb731b7a545d6e895b782afa7397f60dd21af9bc519490fd49442be6e2b

Download Submit
C:\Users\Admin\AppData\Roaming\F362.8BB

Filesize
1KB

MD5
00c8492f7756cdce9eb889d84722156c

SHA1
1074c2a655c106c234f14679ee22f0826b070a4f

SHA256
2eb435e06987def66e856c0cc7e43779c22a729edc12f7ca5a860cb7574daa75

SHA512
2e2bc691ad1a029c7883be8a0fb01b2da41e5e0dddcac5900f2e96cc7a16ac7d7e24a33b24c353cdf8768c812ff91a2069a4a0456df8d3a7a1dc529ea45d3cd4

Download Submit
memory/1676-84-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1676-83-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1812-17-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2340-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2340-2-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2340-19-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2340-199-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing