cycbot | cff9b7d9b4a76d76c4f17647e0f9ea642b9022c29c8f35ec2feb0d2e98caed98

General

Target

JaffaCakes118_6df47399832469092d93a843afe8a801.exe
Size

159KB
MD5

6df47399832469092d93a843afe8a801
SHA1

907084fd9859df90912f3d4a1326f36f7016578f
SHA256

cff9b7d9b4a76d76c4f17647e0f9ea642b9022c29c8f35ec2feb0d2e98caed98
SHA512

7b7d8f48f5f283a8d558a4db84b46baf30cc71fb28520643bfc5cb10a1ddf3c3e0539ff6cdeb86030ee482fe3f72d3922d45bdceb3a3f97e39d75d51630428a1
SSDEEP

3072:z/VuDWDCXNuM+LAK/T3XBneCb33g88EkbezmBnA/2AltHLsRqX:zwDWEN9oJr3VX9qbQmBnA/Nbv

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1984-8-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot
behavioral1/memory/2376-16-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot
behavioral1/memory/3028-81-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot
behavioral1/memory/3028-80-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot
behavioral1/memory/2376-146-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2376-2-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/1984-5-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/1984-6-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/1984-8-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2376-16-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/3028-81-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/3028-80-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2376-146-0x0000000000400000-0x0000000000468000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6df47399832469092d93a843afe8a801.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6df47399832469092d93a843afe8a801.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6df47399832469092d93a843afe8a801.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 1984	2376	JaffaCakes118_6df47399832469092d93a843afe8a801.exe	30
PID 2376 wrote to memory of 1984	2376	JaffaCakes118_6df47399832469092d93a843afe8a801.exe	30
PID 2376 wrote to memory of 1984	2376	JaffaCakes118_6df47399832469092d93a843afe8a801.exe	30
PID 2376 wrote to memory of 1984	2376	JaffaCakes118_6df47399832469092d93a843afe8a801.exe	30
PID 2376 wrote to memory of 3028	2376	JaffaCakes118_6df47399832469092d93a843afe8a801.exe	33
PID 2376 wrote to memory of 3028	2376	JaffaCakes118_6df47399832469092d93a843afe8a801.exe	33
PID 2376 wrote to memory of 3028	2376	JaffaCakes118_6df47399832469092d93a843afe8a801.exe	33
PID 2376 wrote to memory of 3028	2376	JaffaCakes118_6df47399832469092d93a843afe8a801.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6df47399832469092d93a843afe8a801.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6df47399832469092d93a843afe8a801.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6df47399832469092d93a843afe8a801.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6df47399832469092d93a843afe8a801.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1984
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6df47399832469092d93a843afe8a801.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6df47399832469092d93a843afe8a801.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\A8D3.0C0

Filesize
600B

MD5
1e499de815c8c1c725e8c9001b2154ad

SHA1
4897f1e1204d5a307b2dec093a78805c9853e7c6

SHA256
03996d2b132a622a1857a8fcb9e79e4dc30ad816c9425ec431288125dde50fe1

SHA512
3e776002307d3fc019e21a26e50fc37231cb2fd95faf2290eb6f071910e4a1eb96013639e90d4abfa211153f7d72f26d52781947b0aee1de5b0fa2983ebc5f1b

Download Submit
C:\Users\Admin\AppData\Roaming\A8D3.0C0

Filesize
996B

MD5
782c18a82685b4b3988fffab34c43a5a

SHA1
6b43d9bd6cafbb01a7f127534a3ff8de2b2a0e4c

SHA256
a6c90c1dcb7a1f689c46f9539619c85a4647e42a033a81846fa79d70b7e2e764

SHA512
8a803c32fc782dfcadf1d60f558ba89e7207cbdecad16624478982a64f729fe8f3fc289b6a963ebee17753ac2665b43833117d1a1b03d831c362f66e11baaa7b

Download Submit
memory/1984-5-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1984-6-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1984-8-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2376-1-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2376-2-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2376-16-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2376-146-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3028-81-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3028-80-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3028-79-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing