cycbot | b22309bbdb4d5d0d65e85992761911f449a5eeeaed589ab167c5d20ec7ac2e46

General

Target

JaffaCakes118_777717ead7a63ff83965fd6187fd6c23.exe
Size

194KB
MD5

777717ead7a63ff83965fd6187fd6c23
SHA1

027c9b469c825893542740869aeb3cf46752d8e8
SHA256

b22309bbdb4d5d0d65e85992761911f449a5eeeaed589ab167c5d20ec7ac2e46
SHA512

41cc79792c374bbd20855e0099f6bc3aa734298ca3a1a2b7b9eefeeb751ca1be41656b2c364ee6f267138de6edd3f5f484e01c2819b5676583b987ac5a715896
SSDEEP

3072:bTaD1fYq1T/av2VUCATjD6nyK96B8AgNJu6hYXs/2OCjahvXnfp2T/gONzYFiwpc:QYU62a21962HbYkjhnfgN4Txn

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2724-14-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot
behavioral1/memory/2720-15-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot
behavioral1/memory/1756-90-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot
behavioral1/memory/2720-171-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2720-2-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2724-14-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2724-12-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2720-15-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/1756-89-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/1756-90-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2720-171-0x0000000000400000-0x0000000000454000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_777717ead7a63ff83965fd6187fd6c23.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_777717ead7a63ff83965fd6187fd6c23.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_777717ead7a63ff83965fd6187fd6c23.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 2724	2720	JaffaCakes118_777717ead7a63ff83965fd6187fd6c23.exe	30
PID 2720 wrote to memory of 2724	2720	JaffaCakes118_777717ead7a63ff83965fd6187fd6c23.exe	30
PID 2720 wrote to memory of 2724	2720	JaffaCakes118_777717ead7a63ff83965fd6187fd6c23.exe	30
PID 2720 wrote to memory of 2724	2720	JaffaCakes118_777717ead7a63ff83965fd6187fd6c23.exe	30
PID 2720 wrote to memory of 1756	2720	JaffaCakes118_777717ead7a63ff83965fd6187fd6c23.exe	32
PID 2720 wrote to memory of 1756	2720	JaffaCakes118_777717ead7a63ff83965fd6187fd6c23.exe	32
PID 2720 wrote to memory of 1756	2720	JaffaCakes118_777717ead7a63ff83965fd6187fd6c23.exe	32
PID 2720 wrote to memory of 1756	2720	JaffaCakes118_777717ead7a63ff83965fd6187fd6c23.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_777717ead7a63ff83965fd6187fd6c23.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_777717ead7a63ff83965fd6187fd6c23.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_777717ead7a63ff83965fd6187fd6c23.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_777717ead7a63ff83965fd6187fd6c23.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2724
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_777717ead7a63ff83965fd6187fd6c23.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_777717ead7a63ff83965fd6187fd6c23.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\C98E.7FA

Filesize
996B

MD5
a3b9958352ca7769b1be79647ecfba72

SHA1
937e44f290bcdc8b52b853808924fd942d681dd0

SHA256
15c267c97f43f714693cb94577010ed2aec45f678a75b7ea70a0895ebe310acf

SHA512
6686a0950b54a033b5dd71c46b4a7352b003a29f754923773386739c156e17f08693bd3d1a83400acd6f064836c57d6654ce2f1f0fa93a2edf040aa29c9aa111

Download Submit
C:\Users\Admin\AppData\Roaming\C98E.7FA

Filesize
600B

MD5
a24ab9906fd8b2e9f7006607f3395877

SHA1
fc7e31665a33af188a915665099ff23c6bcd5c9e

SHA256
9c7dcf11ef934a5272e358a21aa66ba60782f4f9cd1d8d66f7d57b25f767041f

SHA512
e8341e8c75981a11410b68e0d2927ba7fe6da646a40f466d585bf9b12e2f31ef32d0f52f9a5d6ed86880764170b45f259b413915295543fcbe1ef88ad77aa6f4

Download Submit
C:\Users\Admin\AppData\Roaming\C98E.7FA

Filesize
1KB

MD5
4fa3030fad25ab1efb6d9002ec0dafd3

SHA1
ca5702f20d1c60f968df2b54595a1d55bdafb5eb

SHA256
e30319fe621e9160c1659cd6d403bef0324002abb17ea5da7e592fa34d3e3ec0

SHA512
a5bcc9ccfb0839a430621e5ce860aad74f5b55f208bde1e6b1c87fa3820621cb361234ba029d4ef74cae7e2601b3a32ef2591f6a052817a7b75c5292d0ea1418

Download Submit
memory/1756-89-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1756-90-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2720-2-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2720-1-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2720-15-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2720-171-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2724-14-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2724-12-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing