cycbot | 063c81d12968d51e53c675030ebd49ec5f9283e52049460a22e5cfd7c7f82cec

General

Target

JaffaCakes118_7b198772f7537b85497ecb23545ba2ce.exe
Size

172KB
MD5

7b198772f7537b85497ecb23545ba2ce
SHA1

9266c8e880ff247b4a0260019328c8ffd3ac05f6
SHA256

063c81d12968d51e53c675030ebd49ec5f9283e52049460a22e5cfd7c7f82cec
SHA512

a1c43f1793171c875b1f5a1df3173da8ab1af87f14751cecbca0c21a41849f1a805d4be24c2a6b5dbbeb6ae5d667e491bdf67bfed182b919c120535068bb3f25
SSDEEP

3072:eF3WWl4UBXhn3GPl1SNEUoJ5HIKAsnWqREKUE1GKCA1L:bW6+x3ol0EUeHzrWhKZAKN

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2456-13-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral1/memory/2456-15-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral1/memory/2868-16-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral1/memory/1200-86-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral1/memory/2868-168-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2868-2-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2456-13-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2456-15-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2868-16-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1200-85-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1200-86-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2868-168-0x0000000000400000-0x000000000046B000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7b198772f7537b85497ecb23545ba2ce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7b198772f7537b85497ecb23545ba2ce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7b198772f7537b85497ecb23545ba2ce.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2456	2868	JaffaCakes118_7b198772f7537b85497ecb23545ba2ce.exe	31
PID 2868 wrote to memory of 2456	2868	JaffaCakes118_7b198772f7537b85497ecb23545ba2ce.exe	31
PID 2868 wrote to memory of 2456	2868	JaffaCakes118_7b198772f7537b85497ecb23545ba2ce.exe	31
PID 2868 wrote to memory of 2456	2868	JaffaCakes118_7b198772f7537b85497ecb23545ba2ce.exe	31
PID 2868 wrote to memory of 1200	2868	JaffaCakes118_7b198772f7537b85497ecb23545ba2ce.exe	33
PID 2868 wrote to memory of 1200	2868	JaffaCakes118_7b198772f7537b85497ecb23545ba2ce.exe	33
PID 2868 wrote to memory of 1200	2868	JaffaCakes118_7b198772f7537b85497ecb23545ba2ce.exe	33
PID 2868 wrote to memory of 1200	2868	JaffaCakes118_7b198772f7537b85497ecb23545ba2ce.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b198772f7537b85497ecb23545ba2ce.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b198772f7537b85497ecb23545ba2ce.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b198772f7537b85497ecb23545ba2ce.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b198772f7537b85497ecb23545ba2ce.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2456
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b198772f7537b85497ecb23545ba2ce.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b198772f7537b85497ecb23545ba2ce.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\7458.40F

Filesize
1KB

MD5
9618c8a9326019e60b7aa897934f32e3

SHA1
8686effed1a11512874cc45d9493ab8b7b4c5f0d

SHA256
31fbdcca3e0078384daf54f70ff4792053bb6f868f91c38f929d88a5b716b654

SHA512
4ab072b48e797e4f48d0b9c7887669af6c239e8dccc807f968fa4931b0c82bbec376028b91db3f893b2eb51cff1388e0f99f380cdcfba71b9240920c87902be6

Download Submit
C:\Users\Admin\AppData\Roaming\7458.40F

Filesize
600B

MD5
d036ce9dd1f680db84eb870037b985fc

SHA1
501f866baacf3e900e6ff2267f122c13a0ee252c

SHA256
41233d5bb6830c78c5a8af759aed745427d3276d0fe9ca0632e67a26264dcd8f

SHA512
8e9d7fc83ac94261227104540d7d2f2d2f9c7be30f81000ee29112a2dd5623638f484e43b51ed40f4e68354d015e14351e38744030e7480498a3b305bdaf7f10

Download Submit
C:\Users\Admin\AppData\Roaming\7458.40F

Filesize
996B

MD5
b458b37467b4f47fbd845f68a01b43b8

SHA1
58b20e28c5edaeccec82ba7d3e36667ca73d8060

SHA256
dafd236fb0b12a54480b9979a981daa04e480c926fe01585ac5978f92788fd0d

SHA512
a784f6e3932e49b7a5f272eff6bc55c4f8d768a68e8fad81a39abb7aff7635f2753227248e701679042ba3411b84fe420a4fa232762bee56a2e4186bb04a197b

Download Submit
memory/1200-85-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1200-86-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2456-12-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2456-13-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2456-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2868-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2868-2-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2868-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2868-168-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing