cycbot | 14af37c5a45c3edcb5b07b459c1ee6d2f04e794992a5983b9a4567e2dddbf939

General

Target

JaffaCakes118_7bab48754618b293add1bddf8e3efbeb.exe
Size

171KB
MD5

7bab48754618b293add1bddf8e3efbeb
SHA1

51f114718eec7096b486b4881120e497fea92d6e
SHA256

14af37c5a45c3edcb5b07b459c1ee6d2f04e794992a5983b9a4567e2dddbf939
SHA512

b41ed52aca3f897078352570bf9449266425970395ce3537c5216365900a6d55421ed86510ebfbf2d4dd4a1a6f388e1db68c9ae8a284d601c4803c58a7af9a48
SSDEEP

3072:xMjhTAxjxNNOZj3j0yxFI6zrwfXFZQoksH5SHT1JDQPyj5M44aD0:qlTAxjxA3w+FIqUvF66UDVj5MJm

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/3004-14-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/1952-15-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/2156-81-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/1952-205-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1952-2-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/3004-12-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/3004-14-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1952-15-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2156-79-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2156-81-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1952-205-0x0000000000400000-0x000000000046C000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7bab48754618b293add1bddf8e3efbeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7bab48754618b293add1bddf8e3efbeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7bab48754618b293add1bddf8e3efbeb.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 3004	1952	JaffaCakes118_7bab48754618b293add1bddf8e3efbeb.exe	30
PID 1952 wrote to memory of 3004	1952	JaffaCakes118_7bab48754618b293add1bddf8e3efbeb.exe	30
PID 1952 wrote to memory of 3004	1952	JaffaCakes118_7bab48754618b293add1bddf8e3efbeb.exe	30
PID 1952 wrote to memory of 3004	1952	JaffaCakes118_7bab48754618b293add1bddf8e3efbeb.exe	30
PID 1952 wrote to memory of 2156	1952	JaffaCakes118_7bab48754618b293add1bddf8e3efbeb.exe	32
PID 1952 wrote to memory of 2156	1952	JaffaCakes118_7bab48754618b293add1bddf8e3efbeb.exe	32
PID 1952 wrote to memory of 2156	1952	JaffaCakes118_7bab48754618b293add1bddf8e3efbeb.exe	32
PID 1952 wrote to memory of 2156	1952	JaffaCakes118_7bab48754618b293add1bddf8e3efbeb.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7bab48754618b293add1bddf8e3efbeb.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7bab48754618b293add1bddf8e3efbeb.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7bab48754618b293add1bddf8e3efbeb.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7bab48754618b293add1bddf8e3efbeb.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3004
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7bab48754618b293add1bddf8e3efbeb.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7bab48754618b293add1bddf8e3efbeb.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\94C0.C17

Filesize
1KB

MD5
f18ea68d3a9d62bc1880d9dcf4a18e4b

SHA1
88cbebcf3295c82234341d3e86611c53d483cd05

SHA256
bdda33cc06cb36ea142b413bf7842c510946466c34f1e3c5e0c38a727872d5fa

SHA512
c6bd1f818edf5d34cc576e0da6a108a8a60334cf5cdf7475255d42e1d58834491b8c206fd0a59bdfe7755c8d0f4595184f5b545882d253d552f13608b13bd0a4

Download Submit
C:\Users\Admin\AppData\Roaming\94C0.C17

Filesize
600B

MD5
1698bc8b16e0d3121d6476e31a78a614

SHA1
1b270ba0f8ae16825b75bee05b9b2af1432dfece

SHA256
7efff85901abef1d961b222fa1bb72a53bb487bf1be5d203ebcfc92b654e794e

SHA512
ccd0bdc6a67addd9a65bd8ad09d9b8b8b6198d67b60ac3770c09da42777a8766019055c68419415c93ddd73c0596aa0db855eddba79fc21f30e893bc3563bd74

Download Submit
C:\Users\Admin\AppData\Roaming\94C0.C17

Filesize
996B

MD5
37302429420ef203e95881f3ead1af4e

SHA1
4452e5b49fcc230b6bbbadf3588f5d8f34fe18ac

SHA256
dfda970c3c1ecfe261bb31e06daba856e4a3f3ca524030ff636d4925a422b567

SHA512
7213bf1678ef7794dd5910e3cbb090b6ad169f7c58b3989ca40bf949c66195aa0011c344830ddcf2db4c80410ab740ddd7ae02eed98860bbd5512dca874b2d36

Download Submit
memory/1952-1-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1952-2-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1952-15-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1952-205-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2156-78-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2156-79-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2156-81-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3004-12-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3004-14-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing