cycbot | 28ba9c5739e19baf5dc58f5ce8669bc18786865c476565430e29d55474d23973

General

Target

JaffaCakes118_04450caf764bd461dcd0ccb198c1b55d.exe
Size

187KB
MD5

04450caf764bd461dcd0ccb198c1b55d
SHA1

15366f466350b8b98dade6488e3b5a9f0214aa79
SHA256

28ba9c5739e19baf5dc58f5ce8669bc18786865c476565430e29d55474d23973
SHA512

8d0c6919444303accbc3891c073d19503c4c3ecadf2527e83ac14b1d6563d5324c2886b3de0263eb1ef2f0964568e0caaefea9ad7fbb2e65bbf44bf16e03866c
SSDEEP

3072:yAuWzkD8lxQzuXPO5zdtVXvWKGUp3pyQX1yCMFrxjIW8Q+WhdakYleB6hYM5zCrd:NhkobQzuX2lfV/WOp34QjMPsW+SdakYa

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2112-11-0x0000000000400000-0x0000000000471000-memory.dmp	family_cycbot
behavioral1/memory/2096-16-0x0000000000400000-0x0000000000471000-memory.dmp	family_cycbot
behavioral1/memory/2044-89-0x0000000000400000-0x0000000000471000-memory.dmp	family_cycbot
behavioral1/memory/2096-194-0x0000000000400000-0x0000000000471000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2096-2-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral1/memory/2112-9-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral1/memory/2112-11-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral1/memory/2112-8-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral1/memory/2096-16-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral1/memory/2044-88-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral1/memory/2044-89-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral1/memory/2096-194-0x0000000000400000-0x0000000000471000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_04450caf764bd461dcd0ccb198c1b55d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_04450caf764bd461dcd0ccb198c1b55d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_04450caf764bd461dcd0ccb198c1b55d.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2112	2096	JaffaCakes118_04450caf764bd461dcd0ccb198c1b55d.exe	30
PID 2096 wrote to memory of 2112	2096	JaffaCakes118_04450caf764bd461dcd0ccb198c1b55d.exe	30
PID 2096 wrote to memory of 2112	2096	JaffaCakes118_04450caf764bd461dcd0ccb198c1b55d.exe	30
PID 2096 wrote to memory of 2112	2096	JaffaCakes118_04450caf764bd461dcd0ccb198c1b55d.exe	30
PID 2096 wrote to memory of 2044	2096	JaffaCakes118_04450caf764bd461dcd0ccb198c1b55d.exe	33
PID 2096 wrote to memory of 2044	2096	JaffaCakes118_04450caf764bd461dcd0ccb198c1b55d.exe	33
PID 2096 wrote to memory of 2044	2096	JaffaCakes118_04450caf764bd461dcd0ccb198c1b55d.exe	33
PID 2096 wrote to memory of 2044	2096	JaffaCakes118_04450caf764bd461dcd0ccb198c1b55d.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04450caf764bd461dcd0ccb198c1b55d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04450caf764bd461dcd0ccb198c1b55d.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04450caf764bd461dcd0ccb198c1b55d.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04450caf764bd461dcd0ccb198c1b55d.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2112
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04450caf764bd461dcd0ccb198c1b55d.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04450caf764bd461dcd0ccb198c1b55d.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\200A.809

Filesize
1KB

MD5
c608f807f7946341a2460b369fc3ea9e

SHA1
e1c6f7c0d4f39d6805f3ac83cde15cd2efce19b2

SHA256
e56a2a784e3d8001af723f5acaefeb598226660039f6b7b89e3346508a1bb2ba

SHA512
3f1e2b35533879d748d7c0ab1b329b9409d4715a7e5fbabeff8206d69731da9e173ca9efd587ce04b96edc1d4a08cf46e348f904d53f7aa5ac94cf5136ff9893

Download Submit
C:\Users\Admin\AppData\Roaming\200A.809

Filesize
600B

MD5
9154bfee27a0884f217cf485d28f07b4

SHA1
564bd60a4acc81c9facdaaa35348ac29efaed5e8

SHA256
5dda77654b06a61a9dc267e23a9c5cbb7a20d6944cbca7963e248dd0bf3bbbc4

SHA512
f876853fed3470d37b4b8f90ed3e87037fcba976e6d3d8307bfe953c45dae55c85884e30e308055c08ebacd0b30c49e09148e533c5ab50fdcd8ff946dc0ffd24

Download Submit
C:\Users\Admin\AppData\Roaming\200A.809

Filesize
996B

MD5
ec249d09c2313324346d145c8ded84d5

SHA1
9f31868e95476913d6878aabf50f0ff983ee91c1

SHA256
2e767fd903bbb25fcf37db4b9ececcdec4c1ef7443dbab514ffc4617fa382a91

SHA512
506c5bb3b1d7f90ad735552ed31249bada3cee50aeeb0f3ff651a1069f178f10c11641d154a4763d3b4dd34ab7cd893a49815e257c18adc510a05bd3dc93f5c9

Download Submit
memory/2044-88-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2044-89-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2096-1-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2096-2-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2096-16-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2096-194-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2112-9-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2112-11-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2112-8-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing