cycbot | 4ef3f844e0d6ff1b38b9f601ef0d93c6ce6fa945602d3fd7354206f50ed59d30

General

Target

JaffaCakes118_08dc9ce40262450a71dc495bd3fb7d60.exe
Size

173KB
MD5

08dc9ce40262450a71dc495bd3fb7d60
SHA1

8572170e5a3be6288b9b2d0c5a7c6cef604aa2a6
SHA256

4ef3f844e0d6ff1b38b9f601ef0d93c6ce6fa945602d3fd7354206f50ed59d30
SHA512

62e372fb2798b5d63ceacda34e64c6c0b78155c6201c1a19ae24a318c8cbcdd12a98716f828e779421ac857fc48b749788cea6f8aa1ae24dddc00e05372b9711
SSDEEP

3072:tYc3AyXNWdNo+YFLs1Ilg1EGfvCjxKyeW2kRPz+0XqjQdf5cKDFoc43Jh+S9vc1R:Sc3AeNWdNo+N1l1EXdPBXqUdB5FoJqSM

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2704-14-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/2396-15-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/2528-81-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/2396-186-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2396-2-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2704-12-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2704-14-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2396-15-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2528-80-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2528-81-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2396-186-0x0000000000400000-0x000000000046C000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_08dc9ce40262450a71dc495bd3fb7d60.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_08dc9ce40262450a71dc495bd3fb7d60.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_08dc9ce40262450a71dc495bd3fb7d60.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 2704	2396	JaffaCakes118_08dc9ce40262450a71dc495bd3fb7d60.exe	31
PID 2396 wrote to memory of 2704	2396	JaffaCakes118_08dc9ce40262450a71dc495bd3fb7d60.exe	31
PID 2396 wrote to memory of 2704	2396	JaffaCakes118_08dc9ce40262450a71dc495bd3fb7d60.exe	31
PID 2396 wrote to memory of 2704	2396	JaffaCakes118_08dc9ce40262450a71dc495bd3fb7d60.exe	31
PID 2396 wrote to memory of 2528	2396	JaffaCakes118_08dc9ce40262450a71dc495bd3fb7d60.exe	33
PID 2396 wrote to memory of 2528	2396	JaffaCakes118_08dc9ce40262450a71dc495bd3fb7d60.exe	33
PID 2396 wrote to memory of 2528	2396	JaffaCakes118_08dc9ce40262450a71dc495bd3fb7d60.exe	33
PID 2396 wrote to memory of 2528	2396	JaffaCakes118_08dc9ce40262450a71dc495bd3fb7d60.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_08dc9ce40262450a71dc495bd3fb7d60.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_08dc9ce40262450a71dc495bd3fb7d60.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_08dc9ce40262450a71dc495bd3fb7d60.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_08dc9ce40262450a71dc495bd3fb7d60.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2704
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_08dc9ce40262450a71dc495bd3fb7d60.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_08dc9ce40262450a71dc495bd3fb7d60.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\B7FD.9A6

Filesize
1KB

MD5
0f08e7843fc7e2e566582c34a3fa7eb5

SHA1
cdb857ca7236d8d786b4951e2278bf4cdfbafe05

SHA256
c5651a376e779373c0c8a06a4cb510f9c1f0565ad66a13b5c75f066d69ad2846

SHA512
c86aff45ae05e387b3cce2faaccac483465c1730f0b0398a63a4e964ca63f8b9b8e90a600359d19fcc3d8031c09f79e503a8ce39d2a05f0ee20517e0d846b95a

Download Submit
C:\Users\Admin\AppData\Roaming\B7FD.9A6

Filesize
600B

MD5
34bbbd065a486a9da7be4c15b5244283

SHA1
077712483725b644ac4bc5f39171755908d71d43

SHA256
9425f6d1ab54003c6314e8f5c3550e7847470ecceca477adb318904fb7acc3ed

SHA512
35433394b73d1493902003b87f7cb1ff08eee8f07aa532e0295bc789187133ca1347470e1f2a5b5255ac1a55655ee3bb4bd257906aa11d7ac790772690298a8a

Download Submit
C:\Users\Admin\AppData\Roaming\B7FD.9A6

Filesize
996B

MD5
c1ea6540ece0f1ee24ea7ac812e5e4a2

SHA1
a969a44e53e9c2bdcc21b4b0da27e41da63456a8

SHA256
115b06d3b21c9890bd94e108bcaa38bcbf56dddae3ec99839eda799a1ce4e244

SHA512
a0ea21cf03672dbf006f05109da3095ca2c55588b81ee115295e515210681ce85a3a658358d5565690a96490e9035987f4ec61e37414d7126016dd44713b8854

Download Submit
memory/2396-1-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2396-2-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2396-15-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2396-186-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2528-80-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2528-81-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2704-12-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2704-14-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing