cycbot | 6729a9416994f6232b1078334bd2ba6c7f79f059e673c3e21c7cadd0b0a949d5

General

Target

JaffaCakes118_1128afe54d77bc854e931acfddd88a64.exe
Size

212KB
MD5

1128afe54d77bc854e931acfddd88a64
SHA1

7ab6bffc762e3b0ca9117edbb6355f79fc941ddf
SHA256

6729a9416994f6232b1078334bd2ba6c7f79f059e673c3e21c7cadd0b0a949d5
SHA512

d49e308acde4faf5cfcfde54cd57a46a2195685b93c14e830e07d16a3ef46d17adb5f9d182d08526e8752acc979339b1c544549ec464d0f8625c7f435a6bffd7
SSDEEP

3072:Mt959W8lgzl/yNauKpiqFXJwEvPH+pNx/sRlX96aq1gpz7BwECAgS8eP9gFh+HL:MtDXau8lXJHXuDUT6rgV9SAgS5PS3+H

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2748-7-0x0000000000400000-0x000000000044F000-memory.dmp	family_cycbot
behavioral1/memory/2788-15-0x0000000000400000-0x000000000044F000-memory.dmp	family_cycbot
behavioral1/memory/1804-78-0x0000000000400000-0x000000000044F000-memory.dmp	family_cycbot
behavioral1/memory/2788-181-0x0000000000400000-0x000000000044F000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process
PID 2788 set thread context of 0	2788	JaffaCakes118_1128afe54d77bc854e931acfddd88a64.exe
PID 2748 set thread context of 0	2748	JaffaCakes118_1128afe54d77bc854e931acfddd88a64.exe
PID 1804 set thread context of 0	1804	JaffaCakes118_1128afe54d77bc854e931acfddd88a64.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2788-2-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2748-5-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2748-7-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2788-15-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/1804-76-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/1804-78-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2788-181-0x0000000000400000-0x000000000044F000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1128afe54d77bc854e931acfddd88a64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1128afe54d77bc854e931acfddd88a64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1128afe54d77bc854e931acfddd88a64.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 2748	2788	JaffaCakes118_1128afe54d77bc854e931acfddd88a64.exe	30
PID 2788 wrote to memory of 2748	2788	JaffaCakes118_1128afe54d77bc854e931acfddd88a64.exe	30
PID 2788 wrote to memory of 2748	2788	JaffaCakes118_1128afe54d77bc854e931acfddd88a64.exe	30
PID 2788 wrote to memory of 2748	2788	JaffaCakes118_1128afe54d77bc854e931acfddd88a64.exe	30
PID 2788 wrote to memory of 1804	2788	JaffaCakes118_1128afe54d77bc854e931acfddd88a64.exe	32
PID 2788 wrote to memory of 1804	2788	JaffaCakes118_1128afe54d77bc854e931acfddd88a64.exe	32
PID 2788 wrote to memory of 1804	2788	JaffaCakes118_1128afe54d77bc854e931acfddd88a64.exe	32
PID 2788 wrote to memory of 1804	2788	JaffaCakes118_1128afe54d77bc854e931acfddd88a64.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1128afe54d77bc854e931acfddd88a64.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1128afe54d77bc854e931acfddd88a64.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1128afe54d77bc854e931acfddd88a64.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1128afe54d77bc854e931acfddd88a64.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:2748
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1128afe54d77bc854e931acfddd88a64.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1128afe54d77bc854e931acfddd88a64.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:1804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\5769.527

Filesize
1KB

MD5
b05b567897d79f7ffdd9b113a6753438

SHA1
646ddc6c3ac9c18f14abc456ded8db44e9a812e9

SHA256
83f7189dfd8982a8333cda36951b63a64e6c1498d35e57e759e1c37d0662b91c

SHA512
0a5c548d6bda57bb8c578d56777212f6800ca5871becf12669d52fb0466d9674baee617d0d8a85dbfde288f9c14ad456cfbc5b65428158cfc67bd4720ba93282

Download Submit
C:\Users\Admin\AppData\Roaming\5769.527

Filesize
600B

MD5
aeca2c2ff70ac5bc1e8c27e964d21676

SHA1
48c2c19bc437c24c2a3ff4d10b5c20552ca7b9a4

SHA256
fe5273a6c8118476e32e093545ee067d46df5dbe0e2107b889262d16fca82e9c

SHA512
5118b7e80c8b3538d205c87cb07d6a7bda4588b4b5d258d5fb0e6a4b510289e29e6ca46f4ce5762e9c5065cd8f94a8dd6993ed53bd647fde00f02ad9faf2c43c

Download Submit
C:\Users\Admin\AppData\Roaming\5769.527

Filesize
996B

MD5
a299ee12d84a7c51bd966141a4927009

SHA1
cb287fb5b3f3ae77a665c04cce0158ae38700641

SHA256
d18957894c5f61b05d06469a6269777c66e6665347ea9303c13d48b839904feb

SHA512
8e6937e6fc9db2d82aeeed4db8b12023f1b6e99e4ffefcf83a986ee17df000a197a1042b47db54ecb64f3814b6442ecf2b4aeefae9c015f4ad91842ab2764510

Download Submit
memory/1804-76-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1804-78-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2748-5-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2748-7-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2788-1-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2788-2-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2788-15-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2788-181-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download

Analysis

Sharing