cycbot | 4c1c9aed83b91a704398f6958342c990f38333ca08b638006c4c8d49c79ce233

General

Target

JaffaCakes118_17ab588760812f3fc9cdd6c85a6c34e7.exe
Size

164KB
MD5

17ab588760812f3fc9cdd6c85a6c34e7
SHA1

379a496e1f8bee02911556afb6c64276f01b636d
SHA256

4c1c9aed83b91a704398f6958342c990f38333ca08b638006c4c8d49c79ce233
SHA512

94ad538c9d0b5e00cb381395d86fc1d302abaad7406696a05c4acf59a7173bcba8b9fa3b82cd76491f3e9394c6309dc01360fa74ba0d32f73d91e91f27b9cb4a
SSDEEP

3072:GmfJmOJHYuBuyWKfo1y+/Ihyt3hJWQ8V+yAsOezzEOYHq0aIcZtL:IONYuBuyIYtQgzOezRYHqM

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2832-7-0x0000000000400000-0x0000000000469000-memory.dmp	family_cycbot
behavioral1/memory/2832-9-0x0000000000400000-0x0000000000469000-memory.dmp	family_cycbot
behavioral1/memory/2820-20-0x0000000000400000-0x0000000000469000-memory.dmp	family_cycbot
behavioral1/memory/2404-89-0x0000000000400000-0x0000000000469000-memory.dmp	family_cycbot
behavioral1/memory/2820-192-0x0000000000400000-0x0000000000469000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2820-1-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2832-6-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2832-7-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2832-9-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2820-20-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2404-89-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2820-192-0x0000000000400000-0x0000000000469000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_17ab588760812f3fc9cdd6c85a6c34e7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_17ab588760812f3fc9cdd6c85a6c34e7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_17ab588760812f3fc9cdd6c85a6c34e7.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 2832	2820	JaffaCakes118_17ab588760812f3fc9cdd6c85a6c34e7.exe	30
PID 2820 wrote to memory of 2832	2820	JaffaCakes118_17ab588760812f3fc9cdd6c85a6c34e7.exe	30
PID 2820 wrote to memory of 2832	2820	JaffaCakes118_17ab588760812f3fc9cdd6c85a6c34e7.exe	30
PID 2820 wrote to memory of 2832	2820	JaffaCakes118_17ab588760812f3fc9cdd6c85a6c34e7.exe	30
PID 2820 wrote to memory of 2404	2820	JaffaCakes118_17ab588760812f3fc9cdd6c85a6c34e7.exe	32
PID 2820 wrote to memory of 2404	2820	JaffaCakes118_17ab588760812f3fc9cdd6c85a6c34e7.exe	32
PID 2820 wrote to memory of 2404	2820	JaffaCakes118_17ab588760812f3fc9cdd6c85a6c34e7.exe	32
PID 2820 wrote to memory of 2404	2820	JaffaCakes118_17ab588760812f3fc9cdd6c85a6c34e7.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_17ab588760812f3fc9cdd6c85a6c34e7.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_17ab588760812f3fc9cdd6c85a6c34e7.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_17ab588760812f3fc9cdd6c85a6c34e7.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_17ab588760812f3fc9cdd6c85a6c34e7.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2832
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_17ab588760812f3fc9cdd6c85a6c34e7.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_17ab588760812f3fc9cdd6c85a6c34e7.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\320A.AF3

Filesize
597B

MD5
7e4270b3e5df6bcc3b7237812ef29163

SHA1
2e61526d7f6cc15d8c357e57e1ae3dbd93731079

SHA256
6c4df1044420071ccd52c453c3ceeac91076da721f25501281130f6f1de39e2c

SHA512
8d2e88cebbbe18bcbe75a3fbd8c7180de27a4ea41ebe116eb54083182d932293e1e8e4fe8f9b54268b6d5bbd4b90b80a34e36bbc946a9791c53c9fca19c0585d

Download Submit
C:\Users\Admin\AppData\Roaming\320A.AF3

Filesize
1KB

MD5
a3ac571a5174746c086a3194aae84a50

SHA1
1fa6e5f96e34010dd954781c8e2d8236cc20eca5

SHA256
a578ba9c87f7e3043c46e54b0a075c651580e93393cf18c99dda687d6b71ea7a

SHA512
ad90dc5887ddf50f123f3808256f73e9a4a8fb083ef6ece557cbe5060c63229d85389eab92450b281083f1617e28d279453f1c675362d8d12a9db42d475be6be

Download Submit
C:\Users\Admin\AppData\Roaming\320A.AF3

Filesize
897B

MD5
1217e64edd64c0586e611dde2c2bdfb5

SHA1
9d76c5b6dcdab2841111269eb79d28ec73cd594f

SHA256
3740421721c300ce6100cf1a3682edb2f5576b7a2d0e6fffa79b24caeb17a296

SHA512
8c65f3c86d2af3800e725bde995779c62a293330094c030061c901b204c99bb8bb65b0b8f5e4261f7e3df1823f4187764d4fef7a229e33643954024c06fdf389

Download Submit
C:\Users\Admin\AppData\Roaming\320A.AF3

Filesize
1KB

MD5
6d427e6ee2d3adcef50ddb01c3de81d6

SHA1
34effc53a93e015a1faa1207cc3e02d2c7dcb47e

SHA256
a7490b3367fbe08e41be75982c78fd1177931762ca0178719fa1d7a99d749b9d

SHA512
6fd0a3d6a89a4e2f7fd11b9234a5b4073015de4e2ce6d47316e3c021576c906bee6d00c142e24077ae783826ae1872cf0dc9f3eba6573388c0eef9ff1fb6a4ae

Download Submit
memory/2404-89-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2404-88-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2820-1-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2820-20-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2820-192-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2832-6-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2832-7-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2832-9-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download

Analysis

Sharing