cycbot | 7c0d6d06819983b999dae6d9ef7a50b216df20e86f3c5e5c332805bbe4a65307

General

Target

JaffaCakes118_1f893827c86f656ed62f6e7cbd46cbf0.exe
Size

182KB
MD5

1f893827c86f656ed62f6e7cbd46cbf0
SHA1

b23c725346b5d270f3fecdd0ba0b9df73829916f
SHA256

7c0d6d06819983b999dae6d9ef7a50b216df20e86f3c5e5c332805bbe4a65307
SHA512

c9f1472098655f645adebee272a8725f1bb893f5405e5aaf97448a2fc85cd3f9b1435649001bf60678f2d97e9876937992714588034ae8ea49ff640aa03d7ba8
SSDEEP

3072:ezxvyc3GHS+6kbVWBzESJtAqY6uZTwXjLe+9kzdoC6QGY8eDEH+VbY:gxvVWHSjk5WBztY6uZEXjLe2kzOC6m81

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2316-13-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/2088-14-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/3036-76-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/2088-183-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2088-2-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2316-12-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2316-13-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2088-14-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/3036-75-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/3036-76-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2088-183-0x0000000000400000-0x000000000044E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1f893827c86f656ed62f6e7cbd46cbf0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1f893827c86f656ed62f6e7cbd46cbf0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1f893827c86f656ed62f6e7cbd46cbf0.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 2316	2088	JaffaCakes118_1f893827c86f656ed62f6e7cbd46cbf0.exe	30
PID 2088 wrote to memory of 2316	2088	JaffaCakes118_1f893827c86f656ed62f6e7cbd46cbf0.exe	30
PID 2088 wrote to memory of 2316	2088	JaffaCakes118_1f893827c86f656ed62f6e7cbd46cbf0.exe	30
PID 2088 wrote to memory of 2316	2088	JaffaCakes118_1f893827c86f656ed62f6e7cbd46cbf0.exe	30
PID 2088 wrote to memory of 3036	2088	JaffaCakes118_1f893827c86f656ed62f6e7cbd46cbf0.exe	33
PID 2088 wrote to memory of 3036	2088	JaffaCakes118_1f893827c86f656ed62f6e7cbd46cbf0.exe	33
PID 2088 wrote to memory of 3036	2088	JaffaCakes118_1f893827c86f656ed62f6e7cbd46cbf0.exe	33
PID 2088 wrote to memory of 3036	2088	JaffaCakes118_1f893827c86f656ed62f6e7cbd46cbf0.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1f893827c86f656ed62f6e7cbd46cbf0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1f893827c86f656ed62f6e7cbd46cbf0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1f893827c86f656ed62f6e7cbd46cbf0.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1f893827c86f656ed62f6e7cbd46cbf0.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2316
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1f893827c86f656ed62f6e7cbd46cbf0.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1f893827c86f656ed62f6e7cbd46cbf0.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\0BB3.903

Filesize
1KB

MD5
c932e45b5a04d080e22018a16a6318ac

SHA1
0d0fab55bc82bdfda6e4a99ccd80f5a2c6040e66

SHA256
511dba7923ba0ff3f222955e82252b8908c250a0581a0343facad01119e01e92

SHA512
e01242a9a905ebe5edd93890147df16aac0810a47aeff0e68da6ba0d78f5830d04acf2eade3857a29b0f771fd6f3ff68abfdebafcdb03fe50743e177a6e07c21

Download Submit
C:\Users\Admin\AppData\Roaming\0BB3.903

Filesize
600B

MD5
e556ab5fd8093175a9757392920dcca9

SHA1
bda61eed87bd84c46f630b62b440b16c4299eb30

SHA256
43ae814bd29f796a753f029c402230699b22eb64b019491976454cf16e372826

SHA512
a655a379c4f23de109bcbdf9d2cd3657f53fa2af3d84ca9f917336914051643d192ff1aea43f3e4e8aa99d613f39758f697714ccc814531064b1e7a58ed0b1dd

Download Submit
C:\Users\Admin\AppData\Roaming\0BB3.903

Filesize
996B

MD5
5d88bc4f6520fd6077f00a6657723286

SHA1
11f0a9b6d9b2445618d97c301fa82433c464b331

SHA256
92e2a45dca46757ec96f80661ad3a7e77a515124f62c1f71831db1ff4115229f

SHA512
c2c204cdfd218b89f7478193e18238ae9752fc36d86e8928ba9333bd17f6be6bacc5ebd6d0a8e4c796d3caa91e9258b898abe2d2d76bee1f51e45184f1d27a6d

Download Submit
memory/2088-1-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2088-2-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2088-14-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2088-183-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2316-12-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2316-13-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3036-75-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3036-76-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing