cycbot | 4bc53d3c2b2b7e398c2ff79567c649693e8cf31ae87f687935d040909dd131af

General

Target

JaffaCakes118_32663601c06a91564a0de6dfa310140c.exe
Size

188KB
MD5

32663601c06a91564a0de6dfa310140c
SHA1

7aedbd286e02fee49db7331bf4d2e6e584ae8d2b
SHA256

4bc53d3c2b2b7e398c2ff79567c649693e8cf31ae87f687935d040909dd131af
SHA512

c8f38abf6a21d51cf797ba402345c27c9f6db1f566cb604a5915d823a073a48f9fc3627f863c6d9188f26fb38e10cb61a62d30cf62002b6dfb63cad25edb3c80
SSDEEP

3072:0FsFlM4t39BF1irIluJFJIL1hjAEdtBxYKyWXazR3jxMip:0FsFlMQNBFQrJLCzjAEdtIKrazR1

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/3024-14-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/2764-15-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/2052-82-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/2764-188-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2764-2-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/3024-14-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/3024-13-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2764-15-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2052-80-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2052-82-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2764-188-0x0000000000400000-0x000000000044E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_32663601c06a91564a0de6dfa310140c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_32663601c06a91564a0de6dfa310140c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_32663601c06a91564a0de6dfa310140c.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 3024	2764	JaffaCakes118_32663601c06a91564a0de6dfa310140c.exe	31
PID 2764 wrote to memory of 3024	2764	JaffaCakes118_32663601c06a91564a0de6dfa310140c.exe	31
PID 2764 wrote to memory of 3024	2764	JaffaCakes118_32663601c06a91564a0de6dfa310140c.exe	31
PID 2764 wrote to memory of 3024	2764	JaffaCakes118_32663601c06a91564a0de6dfa310140c.exe	31
PID 2764 wrote to memory of 2052	2764	JaffaCakes118_32663601c06a91564a0de6dfa310140c.exe	33
PID 2764 wrote to memory of 2052	2764	JaffaCakes118_32663601c06a91564a0de6dfa310140c.exe	33
PID 2764 wrote to memory of 2052	2764	JaffaCakes118_32663601c06a91564a0de6dfa310140c.exe	33
PID 2764 wrote to memory of 2052	2764	JaffaCakes118_32663601c06a91564a0de6dfa310140c.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_32663601c06a91564a0de6dfa310140c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_32663601c06a91564a0de6dfa310140c.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_32663601c06a91564a0de6dfa310140c.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_32663601c06a91564a0de6dfa310140c.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3024
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_32663601c06a91564a0de6dfa310140c.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_32663601c06a91564a0de6dfa310140c.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\6AEA.E85

Filesize
1KB

MD5
410417a82eab25a357d76ddafb437ade

SHA1
414a0f70d8341c812f2bcee31b9acb399b7b31d1

SHA256
3a21be4cecc17fc2b6b00174d9dad6e705ee0160605fa48f250e6893e6f4531a

SHA512
01c13464059babe0fa3c84e98e3341d5aa438649e96ff5c481a71b9a21f6c276b1892c446b328c5d8f4d9505376f459814e9f51612cde219b6d5066632d6a8da

Download Submit
C:\Users\Admin\AppData\Roaming\6AEA.E85

Filesize
1KB

MD5
a14cc5534082088643700a4f784f778e

SHA1
4617bd8c560e3d7907e5e2af7d77a1929d8b00ca

SHA256
34b8cab7a707810765ca0c0bf2980465640952512dc28b97ef6863a12c51f5af

SHA512
5abffefc6c66e03ff98583ee231faeae23cdb40a659964e10c9f2f121df8026d5d2c8c345518530f8ca846b9b765ac61c44d9b990f29ecf19d5b9b9e3dfc15b9

Download Submit
C:\Users\Admin\AppData\Roaming\6AEA.E85

Filesize
600B

MD5
5d7d47a41b310d7e448241629e5c6de2

SHA1
498f95fd571091b5cdf11877dd7a6470ac53bdd5

SHA256
484d82bb109c015de2367cffe20d128d78b9bbd68fbd826c115105629a27bb37

SHA512
1bd1634f9c2bec1a69d8234c66731370ba2ae4ad01fb9981489085d3bccca1e7955e30e310473d9f6a2998866fb4ee0d5f299bca330ccdbec053c344b25ea478

Download Submit
C:\Users\Admin\AppData\Roaming\6AEA.E85

Filesize
996B

MD5
76364d284725a4a9e7a2268d1930bf49

SHA1
ad01103564ffa10960947b73c09a7e4617a7dff9

SHA256
3303af867449461f78221cf3120d3ce5a46f415ca07c89bf9af6199031cd23d1

SHA512
9b7db5afcc7b04ed62024ab21b1fa4130aaed5b789b34daeb88f3a967322904aa3371eef089718be9bcdb8ed94d5bb89f38e143c8c3821cb2d5c353655ad2158

Download Submit
memory/2052-80-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2052-82-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2764-1-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2764-2-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2764-15-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2764-188-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3024-14-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3024-13-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing