cycbot | 4ea6847072997dfeec7065db49399d984fda52c7d0945ce5d862fad04d2fd9d3

General

Target

JaffaCakes118_3287ca6ceecdae104c573da0f7efc1f5.exe
Size

208KB
MD5

3287ca6ceecdae104c573da0f7efc1f5
SHA1

f2fa2bacfcca62711333bdabb5024779e1f7b8cf
SHA256

4ea6847072997dfeec7065db49399d984fda52c7d0945ce5d862fad04d2fd9d3
SHA512

10cb438349c216aa725aff2eafb656fcadec1b9b809584465f95133a07eb9abb2e88b6e0a0fce3a978a7a4a3b3f889e26eb083a2edaddb6eb2555d630fcd3b4a
SSDEEP

3072:qsIbkttKFHyFeKLUVGGKusRLsLHahgKNJXtnuwrcemxkr186pGJ6PIsjCuuj2HyV:FViHue/DJELSa3HtnuwXkXAijGbjl8V

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2688-6-0x0000000000400000-0x000000000044D000-memory.dmp	family_cycbot
behavioral1/memory/2744-14-0x0000000000400000-0x000000000044D000-memory.dmp	family_cycbot
behavioral1/memory/2928-83-0x0000000000400000-0x000000000044D000-memory.dmp	family_cycbot
behavioral1/memory/2744-181-0x0000000000400000-0x000000000044D000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2744-2-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/2688-5-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/2688-6-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/2744-14-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/2928-83-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/2744-181-0x0000000000400000-0x000000000044D000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3287ca6ceecdae104c573da0f7efc1f5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3287ca6ceecdae104c573da0f7efc1f5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3287ca6ceecdae104c573da0f7efc1f5.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 2688	2744	JaffaCakes118_3287ca6ceecdae104c573da0f7efc1f5.exe	31
PID 2744 wrote to memory of 2688	2744	JaffaCakes118_3287ca6ceecdae104c573da0f7efc1f5.exe	31
PID 2744 wrote to memory of 2688	2744	JaffaCakes118_3287ca6ceecdae104c573da0f7efc1f5.exe	31
PID 2744 wrote to memory of 2688	2744	JaffaCakes118_3287ca6ceecdae104c573da0f7efc1f5.exe	31
PID 2744 wrote to memory of 2928	2744	JaffaCakes118_3287ca6ceecdae104c573da0f7efc1f5.exe	33
PID 2744 wrote to memory of 2928	2744	JaffaCakes118_3287ca6ceecdae104c573da0f7efc1f5.exe	33
PID 2744 wrote to memory of 2928	2744	JaffaCakes118_3287ca6ceecdae104c573da0f7efc1f5.exe	33
PID 2744 wrote to memory of 2928	2744	JaffaCakes118_3287ca6ceecdae104c573da0f7efc1f5.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3287ca6ceecdae104c573da0f7efc1f5.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3287ca6ceecdae104c573da0f7efc1f5.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3287ca6ceecdae104c573da0f7efc1f5.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3287ca6ceecdae104c573da0f7efc1f5.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2688
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3287ca6ceecdae104c573da0f7efc1f5.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3287ca6ceecdae104c573da0f7efc1f5.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\A216.3BF

Filesize
1KB

MD5
cd792437baa3f8c906363725baca8191

SHA1
21e88f35c1988f3c8b200cd53c26354ff7e65915

SHA256
4b3410a2588dd1d220dfd3a63dc411a5edeedeaff8d0c3d626a9807435daf23c

SHA512
78da3f98769948da68c4906d9d487b106da99e35756515e833487a1921daaa261cbb0f771c3135b6292b9c80ddb92b57f57eaacd571268e049377175eed43f92

Download Submit
C:\Users\Admin\AppData\Roaming\A216.3BF

Filesize
600B

MD5
1861eaa3bfef6a5f15b703fc91ae92f1

SHA1
33d2aac6e6521a0ac9bc54d228db0d88bf882e10

SHA256
fb3884cc3ab9a8d463c60067e8744aaa1ddd3192b5a9392102e7dd62f2483970

SHA512
191c36a506a04b1a0c89383c86e4c5793463fe334dd0e301de554834bbf438511a1fe12aeb46cf4eaf303a0dc3a61b7531c22ac4bd4b64b9d09a851278175c3c

Download Submit
C:\Users\Admin\AppData\Roaming\A216.3BF

Filesize
996B

MD5
0909de31c5fc654233ae320a6a1d27d0

SHA1
26d8109333e197ad9e1cdb431ca2b19a8ba11c2e

SHA256
37f223e782d81c772f38ce9742243c4de170ee0de8be4da678517526c0b8231b

SHA512
613738fe162f8518c18e2ff3aee27dc9698f5aaa9f3cb4ec88852e9bc5453523d34931d257f23adfe6c177b9883d31f2f0953c03366a4ccc2c3954bb4f9d21db

Download Submit
memory/2688-5-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2688-6-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2744-1-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2744-2-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2744-14-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2744-181-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2928-83-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download

Analysis

Sharing