cycbot | 1f68755a40128115f0b431efe0a90a6048f86c6bba42862ee55e8081b5c27cf3

General

Target

JaffaCakes118_3cff8414a9d8f8bb8078d59d7031ec11.exe
Size

182KB
MD5

3cff8414a9d8f8bb8078d59d7031ec11
SHA1

81943722851df11e394d5d6e702d2890376a327c
SHA256

1f68755a40128115f0b431efe0a90a6048f86c6bba42862ee55e8081b5c27cf3
SHA512

9a78a224f7f858eb348841077c59518748c416c7b223dfa6ebb398a7751730fd1200ad78349ea4bd17c568d7a311654e4751aefd546967f531b2280caaf8e33c
SSDEEP

3072:SUd1Ce41yxx874cEEqN4B2H/I1FrDQZVZAI9CAJljvH/lv7:XKL1Mxc/t8H/RKIQATT

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2368-13-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/2452-14-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/2332-80-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/2452-125-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2452-2-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2368-12-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2368-13-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2452-14-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2332-77-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2332-80-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2452-125-0x0000000000400000-0x000000000044E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3cff8414a9d8f8bb8078d59d7031ec11.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3cff8414a9d8f8bb8078d59d7031ec11.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3cff8414a9d8f8bb8078d59d7031ec11.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 2368	2452	JaffaCakes118_3cff8414a9d8f8bb8078d59d7031ec11.exe	30
PID 2452 wrote to memory of 2368	2452	JaffaCakes118_3cff8414a9d8f8bb8078d59d7031ec11.exe	30
PID 2452 wrote to memory of 2368	2452	JaffaCakes118_3cff8414a9d8f8bb8078d59d7031ec11.exe	30
PID 2452 wrote to memory of 2368	2452	JaffaCakes118_3cff8414a9d8f8bb8078d59d7031ec11.exe	30
PID 2452 wrote to memory of 2332	2452	JaffaCakes118_3cff8414a9d8f8bb8078d59d7031ec11.exe	32
PID 2452 wrote to memory of 2332	2452	JaffaCakes118_3cff8414a9d8f8bb8078d59d7031ec11.exe	32
PID 2452 wrote to memory of 2332	2452	JaffaCakes118_3cff8414a9d8f8bb8078d59d7031ec11.exe	32
PID 2452 wrote to memory of 2332	2452	JaffaCakes118_3cff8414a9d8f8bb8078d59d7031ec11.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3cff8414a9d8f8bb8078d59d7031ec11.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3cff8414a9d8f8bb8078d59d7031ec11.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3cff8414a9d8f8bb8078d59d7031ec11.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3cff8414a9d8f8bb8078d59d7031ec11.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2368
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3cff8414a9d8f8bb8078d59d7031ec11.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3cff8414a9d8f8bb8078d59d7031ec11.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\4BDB.F4E

Filesize
600B

MD5
a3083f3e5762ed680a76fe0936500510

SHA1
01505bca4bd3da5a01c7f7c6abb0fd18ea51ddbb

SHA256
e7eec75814c20384d69044d51f1fb39805e050fba720945a35180c3e34a97925

SHA512
24e377003453a1630b40dfbd09e928c8d4bb816babe935aee24ee9a234ee43f741d471ebb593b02e9d079b6ced2a4610348a096f265e9629c8f515c0fe9837f5

Download Submit
C:\Users\Admin\AppData\Roaming\4BDB.F4E

Filesize
996B

MD5
1ed2d1994768027b3fabbf55c1c9684c

SHA1
ba64e54a3cd0311199fa312bad826986b3d9634f

SHA256
513c9f8e84180c3b3c437ed3141b02ddb87e935d7813681eee726b6ed00a5014

SHA512
ece46a2c33215e6905c80efdca30ecdfb5c6ebddbd7686afe2090fa0607213478f83e843cbcb5c5d8758b8544eaed57318d1f2ee28ec7b7b7772adb3b51a39f5

Download Submit
C:\Users\Admin\AppData\Roaming\4BDB.F4E

Filesize
1KB

MD5
cf5ea79084a0f9b141b1501be9b6bc91

SHA1
e09bc63cae844e7e267f9bb7fb4c203da297835c

SHA256
f497014869822ac04b958017694a8f232f559b18b40254d9aca89c2ed6a195e8

SHA512
be3f3254a74e6097a6c7401de47e540ec3cf2918e7df5a4353a99f82b5f645416102889e6d44a2a9802bbe4f92afb3fd61682f6c09dfe215b806bbb713f8ab1b

Download Submit
memory/2332-77-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2332-80-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2368-12-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2368-13-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2452-1-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2452-2-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2452-14-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2452-125-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing