cycbot | a4580a57891368aaacdfd05cd974f598d4b53efaf9e026f73e997bfcb75099ca

General

Target

JaffaCakes118_42ef2a4aad043117da75041fd50f6959.exe
Size

212KB
MD5

42ef2a4aad043117da75041fd50f6959
SHA1

3dab976c7b911f26c900ddea2b437002c606c8ed
SHA256

a4580a57891368aaacdfd05cd974f598d4b53efaf9e026f73e997bfcb75099ca
SHA512

5e8997f63a912e21e33ad7489397cd43409065463a373db2d4ab3971a64c670b99f1f9484863ee93be04dcd1d1b331f0bc86a91e34e2411a2eff0d1f1bc9b735
SSDEEP

6144:nLMOdSe0hCAqxcQm63mu3JAfys1QAv//3Ub5JJ:oO30hBqyQmG327XUbJ

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2760-6-0x0000000000400000-0x000000000044F000-memory.dmp	family_cycbot
behavioral1/memory/2280-14-0x0000000000400000-0x000000000044F000-memory.dmp	family_cycbot
behavioral1/memory/2240-77-0x0000000000400000-0x000000000044F000-memory.dmp	family_cycbot
behavioral1/memory/2280-184-0x0000000000400000-0x000000000044F000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2280-2-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2760-5-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2760-6-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2280-14-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2240-76-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2240-77-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2280-184-0x0000000000400000-0x000000000044F000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_42ef2a4aad043117da75041fd50f6959.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_42ef2a4aad043117da75041fd50f6959.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_42ef2a4aad043117da75041fd50f6959.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2760	2280	JaffaCakes118_42ef2a4aad043117da75041fd50f6959.exe	30
PID 2280 wrote to memory of 2760	2280	JaffaCakes118_42ef2a4aad043117da75041fd50f6959.exe	30
PID 2280 wrote to memory of 2760	2280	JaffaCakes118_42ef2a4aad043117da75041fd50f6959.exe	30
PID 2280 wrote to memory of 2760	2280	JaffaCakes118_42ef2a4aad043117da75041fd50f6959.exe	30
PID 2280 wrote to memory of 2240	2280	JaffaCakes118_42ef2a4aad043117da75041fd50f6959.exe	32
PID 2280 wrote to memory of 2240	2280	JaffaCakes118_42ef2a4aad043117da75041fd50f6959.exe	32
PID 2280 wrote to memory of 2240	2280	JaffaCakes118_42ef2a4aad043117da75041fd50f6959.exe	32
PID 2280 wrote to memory of 2240	2280	JaffaCakes118_42ef2a4aad043117da75041fd50f6959.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_42ef2a4aad043117da75041fd50f6959.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_42ef2a4aad043117da75041fd50f6959.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_42ef2a4aad043117da75041fd50f6959.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_42ef2a4aad043117da75041fd50f6959.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2760
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_42ef2a4aad043117da75041fd50f6959.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_42ef2a4aad043117da75041fd50f6959.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\E3DB.D71

Filesize
1KB

MD5
15724d3516a71fe5778bdeba948948be

SHA1
3202960e4b75b0ddad8ad5a768a0fca31e5d7f3b

SHA256
67852e8ff55302bde6d160898f4b2bd93114f68596db2de74552ebdd2a787932

SHA512
00657792b4f443368ba5bc3d3d80d64343a733ca6a78701cba61bfc814acf5376413dcd1e9dc2edc590b83402393bd36562183ccc671582e0e87c007f4bfc116

Download Submit
C:\Users\Admin\AppData\Roaming\E3DB.D71

Filesize
600B

MD5
65d5890e63777e7e9f894fa1acac585d

SHA1
17e944c47959eccf047edb57a8094f10ba2885e7

SHA256
d31d480b02bb24298295fab2ed86a698ceb6758f2288fe999179053074536ed9

SHA512
0de6afa7c77b889c0f4b37150380ed80ef6ca39249baca7e17e23ab16ddd39a74394d7238fd375291bf7640efb8dd060dedae699fd006f0a30a9146a32c12be0

Download Submit
C:\Users\Admin\AppData\Roaming\E3DB.D71

Filesize
996B

MD5
43864260bd54fd815cf4b1d8ac80db3a

SHA1
dca39d867331048588769fb059861e87d4f15b59

SHA256
1868cd2e41608661d10b92f3033525faf7a1ad0ba5f1d6c0ab99c941373af279

SHA512
ce80d9aec30908b5a4546ca08df88cf2caba47420ad79e1d43cb44cb830c9fb7a0ce83e46785fb2bddf23b1d9ce6f0f00f47e40cfe35c98597b53e8146b8110c

Download Submit
memory/2240-76-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2240-77-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2280-1-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2280-2-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2280-14-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2280-184-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2760-5-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2760-6-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download

Analysis

Sharing