cycbot | 6ea4f3e71b83f6c6dcaf84b8d628ffe51c83ed17b66bea2807bae60bc08cb630

General

Target

JaffaCakes118_4a762d202e32f366c77523604120df7b.exe
Size

178KB
MD5

4a762d202e32f366c77523604120df7b
SHA1

6ed198914478446eee2053a6ff92bb225e101a55
SHA256

6ea4f3e71b83f6c6dcaf84b8d628ffe51c83ed17b66bea2807bae60bc08cb630
SHA512

204d5eb249cb97d7cb3095b289f55e13496db05d22d22ccda3ee661ab14757f0adb9ad67cba2250c3cf480f6c78a43a8992fbb83964d1d8583e2b0041a45c231
SSDEEP

3072:6RVdPpjP1C8U8lGx/I1nMqcCS3Je2EtniT922oQVFqxgDMlCY:kZpJDd0X33SiT922oWYxgD4

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1632-9-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/2984-14-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/2044-85-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/2984-202-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2984-1-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1632-8-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1632-9-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2984-14-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2044-84-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2044-85-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2984-202-0x0000000000400000-0x000000000046C000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4a762d202e32f366c77523604120df7b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4a762d202e32f366c77523604120df7b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4a762d202e32f366c77523604120df7b.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 1632	2984	JaffaCakes118_4a762d202e32f366c77523604120df7b.exe	30
PID 2984 wrote to memory of 1632	2984	JaffaCakes118_4a762d202e32f366c77523604120df7b.exe	30
PID 2984 wrote to memory of 1632	2984	JaffaCakes118_4a762d202e32f366c77523604120df7b.exe	30
PID 2984 wrote to memory of 1632	2984	JaffaCakes118_4a762d202e32f366c77523604120df7b.exe	30
PID 2984 wrote to memory of 2044	2984	JaffaCakes118_4a762d202e32f366c77523604120df7b.exe	33
PID 2984 wrote to memory of 2044	2984	JaffaCakes118_4a762d202e32f366c77523604120df7b.exe	33
PID 2984 wrote to memory of 2044	2984	JaffaCakes118_4a762d202e32f366c77523604120df7b.exe	33
PID 2984 wrote to memory of 2044	2984	JaffaCakes118_4a762d202e32f366c77523604120df7b.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4a762d202e32f366c77523604120df7b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4a762d202e32f366c77523604120df7b.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4a762d202e32f366c77523604120df7b.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4a762d202e32f366c77523604120df7b.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1632
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4a762d202e32f366c77523604120df7b.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4a762d202e32f366c77523604120df7b.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\BB22.045

Filesize
600B

MD5
2354cd65289e87b87688484f8f5b4c63

SHA1
dccfb5fe8ab25a4d9b0c3d424d182cb1d918ae71

SHA256
9b0db2d1f98acefc23d82f01c8acac99e7c228f580fd2bece331b8eccb0d02f0

SHA512
83512ef01b376ffe9e8b27f32c16bcd7730c319fbf2c300f76459adf9a91620cb4ada74db07dd3d5a9053f73bb2e25e4dbdec27e8d101dc10b710b5020c71998

Download Submit
C:\Users\Admin\AppData\Roaming\BB22.045

Filesize
1KB

MD5
85d790aac98dd37a1e75b0325ad93fc3

SHA1
915180601b25c9ba040f21f57089abb1630a6672

SHA256
39c517ea0502c885d9d0ad062adf17819803bcb96d1e6e51e545b318bc8ee5fb

SHA512
176e513d5f60354bc4a590633760cdb486d8dff36aa28fcc593301814e8c26213413c143c730633f8b1ea3b522f7180a9f8c46f705cff0e2aa54479e1a0fe96d

Download Submit
C:\Users\Admin\AppData\Roaming\BB22.045

Filesize
996B

MD5
97ac3781739e84b81f6bb0f4e579a468

SHA1
f0bb1892d80220034bc0756904657bd278b955ac

SHA256
260080ce7b0740d0f91cc3e6a188c54efdb7b8ba3b62c78c54a09a3f766e432d

SHA512
432fc03d877f375bc7f586d32a18c246e5aa8e588fdd2ded991a98d3922ba87afc1221087070fb9dd2977d5eacf1196df0192b2f1b2865c3f6bc5ca1760f1a6c

Download Submit
memory/1632-8-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1632-9-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2044-84-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2044-83-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2044-85-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2984-1-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2984-14-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2984-202-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing