cycbot | 2b4c2dcfb2dba4f26c2d65f3621e7d123b96815cf8fbf16ccc14a378cd746141

General

Target

JaffaCakes118_4fa395b4f7eabf255edcab9a2c4f35eb.exe
Size

186KB
MD5

4fa395b4f7eabf255edcab9a2c4f35eb
SHA1

86201b60e53229d7276d79df2f9019b240fa443e
SHA256

2b4c2dcfb2dba4f26c2d65f3621e7d123b96815cf8fbf16ccc14a378cd746141
SHA512

526f00971685aacc5742731f68fac61bfd0c955b6658f02abb30aba0da3b008ee90381fc6ce4c259803abaac683e136f48822d22fd2cce0d18e99633eb112736
SSDEEP

3072:WNsG96bd+ahdOcdJubbVs1HcDMChU6m/yZpaqy4fzFBBH/KKrpEGSWZCDzYelsGH:WN1WdlhdOcdJsJs1HcDjcajySznVHSW0

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2808-14-0x0000000000400000-0x0000000000471000-memory.dmp	family_cycbot
behavioral1/memory/2656-15-0x0000000000400000-0x0000000000471000-memory.dmp	family_cycbot
behavioral1/memory/1696-81-0x0000000000400000-0x0000000000471000-memory.dmp	family_cycbot
behavioral1/memory/2656-185-0x0000000000400000-0x0000000000471000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2656-2-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral1/memory/2808-12-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral1/memory/2808-14-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral1/memory/2656-15-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral1/memory/1696-80-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral1/memory/1696-81-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral1/memory/2656-185-0x0000000000400000-0x0000000000471000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4fa395b4f7eabf255edcab9a2c4f35eb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4fa395b4f7eabf255edcab9a2c4f35eb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4fa395b4f7eabf255edcab9a2c4f35eb.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 2808	2656	JaffaCakes118_4fa395b4f7eabf255edcab9a2c4f35eb.exe	30
PID 2656 wrote to memory of 2808	2656	JaffaCakes118_4fa395b4f7eabf255edcab9a2c4f35eb.exe	30
PID 2656 wrote to memory of 2808	2656	JaffaCakes118_4fa395b4f7eabf255edcab9a2c4f35eb.exe	30
PID 2656 wrote to memory of 2808	2656	JaffaCakes118_4fa395b4f7eabf255edcab9a2c4f35eb.exe	30
PID 2656 wrote to memory of 1696	2656	JaffaCakes118_4fa395b4f7eabf255edcab9a2c4f35eb.exe	32
PID 2656 wrote to memory of 1696	2656	JaffaCakes118_4fa395b4f7eabf255edcab9a2c4f35eb.exe	32
PID 2656 wrote to memory of 1696	2656	JaffaCakes118_4fa395b4f7eabf255edcab9a2c4f35eb.exe	32
PID 2656 wrote to memory of 1696	2656	JaffaCakes118_4fa395b4f7eabf255edcab9a2c4f35eb.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4fa395b4f7eabf255edcab9a2c4f35eb.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4fa395b4f7eabf255edcab9a2c4f35eb.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4fa395b4f7eabf255edcab9a2c4f35eb.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4fa395b4f7eabf255edcab9a2c4f35eb.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2808
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4fa395b4f7eabf255edcab9a2c4f35eb.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4fa395b4f7eabf255edcab9a2c4f35eb.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\9E5D.222

Filesize
1KB

MD5
57c1fddf12d5153312a2c772ac5f1cc9

SHA1
168b54989701e55500e63a745841216349910a7b

SHA256
ee99292f2520e8a21d8ae1e680e5653e0a325cc28972c4c79cbf463a2dc34b9e

SHA512
1a316d183ed7c865a1012484d2349464a9177a5672922ecc75b4b1b3bbbe522318e9c18f3e39e7062d689bfda39a0b6e6116d1d93febfa408824b1a4598ff17a

Download Submit
C:\Users\Admin\AppData\Roaming\9E5D.222

Filesize
600B

MD5
3a046847e95dbb1b404559c09c02a4fe

SHA1
e0c0264ce5f2b6af8480e843727880f81d1b0f13

SHA256
2404fdd4655689b67ae9d4316a0ad8aead6cdb1a224e81b96c0fad87510a0602

SHA512
ea14bc78049cf193e5061ff2f78750980d9c0368edb7b93c5275935018b1f435d6ae6d77278f0e08607f5d86a53e766322b0abfab659f2ffebf62f9c4666a75e

Download Submit
C:\Users\Admin\AppData\Roaming\9E5D.222

Filesize
996B

MD5
cbb24e74edc908c28296f3058ed87f5c

SHA1
4a91114baa715005c8e674813039da71d53fea15

SHA256
8b6bcce01ddb17e0b1644af8fb4c70c7ed8dc2b6af538edb862a772ffdb217d5

SHA512
231c3e4c11fae114fb686146d308beb83877e218367ba149c663cbeb7aaa8c926a15654823af13d3d7f7b74173ca9809cb6e7288b7eeee60c152a5cdf6f13fbf

Download Submit
memory/1696-80-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1696-81-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2656-1-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2656-2-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2656-15-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2656-185-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2808-12-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2808-14-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing