cycbot | 78b30537960636d7670ad548ecca677bf3c12fe70013c67b7c75380af94f7b58

General

Target

JaffaCakes118_5c029eafa1bf0d194e908a3f0c15e492.exe
Size

192KB
MD5

5c029eafa1bf0d194e908a3f0c15e492
SHA1

f9d358fccd989959292efc0132b3d8f1756c5436
SHA256

78b30537960636d7670ad548ecca677bf3c12fe70013c67b7c75380af94f7b58
SHA512

e9fbe5e883b46eb9e16677e1c8b0997a7e1ce7bbc4cfaecb14a9141c7eca76bab891a14de0605f914d935f8492d01e2bbe66aad83bb5f6e192a73e664f85d211
SSDEEP

6144:aLay5o6ySxhl6zT5JR3jtW6MP6/zhBB4g5A3:yTQyhlw5JR3jtySFB5A3

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/780-13-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/780-14-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/2792-15-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/2116-83-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/2116-85-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/2792-187-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2792-2-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/780-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/780-12-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/780-14-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2792-15-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2116-83-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2116-85-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2792-187-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5c029eafa1bf0d194e908a3f0c15e492.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5c029eafa1bf0d194e908a3f0c15e492.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5c029eafa1bf0d194e908a3f0c15e492.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 780	2792	JaffaCakes118_5c029eafa1bf0d194e908a3f0c15e492.exe	29
PID 2792 wrote to memory of 780	2792	JaffaCakes118_5c029eafa1bf0d194e908a3f0c15e492.exe	29
PID 2792 wrote to memory of 780	2792	JaffaCakes118_5c029eafa1bf0d194e908a3f0c15e492.exe	29
PID 2792 wrote to memory of 780	2792	JaffaCakes118_5c029eafa1bf0d194e908a3f0c15e492.exe	29
PID 2792 wrote to memory of 2116	2792	JaffaCakes118_5c029eafa1bf0d194e908a3f0c15e492.exe	31
PID 2792 wrote to memory of 2116	2792	JaffaCakes118_5c029eafa1bf0d194e908a3f0c15e492.exe	31
PID 2792 wrote to memory of 2116	2792	JaffaCakes118_5c029eafa1bf0d194e908a3f0c15e492.exe	31
PID 2792 wrote to memory of 2116	2792	JaffaCakes118_5c029eafa1bf0d194e908a3f0c15e492.exe	31

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c029eafa1bf0d194e908a3f0c15e492.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c029eafa1bf0d194e908a3f0c15e492.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c029eafa1bf0d194e908a3f0c15e492.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c029eafa1bf0d194e908a3f0c15e492.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:780
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c029eafa1bf0d194e908a3f0c15e492.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c029eafa1bf0d194e908a3f0c15e492.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\B84C.734

Filesize
1KB

MD5
101d46ed6300d6dad2126fef034366c9

SHA1
751eae16cb6ee89af3c8cc04905b2888a9adbc21

SHA256
3b33a694f898c425fbb5932da0678c3a70ed32d00c0c60907c85ed1aee2654b1

SHA512
4ca0e07db534763aef170e57400c2cc818f6858607159594011664049c225bab221f5f3cde265ae48aecbf52696de6b5a1edb0250aed428178c5937f7190e89c

Download Submit
C:\Users\Admin\AppData\Roaming\B84C.734

Filesize
600B

MD5
c7d7b1219fb48b840d932e6c2cd191fe

SHA1
f3d60e160fa0c2584525130e627c23c7a694457b

SHA256
1c9a9bf8784282840bd45b35d5593dbba089ff9f9574a4e11df2b5f4fb3e04ff

SHA512
176b4403a92d59cb77c71dc9f3fdf9ac7382856f25eb65e54aeee59587db4badb904051ac8e7c83240892cbfb67c0fd7ad49691263325d373ca9d5cb12f202a5

Download Submit
C:\Users\Admin\AppData\Roaming\B84C.734

Filesize
996B

MD5
a490236ee7224fa8ed410ace08c9e23e

SHA1
b66830dd7d15a8badb4fbb10221c1fc3298ca6d1

SHA256
17d97903192fcbb81596186ccf5b75dab86971b423a3b43bea0d95e77d01d5a8

SHA512
e741bb9f0f6a99403fef74a639a7b5807cad1668b9f72b45de2b6cf77cabba3cf6e6168c65042b417b4b7ceeefc48eb8548f461d57bab51abdbd17508508fffc

Download Submit
memory/780-12-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/780-14-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/780-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2116-83-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2116-82-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2116-85-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2792-15-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2792-1-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2792-2-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2792-187-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing