cycbot | aa8cccc49dba224f73fe18ae068248919eea80e7819ef670f4a528eeefe65456

General

Target

JaffaCakes118_6129b4d7ce88e1ab364f8c4b70674c64.exe
Size

199KB
MD5

6129b4d7ce88e1ab364f8c4b70674c64
SHA1

a366de5a915edd38b8aa13736f7e1d7814586dab
SHA256

aa8cccc49dba224f73fe18ae068248919eea80e7819ef670f4a528eeefe65456
SHA512

9016b78c6b7e08ddd3bac7c0111d9b8550bcac0c3851d0d7ecfa77d18ef5248e2445aa1f8d3e909c9c24af7cbc613a87d2467c821005f5185ad7943844a40c64
SSDEEP

6144:gO9ODXnHKR5mXwDTuZUdOfYv7u7Z3eG1CuS8j7y:T9Aa5mgDTuZUMfeKwOj+

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2756-6-0x0000000000400000-0x0000000000449000-memory.dmp	family_cycbot
behavioral1/memory/2160-14-0x0000000000400000-0x0000000000449000-memory.dmp	family_cycbot
behavioral1/memory/1096-82-0x0000000000400000-0x0000000000449000-memory.dmp	family_cycbot
behavioral1/memory/2160-189-0x0000000000400000-0x0000000000449000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2160-2-0x0000000000400000-0x0000000000449000-memory.dmp	upx
behavioral1/memory/2756-5-0x0000000000400000-0x0000000000449000-memory.dmp	upx
behavioral1/memory/2756-6-0x0000000000400000-0x0000000000449000-memory.dmp	upx
behavioral1/memory/2160-14-0x0000000000400000-0x0000000000449000-memory.dmp	upx
behavioral1/memory/1096-81-0x0000000000400000-0x0000000000449000-memory.dmp	upx
behavioral1/memory/1096-82-0x0000000000400000-0x0000000000449000-memory.dmp	upx
behavioral1/memory/2160-189-0x0000000000400000-0x0000000000449000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6129b4d7ce88e1ab364f8c4b70674c64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6129b4d7ce88e1ab364f8c4b70674c64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6129b4d7ce88e1ab364f8c4b70674c64.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 2756	2160	JaffaCakes118_6129b4d7ce88e1ab364f8c4b70674c64.exe	30
PID 2160 wrote to memory of 2756	2160	JaffaCakes118_6129b4d7ce88e1ab364f8c4b70674c64.exe	30
PID 2160 wrote to memory of 2756	2160	JaffaCakes118_6129b4d7ce88e1ab364f8c4b70674c64.exe	30
PID 2160 wrote to memory of 2756	2160	JaffaCakes118_6129b4d7ce88e1ab364f8c4b70674c64.exe	30
PID 2160 wrote to memory of 1096	2160	JaffaCakes118_6129b4d7ce88e1ab364f8c4b70674c64.exe	32
PID 2160 wrote to memory of 1096	2160	JaffaCakes118_6129b4d7ce88e1ab364f8c4b70674c64.exe	32
PID 2160 wrote to memory of 1096	2160	JaffaCakes118_6129b4d7ce88e1ab364f8c4b70674c64.exe	32
PID 2160 wrote to memory of 1096	2160	JaffaCakes118_6129b4d7ce88e1ab364f8c4b70674c64.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6129b4d7ce88e1ab364f8c4b70674c64.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6129b4d7ce88e1ab364f8c4b70674c64.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6129b4d7ce88e1ab364f8c4b70674c64.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6129b4d7ce88e1ab364f8c4b70674c64.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2756
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6129b4d7ce88e1ab364f8c4b70674c64.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6129b4d7ce88e1ab364f8c4b70674c64.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\A59C.BBE

Filesize
1KB

MD5
f2cd5583f2a5ac74873e01473d777c71

SHA1
00f6da8e997b9a94617e3693a9079d375a9ca99b

SHA256
af9b2b4f937c5d845703fb53d2f464d79ccec776c1828d2090742253dd53450f

SHA512
949225c3ee2f91b05c05a79b33f3f48836fee04994a53d5234939cae8eb302bea7251d0692a8f48341195454b25c1d5b70cb5ce323fd9301106aa76ac5ddd6e4

Download Submit
C:\Users\Admin\AppData\Roaming\A59C.BBE

Filesize
600B

MD5
d54645b7768a242c049f81db97ed8b2c

SHA1
ea38bd4d6246a0836a21f6475c11be05d7418991

SHA256
2a089de9a585e22cdeb464c0b701376a80a76bf252637cc10690cd83b46873c9

SHA512
592b4ba3e4a44671b831127a174d869f9858519347c04ea92e07d45580c77a0d5ea8a1e0fa236a0bb579f63ec17d6a7264d7491c1e5ae2358044c07703555d28

Download Submit
C:\Users\Admin\AppData\Roaming\A59C.BBE

Filesize
996B

MD5
ef4d4c9ddc1a3e95350adcad734f384c

SHA1
ff0c82569329cb7c9213d48d7c06566626d3af9d

SHA256
d2177e685bbc3f28fcbfb69c53a0b78350a841d934f72850e3d9787c0f3e6d45

SHA512
ae85be0ed79d81c27ff49a7046db8bafff33d378ce7f3dbb1f070cfd68ea9ff2f4288c027584496ddd958855a7a1d82b31413708dedb788407819b2b7fc83631

Download Submit
memory/1096-81-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1096-82-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2160-1-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2160-2-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2160-14-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2160-189-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2756-5-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2756-6-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download

Analysis

Sharing