cycbot | 4ecb755813a23a0b1d4d172dc7890beb31c8201bd585e6f34f2d2280ac478fee

General

Target

JaffaCakes118_6ae348e7854364850edac14cc13cbd32.exe
Size

164KB
MD5

6ae348e7854364850edac14cc13cbd32
SHA1

1172b4bd95d757708520da587e1d0e49b54beb2b
SHA256

4ecb755813a23a0b1d4d172dc7890beb31c8201bd585e6f34f2d2280ac478fee
SHA512

f21d6f37f9ef521353556b680162fdeee46ac5a385e19d2c4967321129d713692e09266f7f2b11bde809e09cd51e1583e951e45dc754fcbe855d010501756732
SSDEEP

3072:L4urZQ8GkP9rSVL/hGcShwLxJzaBD3M8tTAtc1RhrSHul+muhqbY4ZLDWasu8cT8:EcF5uZ9g8xJIlitc1RhrSHZtwLDlsub

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2524-7-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot
behavioral1/memory/2076-15-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot
behavioral1/memory/1840-82-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot
behavioral1/memory/2076-188-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2076-1-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2524-5-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2524-7-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2076-15-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/1840-80-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/1840-82-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2076-188-0x0000000000400000-0x0000000000468000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6ae348e7854364850edac14cc13cbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6ae348e7854364850edac14cc13cbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6ae348e7854364850edac14cc13cbd32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2524	2076	JaffaCakes118_6ae348e7854364850edac14cc13cbd32.exe	30
PID 2076 wrote to memory of 2524	2076	JaffaCakes118_6ae348e7854364850edac14cc13cbd32.exe	30
PID 2076 wrote to memory of 2524	2076	JaffaCakes118_6ae348e7854364850edac14cc13cbd32.exe	30
PID 2076 wrote to memory of 2524	2076	JaffaCakes118_6ae348e7854364850edac14cc13cbd32.exe	30
PID 2076 wrote to memory of 1840	2076	JaffaCakes118_6ae348e7854364850edac14cc13cbd32.exe	33
PID 2076 wrote to memory of 1840	2076	JaffaCakes118_6ae348e7854364850edac14cc13cbd32.exe	33
PID 2076 wrote to memory of 1840	2076	JaffaCakes118_6ae348e7854364850edac14cc13cbd32.exe	33
PID 2076 wrote to memory of 1840	2076	JaffaCakes118_6ae348e7854364850edac14cc13cbd32.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6ae348e7854364850edac14cc13cbd32.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6ae348e7854364850edac14cc13cbd32.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6ae348e7854364850edac14cc13cbd32.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6ae348e7854364850edac14cc13cbd32.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2524
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6ae348e7854364850edac14cc13cbd32.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6ae348e7854364850edac14cc13cbd32.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\51E9.DF3

Filesize
1KB

MD5
23caa98143aa5fcf68185e3d68e30650

SHA1
34cc9dfca7cc0c0b353b15194ba60354ecbc0ad1

SHA256
4762edbc0ad2bd9fc5a72d236c0fc60d8045a60e3db18845355d9ba423e64ee8

SHA512
06a903894f4ba714b093838805d57cda0b290a3d2d499505a28c6a3f126afa96ab5ccaa19e23edcc29d5cf4ff1a8630826901fdf93171253a4240f183627993f

Download Submit
C:\Users\Admin\AppData\Roaming\51E9.DF3

Filesize
600B

MD5
57c9f77e51297db46f1dfef68cb96cdf

SHA1
3eefbb8e6daad6b3cffc01bf8115b7669c5cf9a0

SHA256
472af376f534f5a6ba77433322a21bd3408bcab593383402f0ff0f50dea9889b

SHA512
760d59d36015fc53a870ae8f6580f92a21020bd700a7bbbea7d298a357ffbb3010528deda11e3940d78be24c58371a1bcda7f1bb54e9d871dc5f3e1c5c3b78f7

Download Submit
C:\Users\Admin\AppData\Roaming\51E9.DF3

Filesize
996B

MD5
958b97cacb169c2876e9e1abd0f90903

SHA1
9cad25d4f757f3cd0a1673857c14d792c0077746

SHA256
312ac15a7f4ace9010e4a937e53b7a67aa6bd418994fa48e24e60031bc8155a7

SHA512
9e96cd4b542013ff5439bb3cece4bfc8d13af62c02e844d48da409adea403d784500477980cddec412cb29739437f04ec1b377cc8955ee07d8fad59dd2d3eb27

Download Submit
memory/1840-80-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1840-82-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2076-1-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2076-15-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2076-188-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2524-4-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2524-5-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2524-7-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing