cycbot | 4bfd840dd225f9a35db2f86016baed211aa7143d966ef6bc309c549722eb97d0

General

Target

JaffaCakes118_6d9479cec76910f9f2ee6ce7d1ef7ad8.exe
Size

177KB
MD5

6d9479cec76910f9f2ee6ce7d1ef7ad8
SHA1

24ff9622ffd6052a433c8d9018fff7f28d75e69b
SHA256

4bfd840dd225f9a35db2f86016baed211aa7143d966ef6bc309c549722eb97d0
SHA512

334fcd05182620d2603d309e35e84166b4ed38c1ced304acab9447335ba61a250a4b7ab65fea1653c0c2e1745f2ef420296f5a10806277440c59789118c673ba
SSDEEP

3072:ZxL0ksG5gARjRaVo2Xm6IXIJAONZJPt6EL9nKqXuJr5ZeMgeGAKNxPm7l:xs0RYVo2QXIbJPtbgJVZeMgeGAK7m7l

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1892-6-0x0000000000400000-0x0000000000463000-memory.dmp	family_cycbot
behavioral1/memory/1872-13-0x0000000000400000-0x0000000000463000-memory.dmp	family_cycbot
behavioral1/memory/2892-81-0x0000000000400000-0x0000000000463000-memory.dmp	family_cycbot
behavioral1/memory/1872-169-0x0000000000400000-0x0000000000463000-memory.dmp	family_cycbot
behavioral1/memory/1872-206-0x0000000000400000-0x0000000000463000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1872-2-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1892-5-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1892-6-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1872-13-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2892-81-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1872-169-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1872-206-0x0000000000400000-0x0000000000463000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6d9479cec76910f9f2ee6ce7d1ef7ad8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6d9479cec76910f9f2ee6ce7d1ef7ad8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6d9479cec76910f9f2ee6ce7d1ef7ad8.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 1892	1872	JaffaCakes118_6d9479cec76910f9f2ee6ce7d1ef7ad8.exe	28
PID 1872 wrote to memory of 1892	1872	JaffaCakes118_6d9479cec76910f9f2ee6ce7d1ef7ad8.exe	28
PID 1872 wrote to memory of 1892	1872	JaffaCakes118_6d9479cec76910f9f2ee6ce7d1ef7ad8.exe	28
PID 1872 wrote to memory of 1892	1872	JaffaCakes118_6d9479cec76910f9f2ee6ce7d1ef7ad8.exe	28
PID 1872 wrote to memory of 2892	1872	JaffaCakes118_6d9479cec76910f9f2ee6ce7d1ef7ad8.exe	30
PID 1872 wrote to memory of 2892	1872	JaffaCakes118_6d9479cec76910f9f2ee6ce7d1ef7ad8.exe	30
PID 1872 wrote to memory of 2892	1872	JaffaCakes118_6d9479cec76910f9f2ee6ce7d1ef7ad8.exe	30
PID 1872 wrote to memory of 2892	1872	JaffaCakes118_6d9479cec76910f9f2ee6ce7d1ef7ad8.exe	30

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d9479cec76910f9f2ee6ce7d1ef7ad8.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d9479cec76910f9f2ee6ce7d1ef7ad8.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d9479cec76910f9f2ee6ce7d1ef7ad8.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d9479cec76910f9f2ee6ce7d1ef7ad8.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1892
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d9479cec76910f9f2ee6ce7d1ef7ad8.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d9479cec76910f9f2ee6ce7d1ef7ad8.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\74F2.AD6

Filesize
1KB

MD5
24707f16e3644113d66a9f4dc37b3974

SHA1
e85e0464093e7d5e67761533c80a9e955206ad95

SHA256
886e64ab90ed047fa5f281603d1687f9310d3b33bfc0521fd7148500f8beec9d

SHA512
378dea0ff47615ebc479f92a9c011b86caa70027d9592d9ef1beb3071b1b08cb8fa926c070af807d50e4959006a4ca2aec7f5441764931a4f12766f51d16f55d

Download Submit
C:\Users\Admin\AppData\Roaming\74F2.AD6

Filesize
600B

MD5
c2a0a4d2813a03d2d2d8211bdd7d8537

SHA1
244e09c76b630e2f74b874bb6fa1f1cb8000561f

SHA256
ee976e9c58f3cddf412a7457d2e8782b70edf3a1ce68b7da24f341c94e21f2da

SHA512
9e410631eb13acca2e99776ca3758d7f60b50a748e7704d2328bbe2bd379e0eb0d19621a04c3af905b7b1861208b7dfc112f48fc78a188defe5703427d724136

Download Submit
C:\Users\Admin\AppData\Roaming\74F2.AD6

Filesize
996B

MD5
a6d02ef8af4b1fe01c58fe3cca658b6e

SHA1
b6321d5984c216b01b305d292d9a47218697510b

SHA256
3e576bce0b11c7b0d29d53b964359f64b7dd8909aeddcd17e577521c4e108e48

SHA512
2450e25343e1b7ca9ada7f0634a20402460d4c9fb1c50f2387613f51a1a16c08b39018f5133fe16e9a41741ded2287bc976b3d8b3e08c3e9460e6d8d5572d8aa

Download Submit
memory/1872-1-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1872-2-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1872-13-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1872-169-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1872-206-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1892-5-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1892-6-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2892-81-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download

Analysis

Sharing