cycbot | 4ea6d62094747ebde70ada63f90a317a8073776ed26f0c6373d19c49cee65463

General

Target

JaffaCakes118_6e8f7aeef56207be6abdd96b571ff575.exe
Size

211KB
MD5

6e8f7aeef56207be6abdd96b571ff575
SHA1

1af7bfa7cd47be565de3db92ae18d185c0bb5739
SHA256

4ea6d62094747ebde70ada63f90a317a8073776ed26f0c6373d19c49cee65463
SHA512

91702413c1fc7d8356b9cf82bfc14e0f5f8b1f5c518c291b98a4c82864f2b482bb8ad18bd65275aaf1636d5fea14539a85d6bedaa75927896dbd4d1f8e220719
SSDEEP

6144:h/Z20OehgB6ku3Ci1TwgcaQAEtz1VMZp:h/ZU6auNQZtz1

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1796-5-0x0000000000400000-0x000000000044F000-memory.dmp	family_cycbot
behavioral1/memory/1796-7-0x0000000000400000-0x000000000044F000-memory.dmp	family_cycbot
behavioral1/memory/2004-15-0x0000000000400000-0x000000000044F000-memory.dmp	family_cycbot
behavioral1/memory/1048-82-0x0000000000400000-0x000000000044F000-memory.dmp	family_cycbot
behavioral1/memory/2004-193-0x0000000000400000-0x000000000044F000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2004-2-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/1796-5-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/1796-7-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2004-15-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/1048-82-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/1048-80-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2004-193-0x0000000000400000-0x000000000044F000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6e8f7aeef56207be6abdd96b571ff575.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6e8f7aeef56207be6abdd96b571ff575.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6e8f7aeef56207be6abdd96b571ff575.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 1796	2004	JaffaCakes118_6e8f7aeef56207be6abdd96b571ff575.exe	30
PID 2004 wrote to memory of 1796	2004	JaffaCakes118_6e8f7aeef56207be6abdd96b571ff575.exe	30
PID 2004 wrote to memory of 1796	2004	JaffaCakes118_6e8f7aeef56207be6abdd96b571ff575.exe	30
PID 2004 wrote to memory of 1796	2004	JaffaCakes118_6e8f7aeef56207be6abdd96b571ff575.exe	30
PID 2004 wrote to memory of 1048	2004	JaffaCakes118_6e8f7aeef56207be6abdd96b571ff575.exe	33
PID 2004 wrote to memory of 1048	2004	JaffaCakes118_6e8f7aeef56207be6abdd96b571ff575.exe	33
PID 2004 wrote to memory of 1048	2004	JaffaCakes118_6e8f7aeef56207be6abdd96b571ff575.exe	33
PID 2004 wrote to memory of 1048	2004	JaffaCakes118_6e8f7aeef56207be6abdd96b571ff575.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6e8f7aeef56207be6abdd96b571ff575.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6e8f7aeef56207be6abdd96b571ff575.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6e8f7aeef56207be6abdd96b571ff575.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6e8f7aeef56207be6abdd96b571ff575.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1796
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6e8f7aeef56207be6abdd96b571ff575.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6e8f7aeef56207be6abdd96b571ff575.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\0D72.0CC

Filesize
1KB

MD5
c9d0112db9a1e1ec2fc4062a1b9c9d71

SHA1
1b8543be95771b088ed3b2e8b50ba5de1a63e977

SHA256
99e7b5bee21ac05b6332aa51180762fe2390b2b175af82edab3f94174ecbeaa4

SHA512
073b417675968a95e0a6605d1fb26ab777f2cf372aba331fb62290a03b79b28fde13bdb3ebdd62bbd7b6232b8cde62a9206f4763bdc5e64a632233df2c76bbd6

Download Submit
C:\Users\Admin\AppData\Roaming\0D72.0CC

Filesize
1KB

MD5
350655f2255215436aeeabc68c0e3a99

SHA1
5d1c056bbb5bb1b5a43e8e74c13343c8b3275d59

SHA256
37a514d85e85a19199760b30572bb9f4000da4fbe70f668d187bbd4be97c342a

SHA512
41f1ced7ed140ff1747e25444f37e985d4ac922d4aa8b819f82f69dcb7b338089cc9f498813e20093feaa9c3ab34174849e704aa0bd8c5de7fba79f536e83f32

Download Submit
C:\Users\Admin\AppData\Roaming\0D72.0CC

Filesize
600B

MD5
471d635cce88ca8e9b25d09bfed9dea7

SHA1
97b14ba2f4d4b94f8d5ebb3b78e2d0a5caed5938

SHA256
c7f126b9362e104c3d3af6da0fcdade1e05c5046bddfee7d88f09ad3cc8aa54d

SHA512
4f9a4d7d58a32759520d38092cf7024cd56af9568e5c5a3bd6ba89e35e191ef874d9a1dee79b0138ffd94465d1b886bc3f9ba9d5419863b4363732117c30fe81

Download Submit
C:\Users\Admin\AppData\Roaming\0D72.0CC

Filesize
996B

MD5
18523433c221311e50767a64736254bb

SHA1
e67247aa1a76db101f6a13c4aac9a8fbcc923f31

SHA256
8072302eb5b15d56bcbefa2969853612f6f5802d2cf504b609ee1d570ef1b440

SHA512
c7f33139fef3e08b5cba9bccd35dc4a4e666faf0b181b888bd5b5f64775dcd17b0adaa051a08adfdbaceba0e1e5c37fa64e1071b161b11dc0c9468adb89db5a3

Download Submit
memory/1048-82-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1048-80-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1796-5-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1796-7-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2004-1-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2004-2-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2004-15-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2004-193-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download

Analysis

Sharing