cycbot | ab4086bd672a3121a9d24ac708c4a1a6c8bca239d512c3ccf77b797aafb1c586

General

Target

JaffaCakes118_77c8395803c70f168b2abd5ea69405a1.exe
Size

183KB
MD5

77c8395803c70f168b2abd5ea69405a1
SHA1

e58030a4e4f1480fec62e9b4e857774e2fc84d04
SHA256

ab4086bd672a3121a9d24ac708c4a1a6c8bca239d512c3ccf77b797aafb1c586
SHA512

2eacd94cbbadb057bebf86f6096b648d07b8b2f774b10be57a477676977d4300937a74371e6a22d803f5ab7fc07dea57c3febb5c87f335075c090adf9b4b6a10
SSDEEP

3072:axdC1qMD076AGoht9CaVySS7qGsTQJ8OXVZo5oJolMf53xEEJIsokfh6g6mA/F:shgi6AzhtVNSOyJFZBJaMfp1JIsN9

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/288-6-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot
behavioral1/memory/2324-13-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot
behavioral1/memory/2660-83-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot
behavioral1/memory/2324-171-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2324-2-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/288-5-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/288-6-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2324-13-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2660-81-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2660-83-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2324-171-0x0000000000400000-0x0000000000468000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_77c8395803c70f168b2abd5ea69405a1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_77c8395803c70f168b2abd5ea69405a1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_77c8395803c70f168b2abd5ea69405a1.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 288	2324	JaffaCakes118_77c8395803c70f168b2abd5ea69405a1.exe	28
PID 2324 wrote to memory of 288	2324	JaffaCakes118_77c8395803c70f168b2abd5ea69405a1.exe	28
PID 2324 wrote to memory of 288	2324	JaffaCakes118_77c8395803c70f168b2abd5ea69405a1.exe	28
PID 2324 wrote to memory of 288	2324	JaffaCakes118_77c8395803c70f168b2abd5ea69405a1.exe	28
PID 2324 wrote to memory of 2660	2324	JaffaCakes118_77c8395803c70f168b2abd5ea69405a1.exe	30
PID 2324 wrote to memory of 2660	2324	JaffaCakes118_77c8395803c70f168b2abd5ea69405a1.exe	30
PID 2324 wrote to memory of 2660	2324	JaffaCakes118_77c8395803c70f168b2abd5ea69405a1.exe	30
PID 2324 wrote to memory of 2660	2324	JaffaCakes118_77c8395803c70f168b2abd5ea69405a1.exe	30

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_77c8395803c70f168b2abd5ea69405a1.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_77c8395803c70f168b2abd5ea69405a1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_77c8395803c70f168b2abd5ea69405a1.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_77c8395803c70f168b2abd5ea69405a1.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:288
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_77c8395803c70f168b2abd5ea69405a1.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_77c8395803c70f168b2abd5ea69405a1.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\23E8.103

Filesize
1KB

MD5
e0519f88dc9fa8e4a27dcec6ab2fec77

SHA1
bdbd5542388b45a11b50d872a889f94504f00abe

SHA256
8d29573453a99f461c9e19a7e2a53db2cf5f8251b2300924855e9feb3e6915f3

SHA512
c9498bba86a0e38554982e386e780f3e08fb12695b0196590d496b566359f6cb61db434b0e17070384d8085762c1d0f64fd19410afe04acb5efca5d3b2948ce8

Download Submit
C:\Users\Admin\AppData\Roaming\23E8.103

Filesize
600B

MD5
b71d029880c7c989f6fc3115201b3192

SHA1
93ed7e2cccb91a8743eeb00817e90f93231e600a

SHA256
a83daabb6a60e8cbd50119585c6510f1f25543b259ba172fecffd25c34f423af

SHA512
1ec34a714894ffdb261990273cbccc60d776b4d2d4f11544f22204e17d71c4fb1cfdbdf8be7dd02c10b970af97315478af0d9d5d7042cb720e5181440db5756b

Download Submit
C:\Users\Admin\AppData\Roaming\23E8.103

Filesize
996B

MD5
93521e4654d08c226c95647103390513

SHA1
fb7a566b208a40a5081597a1a68ab93c6eb4fdcb

SHA256
1f930a2df5f11ed49367eb5568fc1f460ea55bed2b02341b2575bf5ecea24f0f

SHA512
6b0e95848f7b29539eeafa9d12b56a7fccec9a7a9ed66f93bd4a309593cca6064a9f04ab8d97b907a358afcf06b084d36da1299fe4a68c65f7201a427877eebe

Download Submit
memory/288-5-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/288-6-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2324-1-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2324-2-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2324-13-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2324-171-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2660-81-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2660-83-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing