cycbot | a790549fa8ddbfe09d00824809c969cc5f15345f323579dea1c84bc95b23f3fe

General

Target

JaffaCakes118_7aeb7e393793c9081460346fed9352aa.exe
Size

180KB
MD5

7aeb7e393793c9081460346fed9352aa
SHA1

92ef0dfc7211b2303529e7fe18a8071bbf4e0717
SHA256

a790549fa8ddbfe09d00824809c969cc5f15345f323579dea1c84bc95b23f3fe
SHA512

c60fb3885b3e5fe35626d6a8e52593a3a0379db86cf848cb1b3c21b1a76830f52d9a799915540c83ef8c547215755f11f9eca363920b80aa5fde038e69c3134a
SSDEEP

3072:YoQ+V8r79/ZwWlLGZsA9J8rFGu1Ictws/BAwu6EB1+qOmnJcJlaM:7QC8rph9LGWAD8rFG2PwiB7qfXRM

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/3044-7-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/1904-15-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/1560-87-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/1904-181-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1904-2-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/3044-6-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/3044-7-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1904-15-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1560-87-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1904-181-0x0000000000400000-0x000000000044B000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7aeb7e393793c9081460346fed9352aa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7aeb7e393793c9081460346fed9352aa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7aeb7e393793c9081460346fed9352aa.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 3044	1904	JaffaCakes118_7aeb7e393793c9081460346fed9352aa.exe	30
PID 1904 wrote to memory of 3044	1904	JaffaCakes118_7aeb7e393793c9081460346fed9352aa.exe	30
PID 1904 wrote to memory of 3044	1904	JaffaCakes118_7aeb7e393793c9081460346fed9352aa.exe	30
PID 1904 wrote to memory of 3044	1904	JaffaCakes118_7aeb7e393793c9081460346fed9352aa.exe	30
PID 1904 wrote to memory of 1560	1904	JaffaCakes118_7aeb7e393793c9081460346fed9352aa.exe	33
PID 1904 wrote to memory of 1560	1904	JaffaCakes118_7aeb7e393793c9081460346fed9352aa.exe	33
PID 1904 wrote to memory of 1560	1904	JaffaCakes118_7aeb7e393793c9081460346fed9352aa.exe	33
PID 1904 wrote to memory of 1560	1904	JaffaCakes118_7aeb7e393793c9081460346fed9352aa.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7aeb7e393793c9081460346fed9352aa.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7aeb7e393793c9081460346fed9352aa.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7aeb7e393793c9081460346fed9352aa.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7aeb7e393793c9081460346fed9352aa.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3044
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7aeb7e393793c9081460346fed9352aa.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7aeb7e393793c9081460346fed9352aa.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\BC1E.4A4

Filesize
1KB

MD5
294639951bb862c7468b027f4f940ecd

SHA1
ba619571fc47ff12c3d06bd9869739cafa574c12

SHA256
37b5fbb4bd9e91f594910df4f014f5f4c04f4b479457e2eea7cd07db559b0719

SHA512
add75e6031980e58d607a75c674b63a83584af47c1767c6fa4e8ba36dd81f5d9e9da7ec10d27d9794a7283d4ce4a05406b629c70a828d779d4819533b3ac8e53

Download Submit
C:\Users\Admin\AppData\Roaming\BC1E.4A4

Filesize
600B

MD5
e7bfccd6d66a08db8d25d496a318edd8

SHA1
8801228e5d236224d36840499a0e50937f9d6d55

SHA256
00a85bda77a4867f49c94b68808b651a2b88d9726468f94162938265c7592d98

SHA512
16aa3111fd1723906f6e8f14f8f5f9247b5a5a67af0e1e5c452d878cdba6b2cc77fc8c4a804fd556629d72ebcd7811bba21ab419b426a2a53d8d879c6017c15e

Download Submit
C:\Users\Admin\AppData\Roaming\BC1E.4A4

Filesize
996B

MD5
a46f1787e3b95b720077b921ff4267fc

SHA1
b29c5badf90fbe4bb70bfcc5e7253ef59d65f28d

SHA256
f07c7328dbba6eec4c275811270f786cd6c6b6eee074f074c05b07201299490f

SHA512
3633b63f7e9d03f5272ae2a19e98edb6b072448ee711a7e355744d03a211fa7cd8a70380a2f318131b0ca189f7d4a26924d38bf274e7719763c5788f8dd4c187

Download Submit
memory/1560-87-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1904-1-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1904-2-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1904-15-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1904-181-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3044-6-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3044-5-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3044-7-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing