cycbot | 61dad02174f7b9e1cd30002b40b4bcb601759c188d88535f444b42dfbdc252e5

General

Target

JaffaCakes118_7b5557d1ef9d23f7a92c8fae30f024d6.exe
Size

178KB
MD5

7b5557d1ef9d23f7a92c8fae30f024d6
SHA1

1fbcdaa529c102aead38396384207483b86e285a
SHA256

61dad02174f7b9e1cd30002b40b4bcb601759c188d88535f444b42dfbdc252e5
SHA512

be2c018d25795a7377548fe40e0767b0ad1fa3262d2da14af57e9b5416c6b36ea6756eb20e8ad74f02c27dd38846aa60b6c4113d491b88150fe30cb5c1b48d05
SSDEEP

3072:3/VFEi0NYnMNzaWX8fwqLm94ZcgxCCPBn661/UU5GtIp2Qj7EAp0NN:vHub9wrLmM7xCCR91/lGlQHDp0N

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1468-6-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/1944-14-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/1644-83-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/1944-189-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1944-2-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1468-5-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1468-6-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1944-14-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1644-82-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1644-83-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1944-189-0x0000000000400000-0x000000000044B000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7b5557d1ef9d23f7a92c8fae30f024d6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7b5557d1ef9d23f7a92c8fae30f024d6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7b5557d1ef9d23f7a92c8fae30f024d6.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 1468	1944	JaffaCakes118_7b5557d1ef9d23f7a92c8fae30f024d6.exe	30
PID 1944 wrote to memory of 1468	1944	JaffaCakes118_7b5557d1ef9d23f7a92c8fae30f024d6.exe	30
PID 1944 wrote to memory of 1468	1944	JaffaCakes118_7b5557d1ef9d23f7a92c8fae30f024d6.exe	30
PID 1944 wrote to memory of 1468	1944	JaffaCakes118_7b5557d1ef9d23f7a92c8fae30f024d6.exe	30
PID 1944 wrote to memory of 1644	1944	JaffaCakes118_7b5557d1ef9d23f7a92c8fae30f024d6.exe	32
PID 1944 wrote to memory of 1644	1944	JaffaCakes118_7b5557d1ef9d23f7a92c8fae30f024d6.exe	32
PID 1944 wrote to memory of 1644	1944	JaffaCakes118_7b5557d1ef9d23f7a92c8fae30f024d6.exe	32
PID 1944 wrote to memory of 1644	1944	JaffaCakes118_7b5557d1ef9d23f7a92c8fae30f024d6.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b5557d1ef9d23f7a92c8fae30f024d6.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b5557d1ef9d23f7a92c8fae30f024d6.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b5557d1ef9d23f7a92c8fae30f024d6.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b5557d1ef9d23f7a92c8fae30f024d6.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1468
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b5557d1ef9d23f7a92c8fae30f024d6.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b5557d1ef9d23f7a92c8fae30f024d6.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\0160.0B6

Filesize
300B

MD5
b41ec422f6276dce3754cf44358ea1c0

SHA1
600979ee6543d37dd2e310c0155d8548c68addab

SHA256
d942679434e79749410149e590aeaf01f49bbede6c32976c9fdd40036a93f8ed

SHA512
bdc06a2a7746cdbd8962b2e32dfefd4eb5d21f41034ef03ce053107f6998b18af1c429918b1d4c43ff88d179063cfafda32e6537c2b20c428abe4d77e7717163

Download Submit
C:\Users\Admin\AppData\Roaming\0160.0B6

Filesize
1KB

MD5
c741269620610feaffe6a574822d6e71

SHA1
2ccd747135bee159ab8044937bc358deee52a4cb

SHA256
9521dd3c3f880f9e48e4113fdd26e9dbd26a32cc1f4f6ab36bb92f1792aa9c50

SHA512
dba8326bdf1a889824bbf09947564a6c2c3f38a195406bbe28e620122b3ba130ae39914569aa8694a7d0d99a4523c26018d78efc9425b24eac3f7a5f4973f6bf

Download Submit
C:\Users\Admin\AppData\Roaming\0160.0B6

Filesize
600B

MD5
247c1bc95b20915d9b854339868ac90d

SHA1
8accfc88d56b3527cdbe9587460560e323a0d218

SHA256
6d3ebc201a1951004d384f26b402f98e61114ce968501355eae890bf0586df96

SHA512
e173ff921b509d130705d9645fdb65fcc11702a12e41e84a18d297f883719de10672381cc36dd35088c2f7337dfbaf88f4ea85d9464764a30a732bd3124e7778

Download Submit
C:\Users\Admin\AppData\Roaming\0160.0B6

Filesize
996B

MD5
ad4bf778b70f752579fd2a3aea3dc4eb

SHA1
20d5479c61425907fc66f02a7225d7f3d40be66e

SHA256
4a0ab5452bf7da4b72b60d992548d98b24e0731fce2489f45aa39089b73e9388

SHA512
9bab47692faf291def967ff3001be67c93a44651c138a55c29ea50b63f8ea00894b6bc0618d0d48405daced5a97e97ef8c9e30254138d586ce19f40c37af148a

Download Submit
memory/1468-5-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1468-6-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1644-82-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1644-83-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1944-1-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1944-2-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1944-14-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1944-189-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing