cycbot | 4db1a9b4a76c18d9ad024b51287ec586578ea6071f349a4cce573e43116e5de1

General

Target

JaffaCakes118_7f57bb055fa2ec175d379c44a87c85b4.exe
Size

189KB
MD5

7f57bb055fa2ec175d379c44a87c85b4
SHA1

d9daee9400ec5ae2468f2be9651e86987fb7749d
SHA256

4db1a9b4a76c18d9ad024b51287ec586578ea6071f349a4cce573e43116e5de1
SHA512

868fc222ab90c04995a07810838e524c6d639c847a374cbc65dca118e549b4f70e91565e0bfbfd95d2cf51253671a14ecd9d9ee570be35f62d35601180d2be63
SSDEEP

3072:WfGeoZEG/GJQmcNOfq+3OCIfPZyXytHpML7zmhWjw8m9ct2BCXW+YBg:WftoZEd6tJPUCJMKhWjfm9n2Wng

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1740-7-0x0000000000400000-0x0000000000447000-memory.dmp	family_cycbot
behavioral1/memory/2312-14-0x0000000000400000-0x0000000000447000-memory.dmp	family_cycbot
behavioral1/memory/2312-82-0x0000000000400000-0x0000000000447000-memory.dmp	family_cycbot
behavioral1/memory/2608-84-0x0000000000400000-0x0000000000447000-memory.dmp	family_cycbot
behavioral1/memory/2312-197-0x0000000000400000-0x0000000000447000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2312-2-0x0000000000400000-0x0000000000447000-memory.dmp	upx
behavioral1/memory/1740-5-0x0000000000400000-0x0000000000447000-memory.dmp	upx
behavioral1/memory/1740-7-0x0000000000400000-0x0000000000447000-memory.dmp	upx
behavioral1/memory/2312-14-0x0000000000400000-0x0000000000447000-memory.dmp	upx
behavioral1/memory/2312-82-0x0000000000400000-0x0000000000447000-memory.dmp	upx
behavioral1/memory/2608-84-0x0000000000400000-0x0000000000447000-memory.dmp	upx
behavioral1/memory/2312-197-0x0000000000400000-0x0000000000447000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7f57bb055fa2ec175d379c44a87c85b4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7f57bb055fa2ec175d379c44a87c85b4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7f57bb055fa2ec175d379c44a87c85b4.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 1740	2312	JaffaCakes118_7f57bb055fa2ec175d379c44a87c85b4.exe	31
PID 2312 wrote to memory of 1740	2312	JaffaCakes118_7f57bb055fa2ec175d379c44a87c85b4.exe	31
PID 2312 wrote to memory of 1740	2312	JaffaCakes118_7f57bb055fa2ec175d379c44a87c85b4.exe	31
PID 2312 wrote to memory of 1740	2312	JaffaCakes118_7f57bb055fa2ec175d379c44a87c85b4.exe	31
PID 2312 wrote to memory of 2608	2312	JaffaCakes118_7f57bb055fa2ec175d379c44a87c85b4.exe	33
PID 2312 wrote to memory of 2608	2312	JaffaCakes118_7f57bb055fa2ec175d379c44a87c85b4.exe	33
PID 2312 wrote to memory of 2608	2312	JaffaCakes118_7f57bb055fa2ec175d379c44a87c85b4.exe	33
PID 2312 wrote to memory of 2608	2312	JaffaCakes118_7f57bb055fa2ec175d379c44a87c85b4.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7f57bb055fa2ec175d379c44a87c85b4.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7f57bb055fa2ec175d379c44a87c85b4.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7f57bb055fa2ec175d379c44a87c85b4.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7f57bb055fa2ec175d379c44a87c85b4.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1740
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7f57bb055fa2ec175d379c44a87c85b4.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7f57bb055fa2ec175d379c44a87c85b4.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\5925.75C

Filesize
1KB

MD5
844e18751e4d103fce0c1d31d8908515

SHA1
cc61325caaed08d0fc3dcb1a680f4c83495b925d

SHA256
e65202b07a72813a564ba7444f26d5511e7393c7fe46c7f68305fc4022bbb2b3

SHA512
29d1478383a18999c888be4db5731b624eb7f71267a8fce42b944f77ebe22582bd8f53e6c837ac4199e95174dd595f226d9cac299feeae0595fed679e3acca94

Download Submit
C:\Users\Admin\AppData\Roaming\5925.75C

Filesize
600B

MD5
eab6f10ba37a396628d1bb631bfa611b

SHA1
3392f5ee71b73ce8a6d81ac07dd9c55a2acabfef

SHA256
f235e9493d4724b0a44274fa36209031f78bb188d6fe18638c55c7eca25abbe9

SHA512
fd29d782eab5f48b5943e5f2f56e404845ea1e1439b8c85cc61642cbc1085c1323538a5d5db2aaa658c181cb7564a31762f3afed03e54b5ab3d1aa47a86253ee

Download Submit
C:\Users\Admin\AppData\Roaming\5925.75C

Filesize
996B

MD5
bd11952d34761d015cfad9548bace964

SHA1
a9ef896dab43c9148bcf5bb324eed5b5e17c143e

SHA256
38481c508afa86b7e729bec4af06404942d5dac71d5dae0debefc765d54fd9f2

SHA512
edd714ad313d19feb6f4adc886a3a6bd1820487f236dbd36537000a8fa3cd6c08289b547620ab5157df470e571efd99325258e5d393211f19a6ef21aab8427e5

Download Submit
memory/1740-5-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1740-7-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2312-1-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2312-2-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2312-14-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2312-82-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2312-197-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2608-84-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download

Analysis

Sharing