cycbot | 1ce012c3a37cbfc3bbd0872cc5b0a9cec916ffeb612327f7a4da9b505a53404d

General

Target

JaffaCakes118_9235835d67d9fe459b8e009d501784b7.exe
Size

194KB
MD5

9235835d67d9fe459b8e009d501784b7
SHA1

6a0725b7b93452bc880eedf6a858fb46ad77ae6b
SHA256

1ce012c3a37cbfc3bbd0872cc5b0a9cec916ffeb612327f7a4da9b505a53404d
SHA512

b526ea6eab7dc95032182d46125ee2729f1ec91faf8ef2fc831dabd3673070d466692b6490b1f9bb35db4ae7312fb6b5990dee1e07f8a5b50ca0e380d24eebb0
SSDEEP

3072:nZyZ/e5K4ql2Tp9diLrSy031h9kPhwuvTAYNqGWyDNFfDf:nZyZvPedarSy2v9WpmnyDNF

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2656-13-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/3068-14-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/672-79-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/3068-176-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/3068-177-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3068-2-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2656-12-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2656-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/3068-14-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/672-79-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/3068-176-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/3068-177-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9235835d67d9fe459b8e009d501784b7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9235835d67d9fe459b8e009d501784b7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9235835d67d9fe459b8e009d501784b7.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2656	3068	JaffaCakes118_9235835d67d9fe459b8e009d501784b7.exe	30
PID 3068 wrote to memory of 2656	3068	JaffaCakes118_9235835d67d9fe459b8e009d501784b7.exe	30
PID 3068 wrote to memory of 2656	3068	JaffaCakes118_9235835d67d9fe459b8e009d501784b7.exe	30
PID 3068 wrote to memory of 2656	3068	JaffaCakes118_9235835d67d9fe459b8e009d501784b7.exe	30
PID 3068 wrote to memory of 672	3068	JaffaCakes118_9235835d67d9fe459b8e009d501784b7.exe	32
PID 3068 wrote to memory of 672	3068	JaffaCakes118_9235835d67d9fe459b8e009d501784b7.exe	32
PID 3068 wrote to memory of 672	3068	JaffaCakes118_9235835d67d9fe459b8e009d501784b7.exe	32
PID 3068 wrote to memory of 672	3068	JaffaCakes118_9235835d67d9fe459b8e009d501784b7.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9235835d67d9fe459b8e009d501784b7.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9235835d67d9fe459b8e009d501784b7.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9235835d67d9fe459b8e009d501784b7.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9235835d67d9fe459b8e009d501784b7.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2656
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9235835d67d9fe459b8e009d501784b7.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9235835d67d9fe459b8e009d501784b7.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\B7E5.308

Filesize
1KB

MD5
4bdc26e161640e1d5deb2b308ca06b4c

SHA1
4eed6b1c8928e292e765aab3ce6f3936db47038f

SHA256
fb7c242677300c3927a2743aba5b5814c5c4d848dfe3b9e508a9add7c250f811

SHA512
bf6221cb696556ee279a825017734175f22967d67e9c2fffd8eff20f6df5d48d768466d8e52bde74741925d46540814587552a5d6809a10564137e8f6d6ae33d

Download Submit
C:\Users\Admin\AppData\Roaming\B7E5.308

Filesize
600B

MD5
9b5ec6be9af162bc800c5432e847e9ea

SHA1
7c4d7c89b11729eb98f648ad7e6c1aaabfaff39e

SHA256
67ec209169230181f0878daa82f852aa3190249997f5e112b655db9d0d1a0f98

SHA512
7de9e72a06c83b1b03a55be12e8891dd398184faa69fd0586ea60550cf422bf2c5d005b29a7cb4bf1f48568b0f887fb55e5cf1b2a4c42717c999cdca7d700920

Download Submit
C:\Users\Admin\AppData\Roaming\B7E5.308

Filesize
996B

MD5
727749462ffe9ea39d1583b35c783714

SHA1
4dd764d8375b14d78d913fc48305aed9fe3e0c00

SHA256
30f1bf047a219983c1709ceb1583b8422958247f5c2ae6c9fe03a1f566742918

SHA512
dfe341e5c8aa33d380fccb793a803f333607fd6717ec89a9ccee388d081b9d2fa6ccdcca7b9a84d5718adc2a1e3de31249d9144d17ce191b4b9928b22dd6df47

Download Submit
memory/672-79-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2656-12-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2656-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3068-1-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3068-2-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3068-14-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3068-176-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3068-177-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Resubmissions

Analysis

Sharing