cycbot | 4b95b03e48c5d1e488d157d9b4c6946ef094a83755518620081cc992f60677a4

General

Target

JaffaCakes118_a030ef66f9ef28a688f2c8463748c762.exe
Size

176KB
MD5

a030ef66f9ef28a688f2c8463748c762
SHA1

be5461ec3f54e4f386e8cdabb7d3c88e47bb3cc6
SHA256

4b95b03e48c5d1e488d157d9b4c6946ef094a83755518620081cc992f60677a4
SHA512

328258cf2431f9b338e33e0dde0327a44bc4cd9d16c7aceaa6a3a32671d9f08e45ebc0f68ab71b59136c6d148c6f0856e358258e8d99d787bc0c8b1af9c26caa
SSDEEP

3072:7wbqKYJUz2rp2YLb+tye2FZGZu9ZTA44AM3vf6h1kCZEtd2g4Psp2:7wbqKYyK1L/+7EZ9lRDM/ih2yE6gf

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2896-8-0x0000000000400000-0x0000000000463000-memory.dmp	family_cycbot
behavioral1/memory/2192-18-0x0000000000400000-0x0000000000463000-memory.dmp	family_cycbot
behavioral1/memory/2192-84-0x0000000000400000-0x0000000000463000-memory.dmp	family_cycbot
behavioral1/memory/3032-88-0x0000000000400000-0x0000000000463000-memory.dmp	family_cycbot
behavioral1/memory/2192-155-0x0000000000400000-0x0000000000463000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2192-2-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2896-8-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2192-18-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2192-84-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/3032-88-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/3032-87-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2192-155-0x0000000000400000-0x0000000000463000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a030ef66f9ef28a688f2c8463748c762.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a030ef66f9ef28a688f2c8463748c762.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a030ef66f9ef28a688f2c8463748c762.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2896	2192	JaffaCakes118_a030ef66f9ef28a688f2c8463748c762.exe	30
PID 2192 wrote to memory of 2896	2192	JaffaCakes118_a030ef66f9ef28a688f2c8463748c762.exe	30
PID 2192 wrote to memory of 2896	2192	JaffaCakes118_a030ef66f9ef28a688f2c8463748c762.exe	30
PID 2192 wrote to memory of 2896	2192	JaffaCakes118_a030ef66f9ef28a688f2c8463748c762.exe	30
PID 2192 wrote to memory of 3032	2192	JaffaCakes118_a030ef66f9ef28a688f2c8463748c762.exe	32
PID 2192 wrote to memory of 3032	2192	JaffaCakes118_a030ef66f9ef28a688f2c8463748c762.exe	32
PID 2192 wrote to memory of 3032	2192	JaffaCakes118_a030ef66f9ef28a688f2c8463748c762.exe	32
PID 2192 wrote to memory of 3032	2192	JaffaCakes118_a030ef66f9ef28a688f2c8463748c762.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a030ef66f9ef28a688f2c8463748c762.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a030ef66f9ef28a688f2c8463748c762.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a030ef66f9ef28a688f2c8463748c762.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a030ef66f9ef28a688f2c8463748c762.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2896
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a030ef66f9ef28a688f2c8463748c762.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a030ef66f9ef28a688f2c8463748c762.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\66A4.654

Filesize
597B

MD5
5b1cd55c2d5ceb3389c92d75f3314aba

SHA1
f80cec76a27ab1758588de29e68db12a9f89027d

SHA256
4fcaa69897cfa359110167d4990fd525451415b60863e01e29f91f23e3b1f40d

SHA512
8323963a9bffedfcb9dae9af6a56ac0c39366a5044a9f0687976b2ff5ff4ff74bd7342692897e9eaa8b383627d9fe6ab354edd9723a2e8d5c06c57ed4144b58e

Download Submit
C:\Users\Admin\AppData\Roaming\66A4.654

Filesize
1KB

MD5
5b16ff2c76dfbe1cdbf7e1fa7f23011f

SHA1
832de76e1b00fdc2ef59de70a98bf9819f1080bc

SHA256
fd6b33147ab38d5fe5b1ef167b946ada3c2b7c82655c2760f1af44e125c78f21

SHA512
6855686a7f953649fc5e62bc279ba7373e7e25af4969d13b081b9af449a4a9b4103a9beafe0f1e6b56209d612498a17637cc7811d1ed9ca039fffbc1f38e07f0

Download Submit
C:\Users\Admin\AppData\Roaming\66A4.654

Filesize
897B

MD5
febc9bd48a2cc2d94bbb1a91affa6e2d

SHA1
c7b9c6981d75567bd89772f16240d021f4f523cd

SHA256
897edd973105e2779fc2eeaa5b8694110bb77154330eb14da7730b6b08b647e3

SHA512
67721fd4ea1f76f4e21233d9bc7dcf4afda21266f5f8822e7a159d31304b0df383f46d21b1e1c149ffb58438b3d36b6795c5ea4390e0a7ae0eb2e738c19b1b97

Download Submit
C:\Users\Admin\AppData\Roaming\66A4.654

Filesize
1KB

MD5
91348aee75c4700f0fddb8058036001f

SHA1
87e2d224225eaf29f1d52b8a47fc85ef93d99c5c

SHA256
99d6fc79f236cd8344d5976978f555263ddb750774b057ea7c7a76ded12a72f0

SHA512
e766a3f6088388962d29beb98b996e5af4708b7a71cdada2c8d55c11e57f3e36de45867de0e2a6c2037e228fb427d2004c3aa4bc56663518c2b900e5dde33dde

Download Submit
memory/2192-2-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2192-155-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2192-1-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2192-18-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2192-84-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2896-8-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2896-6-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3032-87-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/3032-88-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download

Analysis

Sharing