cycbot | 283d2334a993e01097c1c7d01e6d5a1bbd531b77cb9ed5ef4bec802055fc49a1

General

Target

JaffaCakes118_a6b6fae00bee7da928eddae33795b4d9.exe
Size

187KB
MD5

a6b6fae00bee7da928eddae33795b4d9
SHA1

dbf46ccee8a223ab8307346715d375570b42bc11
SHA256

283d2334a993e01097c1c7d01e6d5a1bbd531b77cb9ed5ef4bec802055fc49a1
SHA512

7781aba5dd8aaff9435853ced299329ea32825359309d27eebaaf7f68d3b8681eb2683d4c2c208195a265bb04fa9a84e447b7dbc853fff3b21d88e00ca9a0c58
SSDEEP

3072:TbVFc9nDbdmVniB4vegqy+fzQPRnSj/tr2SfGNxkqsm2We7ditqoVzhRtvmo0M:TCtIniBa+rYSj/52SYs0cdiIoHRl

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2772-14-0x0000000000400000-0x0000000000471000-memory.dmp	family_cycbot
behavioral1/memory/2772-13-0x0000000000400000-0x0000000000471000-memory.dmp	family_cycbot
behavioral1/memory/2464-15-0x0000000000400000-0x0000000000471000-memory.dmp	family_cycbot
behavioral1/memory/2772-16-0x0000000000400000-0x0000000000471000-memory.dmp	family_cycbot
behavioral1/memory/2116-81-0x0000000000400000-0x0000000000471000-memory.dmp	family_cycbot
behavioral1/memory/2464-184-0x0000000000400000-0x0000000000471000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2464-2-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral1/memory/2772-14-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral1/memory/2772-13-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral1/memory/2464-15-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral1/memory/2772-16-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral1/memory/2116-80-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral1/memory/2116-81-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral1/memory/2464-184-0x0000000000400000-0x0000000000471000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a6b6fae00bee7da928eddae33795b4d9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a6b6fae00bee7da928eddae33795b4d9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a6b6fae00bee7da928eddae33795b4d9.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 2772	2464	JaffaCakes118_a6b6fae00bee7da928eddae33795b4d9.exe	30
PID 2464 wrote to memory of 2772	2464	JaffaCakes118_a6b6fae00bee7da928eddae33795b4d9.exe	30
PID 2464 wrote to memory of 2772	2464	JaffaCakes118_a6b6fae00bee7da928eddae33795b4d9.exe	30
PID 2464 wrote to memory of 2772	2464	JaffaCakes118_a6b6fae00bee7da928eddae33795b4d9.exe	30
PID 2464 wrote to memory of 2116	2464	JaffaCakes118_a6b6fae00bee7da928eddae33795b4d9.exe	32
PID 2464 wrote to memory of 2116	2464	JaffaCakes118_a6b6fae00bee7da928eddae33795b4d9.exe	32
PID 2464 wrote to memory of 2116	2464	JaffaCakes118_a6b6fae00bee7da928eddae33795b4d9.exe	32
PID 2464 wrote to memory of 2116	2464	JaffaCakes118_a6b6fae00bee7da928eddae33795b4d9.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a6b6fae00bee7da928eddae33795b4d9.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a6b6fae00bee7da928eddae33795b4d9.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a6b6fae00bee7da928eddae33795b4d9.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a6b6fae00bee7da928eddae33795b4d9.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2772
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a6b6fae00bee7da928eddae33795b4d9.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a6b6fae00bee7da928eddae33795b4d9.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\548A.B1B

Filesize
1KB

MD5
2afc10e73c24a3068f7aea3751086545

SHA1
aa63cd8bb0943ab0fcc8b6e34f8f9f9553759b10

SHA256
a4e770b3ebef1b6d19a843f8a17b6773843411b2d4542013f0ffeb8c986d42da

SHA512
e0b72fee60c0bf60ff425c944cae128173761ee031e383cb8b2222cb43d5f6cae17c1dd4a17a1fc0c067a0cb321302fbf85ab3a2abdb3834e05a3ddcc552d045

Download Submit
C:\Users\Admin\AppData\Roaming\548A.B1B

Filesize
600B

MD5
5c2b9007eb573ac3e5f5c8df8b62bdf8

SHA1
f5e953a1aabb413fc50bbddf9d979d529d3b0bcc

SHA256
1290143345741165f67be45cdc90fff0c1400238294383130804019471f45fe1

SHA512
9f223bb1668251adfc206813de18b6c86286b1a24cccd85b5891dc1748a13852b08e20e9c8d7f7f81e28442822811c5bceb7dd831f7431f7c0cbda145e9edfe3

Download Submit
C:\Users\Admin\AppData\Roaming\548A.B1B

Filesize
996B

MD5
0476d19a3e62ff41c283be20f9eccc02

SHA1
da18c104c0d75b53c2f9931b429c177d3d50d439

SHA256
db63cd8fb1f1c4fb48744a8f7adb65bb86e8e42e866aa56f75a256184ac1e2de

SHA512
4c98dc23a8c11ef5bb3a91aef2bfb0df1e367f8bfdeaa2179bbd00c540d2be1946c08271030db4a91d08c842e15d287ee52e2b91ecac3c6c7520924592fe43ec

Download Submit
memory/2116-80-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2116-81-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2464-1-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2464-2-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2464-15-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2464-184-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2772-14-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2772-13-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2772-16-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing