cycbot | 4d54eef01bc3accd66f74a458ad3d1ea55a00678174121677466c27c15692811

General

Target

JaffaCakes118_abf0ec93f206d7b215f7b3d6f68fe1f5.exe
Size

207KB
MD5

abf0ec93f206d7b215f7b3d6f68fe1f5
SHA1

19d60e9b6cac841eaff4c4b8a98faa89f20929a4
SHA256

4d54eef01bc3accd66f74a458ad3d1ea55a00678174121677466c27c15692811
SHA512

4cdcb62285983d968bbdb3c8f6d077ba807a7d75092db60f18fec785d2d7a9f6818f6921f303f9cbdeaf372d7af04f67116d3efe8b19e7d3f31d935a14e193ea
SSDEEP

6144:HXyNYcXMbt2ohgdqNgxiQFhsGIyQ4IUfO4:HCNfcb3hgd8miAFxIUfO4

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2948-13-0x0000000000400000-0x000000000044D000-memory.dmp	family_cycbot
behavioral1/memory/3008-14-0x0000000000400000-0x000000000044D000-memory.dmp	family_cycbot
behavioral1/memory/2088-84-0x0000000000400000-0x000000000044D000-memory.dmp	family_cycbot
behavioral1/memory/3008-193-0x0000000000400000-0x000000000044D000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3008-2-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/2948-12-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/2948-13-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/3008-14-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/2088-84-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/2088-83-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/3008-193-0x0000000000400000-0x000000000044D000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_abf0ec93f206d7b215f7b3d6f68fe1f5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_abf0ec93f206d7b215f7b3d6f68fe1f5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_abf0ec93f206d7b215f7b3d6f68fe1f5.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 2948	3008	JaffaCakes118_abf0ec93f206d7b215f7b3d6f68fe1f5.exe	31
PID 3008 wrote to memory of 2948	3008	JaffaCakes118_abf0ec93f206d7b215f7b3d6f68fe1f5.exe	31
PID 3008 wrote to memory of 2948	3008	JaffaCakes118_abf0ec93f206d7b215f7b3d6f68fe1f5.exe	31
PID 3008 wrote to memory of 2948	3008	JaffaCakes118_abf0ec93f206d7b215f7b3d6f68fe1f5.exe	31
PID 3008 wrote to memory of 2088	3008	JaffaCakes118_abf0ec93f206d7b215f7b3d6f68fe1f5.exe	33
PID 3008 wrote to memory of 2088	3008	JaffaCakes118_abf0ec93f206d7b215f7b3d6f68fe1f5.exe	33
PID 3008 wrote to memory of 2088	3008	JaffaCakes118_abf0ec93f206d7b215f7b3d6f68fe1f5.exe	33
PID 3008 wrote to memory of 2088	3008	JaffaCakes118_abf0ec93f206d7b215f7b3d6f68fe1f5.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_abf0ec93f206d7b215f7b3d6f68fe1f5.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_abf0ec93f206d7b215f7b3d6f68fe1f5.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_abf0ec93f206d7b215f7b3d6f68fe1f5.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_abf0ec93f206d7b215f7b3d6f68fe1f5.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2948
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_abf0ec93f206d7b215f7b3d6f68fe1f5.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_abf0ec93f206d7b215f7b3d6f68fe1f5.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\D9BA.240

Filesize
600B

MD5
afce2092b6f345b7d30daaadc9ce574a

SHA1
c995110ac1a959bf911b4deeb2eabf310e661dad

SHA256
e79eee2768a68686f534ec5bf4277e7b2dd5eec929060b4d83265435b46f600b

SHA512
5d3b4833f9ea184d7a2e09b605d2b63900773d5d79d3275bd74783c5317839bfbc754d45be3063e609c9528546a544626f283a83b35d18b95e4ed69125b9be57

Download Submit
C:\Users\Admin\AppData\Roaming\D9BA.240

Filesize
1KB

MD5
b6c2e6a63f7985418be1619be6610436

SHA1
ad0e2dd2df4b4a35606739bbee832a0e59280fc1

SHA256
0d9c98c97a75718de5314a3e050f0123159807433d722cf047f249cdcdc53286

SHA512
e3e6ce939891646e5af7a002877ae09daeac019239eda02f8240a4d67d669fa4845001a6a0cfbf30bcef151ba935b38178513c5955fe62df40f00b70aa33f3b0

Download Submit
C:\Users\Admin\AppData\Roaming\D9BA.240

Filesize
996B

MD5
4c4808ca1a667933727fed1df8f0b0e3

SHA1
8d7fe5c2c571641e23951029cedc5983a79e3190

SHA256
d2bccc34a7823be12d9368eb52fff6c92c0967e852278fb307cd8f3cbd062abf

SHA512
de08a418567a51102fdd90a201853d9cc62c819ee4af881e9de6f259bebf30939e0e8a57c01a730e37fbab05cdaaca7a1fdb0ae1dd39d56570d53339d48722d9

Download Submit
memory/2088-84-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2088-83-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2948-12-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2948-13-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3008-1-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3008-2-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3008-14-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3008-193-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download

Analysis

Sharing