cycbot | 69c096891b96c8fbc81dfa8810dcb44b4d90212f8906080fd1f2f366e98b9b18

General

Target

JaffaCakes118_aff739d105557a8917b8434d8e6eabb4.exe
Size

173KB
MD5

aff739d105557a8917b8434d8e6eabb4
SHA1

6f66e044c7b49b2afee60431779ee2ff70b68520
SHA256

69c096891b96c8fbc81dfa8810dcb44b4d90212f8906080fd1f2f366e98b9b18
SHA512

0668718c7d0515415e08323ef70fcd025080397d42296a82bb7d93fe0b014bbb4b23a255c30715e6610978e46db1b1f6b8da167ee82c4f61484d91502e388b88
SSDEEP

3072:DKap6OBhoYZcCGgPs8nQyLQ1bCSDAXTUPYNKVaHSBGndBTg+TtzF:NfL08nQyLQEBTUgNpHqGLTgYt5

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2716-6-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2744-14-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2016-81-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2744-82-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2744-183-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2744-1-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2716-6-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2716-5-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2744-14-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2016-81-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2744-82-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2744-183-0x0000000000400000-0x000000000046A000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_aff739d105557a8917b8434d8e6eabb4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_aff739d105557a8917b8434d8e6eabb4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_aff739d105557a8917b8434d8e6eabb4.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 2716	2744	JaffaCakes118_aff739d105557a8917b8434d8e6eabb4.exe	30
PID 2744 wrote to memory of 2716	2744	JaffaCakes118_aff739d105557a8917b8434d8e6eabb4.exe	30
PID 2744 wrote to memory of 2716	2744	JaffaCakes118_aff739d105557a8917b8434d8e6eabb4.exe	30
PID 2744 wrote to memory of 2716	2744	JaffaCakes118_aff739d105557a8917b8434d8e6eabb4.exe	30
PID 2744 wrote to memory of 2016	2744	JaffaCakes118_aff739d105557a8917b8434d8e6eabb4.exe	32
PID 2744 wrote to memory of 2016	2744	JaffaCakes118_aff739d105557a8917b8434d8e6eabb4.exe	32
PID 2744 wrote to memory of 2016	2744	JaffaCakes118_aff739d105557a8917b8434d8e6eabb4.exe	32
PID 2744 wrote to memory of 2016	2744	JaffaCakes118_aff739d105557a8917b8434d8e6eabb4.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_aff739d105557a8917b8434d8e6eabb4.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_aff739d105557a8917b8434d8e6eabb4.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_aff739d105557a8917b8434d8e6eabb4.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_aff739d105557a8917b8434d8e6eabb4.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2716
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_aff739d105557a8917b8434d8e6eabb4.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_aff739d105557a8917b8434d8e6eabb4.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\3B7C.DCC

Filesize
1KB

MD5
b271def117e0ac7c149c3904d87e0732

SHA1
5f8b757605ead22ffd633fee0ac92569ae3b63fd

SHA256
21aea57b3c97689747b162f92f2c5d8761c5e96ab36d59d8e39b006f06ec70d0

SHA512
9d4da19653e5d8a5e4c6036151f52855d678e15183a6ba4f1720eb76fd866b78faf3bdd46dfecef426a071ef5b002a9b4ecdaf83ca515fc799452211065aab77

Download Submit
C:\Users\Admin\AppData\Roaming\3B7C.DCC

Filesize
600B

MD5
739141d7d5da4995070c004aeb745774

SHA1
1f7634c62d12aac74cbdce5cf44d56ff62a62354

SHA256
3f5c59c37f2de696d4e602a58990e904ebfcd6ce96b23cfe44b18dc5ed128183

SHA512
10fe622ba7274664b6ca326cc5770889339bc3b14657d8a3ba015aa945e954ad27fbe8fcadb061ee156186f38a6993a92434d27a29144b5b04671d898cbe0049

Download Submit
C:\Users\Admin\AppData\Roaming\3B7C.DCC

Filesize
996B

MD5
063fd41c2d11672146870bc608b979ad

SHA1
38b2eed3bd8bc989f2e4b9d3cbd1f32df2fbb181

SHA256
db9970819ac34a54689aa2eba6d29eb22e015c73a21b0e8f96e3c3c740eddc81

SHA512
11a270512b044472b0beb5e881f99233150fbce72710e252f1caa59795693c79ef2ec3c088c776dbf514a73923611e584e9c0d76781998cb5ab76f7062551352

Download Submit
memory/2016-81-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2716-4-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2716-6-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2716-5-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2744-1-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2744-14-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2744-82-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2744-183-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download

Analysis

Sharing