cycbot | 4c6aa7ff2628bf9f5cbeea4cd70b7fb2dbf33de41a789082b8232733a17a8324

General

Target

JaffaCakes118_d42f67a3c6498615ec0aa6a6111398fd.exe
Size

164KB
MD5

d42f67a3c6498615ec0aa6a6111398fd
SHA1

672209922587af5d4b9d810c10e75e2eac0c98a2
SHA256

4c6aa7ff2628bf9f5cbeea4cd70b7fb2dbf33de41a789082b8232733a17a8324
SHA512

bc6bfd84ccb72f4aa3e118ee00d9f0aee18ab8354c964648cca5f9b53eed1512a6f0dca0f584172c90ca3c28b7a1ae26b96c53c6da7bffe06949153b8af11663
SSDEEP

3072:L4urZQ8GkP9rSVL/hGcShwLxJzaBD3M8tTAtc1RhrSHul+muhqbY4ZLDWasu8cT8:EcF5uZ9g8xJIlitc1RhrSHZtwLDlsub

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2764-5-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot
behavioral1/memory/2392-13-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot
behavioral1/memory/2392-78-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot
behavioral1/memory/2888-81-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot
behavioral1/memory/2392-193-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2392-2-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2764-5-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2392-13-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2392-78-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2888-80-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2888-81-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2392-193-0x0000000000400000-0x0000000000468000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_d42f67a3c6498615ec0aa6a6111398fd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_d42f67a3c6498615ec0aa6a6111398fd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_d42f67a3c6498615ec0aa6a6111398fd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 2764	2392	JaffaCakes118_d42f67a3c6498615ec0aa6a6111398fd.exe	31
PID 2392 wrote to memory of 2764	2392	JaffaCakes118_d42f67a3c6498615ec0aa6a6111398fd.exe	31
PID 2392 wrote to memory of 2764	2392	JaffaCakes118_d42f67a3c6498615ec0aa6a6111398fd.exe	31
PID 2392 wrote to memory of 2764	2392	JaffaCakes118_d42f67a3c6498615ec0aa6a6111398fd.exe	31
PID 2392 wrote to memory of 2888	2392	JaffaCakes118_d42f67a3c6498615ec0aa6a6111398fd.exe	33
PID 2392 wrote to memory of 2888	2392	JaffaCakes118_d42f67a3c6498615ec0aa6a6111398fd.exe	33
PID 2392 wrote to memory of 2888	2392	JaffaCakes118_d42f67a3c6498615ec0aa6a6111398fd.exe	33
PID 2392 wrote to memory of 2888	2392	JaffaCakes118_d42f67a3c6498615ec0aa6a6111398fd.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d42f67a3c6498615ec0aa6a6111398fd.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d42f67a3c6498615ec0aa6a6111398fd.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d42f67a3c6498615ec0aa6a6111398fd.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d42f67a3c6498615ec0aa6a6111398fd.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2764
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d42f67a3c6498615ec0aa6a6111398fd.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d42f67a3c6498615ec0aa6a6111398fd.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\6BB7.F5E

Filesize
1KB

MD5
abf000b32b407ec37a2c1767e2a177d0

SHA1
f95cd0279b488e41379fa9128caee6193ac3c3f2

SHA256
ac3b54c76de7e65bc98e2c0977ad2548975d6511fd28145f0321a3ffd3b4b399

SHA512
0c25c07ef683b23d5fb6774a838d3fc319ec9a435ded36865ad7a62ff865e19e72e63c16510b6eb85475823e7a3cf0041a93e9ed8c73ad695a927d4eea67c814

Download Submit
C:\Users\Admin\AppData\Roaming\6BB7.F5E

Filesize
600B

MD5
4768e2a3c4b143410710eb9333e4daba

SHA1
57280da48022093daf6723dbedbfc29a75b2323d

SHA256
5b972ee52cd2c9caf5d1265458e55bf592170ef4c4b50db1b8b51c80f9334c41

SHA512
ddc39a097c294dfc7959c58f25f7e516a4485254bba3e85fbbacc91be8074d5442ccb4b9b4bc21cf5ac02206ebe856d07717e6e2b25388885069e071288bbddd

Download Submit
C:\Users\Admin\AppData\Roaming\6BB7.F5E

Filesize
996B

MD5
a2456ebce59e479d03a8d27989b07038

SHA1
7de1d066fa6ff47de8cf2289777bb23f3a028503

SHA256
01587c2288bc1ab3815cd8e679c1ec46927769385b8893a595db1d6de455f935

SHA512
1a79833d8fd3415a956eb19efeb92322bb1b56cbbaf67667ce249a721a3b02ace6184456418b1b189fee7b0e9481c55f9a8d3de22f2e8fa41521ab6b8d13d55b

Download Submit
memory/2392-1-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2392-2-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2392-13-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2392-78-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2392-193-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2764-5-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2888-80-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2888-81-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing