cycbot | af40c8547c51a7a1ed8f0ac083467165195521d243dba5bd15c39778a4153f75

General

Target

JaffaCakes118_b952132f41d08e1b569cf2733fad1e9d.exe
Size

178KB
MD5

b952132f41d08e1b569cf2733fad1e9d
SHA1

ba8d4783f0afd505f912a3280744822bdda3a763
SHA256

af40c8547c51a7a1ed8f0ac083467165195521d243dba5bd15c39778a4153f75
SHA512

2d4e2128b9a4b79bf1f69f1bfd55e6350807c7a6a921ef4e8c1814c0474f16648de341fc3451277b916109f5472ef90f4149123cb19164cb84e8f93e0fdfd152
SSDEEP

3072:trmh2DkOci708qtdmf4JLzR6S7vbm8dQHpu7pGIB07HHHeN5DOsgGKxv5:EhHimfn0S/xKHpqna7n+3DRKxv5

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2084-6-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/1832-14-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/1568-78-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/1832-191-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1832-2-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2084-5-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2084-6-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1832-14-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1568-78-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1832-191-0x0000000000400000-0x000000000044B000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b952132f41d08e1b569cf2733fad1e9d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b952132f41d08e1b569cf2733fad1e9d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b952132f41d08e1b569cf2733fad1e9d.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 2084	1832	JaffaCakes118_b952132f41d08e1b569cf2733fad1e9d.exe	30
PID 1832 wrote to memory of 2084	1832	JaffaCakes118_b952132f41d08e1b569cf2733fad1e9d.exe	30
PID 1832 wrote to memory of 2084	1832	JaffaCakes118_b952132f41d08e1b569cf2733fad1e9d.exe	30
PID 1832 wrote to memory of 2084	1832	JaffaCakes118_b952132f41d08e1b569cf2733fad1e9d.exe	30
PID 1832 wrote to memory of 1568	1832	JaffaCakes118_b952132f41d08e1b569cf2733fad1e9d.exe	33
PID 1832 wrote to memory of 1568	1832	JaffaCakes118_b952132f41d08e1b569cf2733fad1e9d.exe	33
PID 1832 wrote to memory of 1568	1832	JaffaCakes118_b952132f41d08e1b569cf2733fad1e9d.exe	33
PID 1832 wrote to memory of 1568	1832	JaffaCakes118_b952132f41d08e1b569cf2733fad1e9d.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b952132f41d08e1b569cf2733fad1e9d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b952132f41d08e1b569cf2733fad1e9d.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b952132f41d08e1b569cf2733fad1e9d.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b952132f41d08e1b569cf2733fad1e9d.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2084
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b952132f41d08e1b569cf2733fad1e9d.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b952132f41d08e1b569cf2733fad1e9d.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\9024.3C1

Filesize
1KB

MD5
2f22d44cd0944ab5ff83b8e16b892266

SHA1
c0b810c17d09750899f95051994b47591807d17b

SHA256
caf0ee6ee39feac247a96a9785511be9b6096b64cf151c12cb556a160933d680

SHA512
de12cb9f59d86b22fef47355ca318ec7ef3bd623d01b8af73534d5c964d08b3c2983ac06080fb366888f6161c348120f9e99e7317217319034288ea7f4eb7b65

Download Submit
C:\Users\Admin\AppData\Roaming\9024.3C1

Filesize
600B

MD5
2b276828ccb5ebba79437e68d6017bb8

SHA1
1eac6811d8d07c446d9d6ab754880700ce4a53d7

SHA256
6a8d3c94ecdbe9a11e7d0f15ae77e2a84a13a9195eb757d285a788397bca07a7

SHA512
ac6552271e81653fdf0225d92b3502c47c3f87e467599cfccc4483b005db8c13b4a467aa298df02eea418d5934a01d86b666793ec10d2743ede07cfffdf243fb

Download Submit
C:\Users\Admin\AppData\Roaming\9024.3C1

Filesize
996B

MD5
c1763e89a2d609387189ee7f33a458c6

SHA1
2f209d798b850cd7588b7e6c9786041ee60f4e10

SHA256
b23111779edf77e64a8134e9b2350bb4626345cf9aea624fc73d1a60200bebab

SHA512
a8809c429ee625291571a6a50b08d8946a2fe67e7812147f7d61f95cf4cd0158ca1c133d4b1aff8d66b80dc9bccf0e17c15a3a16e5426ef1ee7ce766d7fdd817

Download Submit
memory/1568-76-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1568-78-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1832-1-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1832-2-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1832-14-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1832-191-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2084-5-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2084-6-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing