cycbot | 1195b6e737271930b417d14b43b0d48259ba52ec9337ac63ffaa21197d8efa51

General

Target

JaffaCakes118_bb9694e4fdd7556909779f2aca72ed07.exe
Size

187KB
MD5

bb9694e4fdd7556909779f2aca72ed07
SHA1

e74fefd342e8bda5363c96f2fe0224c013e57957
SHA256

1195b6e737271930b417d14b43b0d48259ba52ec9337ac63ffaa21197d8efa51
SHA512

fe176e3171e0b42d63d5b6ff69eb2202d21fdbd2a159bd6d788892dedf15a730f8f49a981c4a3f781b2babfd1319f283c1574439618f22ee1632d12e2dbfcba3
SSDEEP

3072:SZ8AZL/T1YtPqk1Njc4e+jvMyiZ81i8qjmfgak05DoA38OiD+pUZgLe0JR8zc7H1:SZ8KT1Ytik1vTJiScAZk05DoAudgLeaP

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2808-6-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot
behavioral1/memory/988-13-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot
behavioral1/memory/2080-79-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot
behavioral1/memory/988-181-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/988-1-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2808-4-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2808-6-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/988-13-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2080-77-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2080-79-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/988-181-0x0000000000400000-0x0000000000468000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_bb9694e4fdd7556909779f2aca72ed07.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_bb9694e4fdd7556909779f2aca72ed07.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_bb9694e4fdd7556909779f2aca72ed07.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 988 wrote to memory of 2808	988	JaffaCakes118_bb9694e4fdd7556909779f2aca72ed07.exe	31
PID 988 wrote to memory of 2808	988	JaffaCakes118_bb9694e4fdd7556909779f2aca72ed07.exe	31
PID 988 wrote to memory of 2808	988	JaffaCakes118_bb9694e4fdd7556909779f2aca72ed07.exe	31
PID 988 wrote to memory of 2808	988	JaffaCakes118_bb9694e4fdd7556909779f2aca72ed07.exe	31
PID 988 wrote to memory of 2080	988	JaffaCakes118_bb9694e4fdd7556909779f2aca72ed07.exe	33
PID 988 wrote to memory of 2080	988	JaffaCakes118_bb9694e4fdd7556909779f2aca72ed07.exe	33
PID 988 wrote to memory of 2080	988	JaffaCakes118_bb9694e4fdd7556909779f2aca72ed07.exe	33
PID 988 wrote to memory of 2080	988	JaffaCakes118_bb9694e4fdd7556909779f2aca72ed07.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9694e4fdd7556909779f2aca72ed07.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9694e4fdd7556909779f2aca72ed07.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:988
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9694e4fdd7556909779f2aca72ed07.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9694e4fdd7556909779f2aca72ed07.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2808
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9694e4fdd7556909779f2aca72ed07.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9694e4fdd7556909779f2aca72ed07.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\6BF3.ED8

Filesize
1KB

MD5
40f39f921031acb1a211c28db0e0043e

SHA1
f1d7e1dfbd050e9fa46c320b0ea2ad769faef352

SHA256
5b402d95bab2a6dcc48430e30d06d6633ba08daead43f9f44722b24f76f1d89e

SHA512
b0935976a02b893f4cf0aa4361c2a466ac5d7cae98f13c2ee65950af98dc0a4ae809c7e35b559834c22d04bd3fcabfe79769d3130cff0146b78fc08fc2aadc6c

Download Submit
C:\Users\Admin\AppData\Roaming\6BF3.ED8

Filesize
600B

MD5
baa44df9747ae486032b4c2a3d9e1613

SHA1
b9c13f4d910f057b888e491b51fa0c0ad98c7714

SHA256
a7b8bc208162d7e742b11d06355076d53ccf28ae3305733621c5661c31d04d19

SHA512
5446a86ff00e4fa7d3ededd8908dde9bd51c05e57e9a74a2601e66691f5680aec650613b0ce9f071cc5afc173df11b34cab40f5d4047e1039d4bbb090abcc025

Download Submit
C:\Users\Admin\AppData\Roaming\6BF3.ED8

Filesize
996B

MD5
4877e658f93d5e08a6070cb56a227eb3

SHA1
cdf29ac9b6044154ca55011f3cd39f8238822719

SHA256
f901c959c47ece1d49aa79fcd08c6ab91746a3258c866aa00ad0a4baf266a6c5

SHA512
31b351d4363daba0916042b39e2642c91afd0fdc4265c794b5341cad1d2ad0827c7df3b9a458c0007ea35291856bd06bc6682963c1962b64caa0789cea5ecb25

Download Submit
memory/988-1-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/988-13-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/988-181-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2080-77-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2080-76-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2080-79-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2808-4-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2808-6-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2808-70-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing