cycbot | 6aad95fe5ee7e0fc5cbd53692b62945b15ab1afde20399e199b18978aed8949d

General

Target

JaffaCakes118_bd38ea41bd3e640aa3585791e86ccba7.exe
Size

169KB
MD5

bd38ea41bd3e640aa3585791e86ccba7
SHA1

89af6a3e61ca6ae16b7b82908477cae466bed83c
SHA256

6aad95fe5ee7e0fc5cbd53692b62945b15ab1afde20399e199b18978aed8949d
SHA512

252e12cb5f070c7c100935b2b493ed0581ad0a52d5a5c0a199774399784b5cb30f1f442cc8123f9453bf0e6107caef70059e523b481f301e0eb1c30ca48acd2e
SSDEEP

3072:OLHCxS1VVkaLTznPxnBorktiY+SIOIIM7nA1Mgygqr15mhs6:SKAkaL/nPRBorXY+LOIf7A1M4qh5Es6

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2692-14-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/1508-15-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/2268-74-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/1508-178-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1508-2-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2692-12-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2692-14-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1508-15-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2268-72-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2268-74-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1508-178-0x0000000000400000-0x000000000046C000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_bd38ea41bd3e640aa3585791e86ccba7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_bd38ea41bd3e640aa3585791e86ccba7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_bd38ea41bd3e640aa3585791e86ccba7.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 2692	1508	JaffaCakes118_bd38ea41bd3e640aa3585791e86ccba7.exe	31
PID 1508 wrote to memory of 2692	1508	JaffaCakes118_bd38ea41bd3e640aa3585791e86ccba7.exe	31
PID 1508 wrote to memory of 2692	1508	JaffaCakes118_bd38ea41bd3e640aa3585791e86ccba7.exe	31
PID 1508 wrote to memory of 2692	1508	JaffaCakes118_bd38ea41bd3e640aa3585791e86ccba7.exe	31
PID 1508 wrote to memory of 2268	1508	JaffaCakes118_bd38ea41bd3e640aa3585791e86ccba7.exe	33
PID 1508 wrote to memory of 2268	1508	JaffaCakes118_bd38ea41bd3e640aa3585791e86ccba7.exe	33
PID 1508 wrote to memory of 2268	1508	JaffaCakes118_bd38ea41bd3e640aa3585791e86ccba7.exe	33
PID 1508 wrote to memory of 2268	1508	JaffaCakes118_bd38ea41bd3e640aa3585791e86ccba7.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bd38ea41bd3e640aa3585791e86ccba7.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bd38ea41bd3e640aa3585791e86ccba7.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bd38ea41bd3e640aa3585791e86ccba7.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bd38ea41bd3e640aa3585791e86ccba7.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2692
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bd38ea41bd3e640aa3585791e86ccba7.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bd38ea41bd3e640aa3585791e86ccba7.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\D56D.FA1

Filesize
1KB

MD5
5679a6a518c7394adecb784ab45a939b

SHA1
0a3498d9edf46a94ba1dd7ca28227296a45435aa

SHA256
da6a4c851bce28ffd7c6477309b30581588a173020323d04185fbd6d23482907

SHA512
6f31b0e36ed772cebe0df5b5fe832106b26600ee77ed9d642384bc1054a9936519ac578d1457795f5407b44f5c2292d1b19ec560877a6604e7e7adbdb629e612

Download Submit
C:\Users\Admin\AppData\Roaming\D56D.FA1

Filesize
600B

MD5
dbbb0bb145f6b874e75628352ebfe2c4

SHA1
67658bf67d2810b7e61e46d4b1c6e6ca2cb06382

SHA256
70b80a9e0d66d635b519f60c0bdcc6a2e9943d2f63b0f0620396d21090b41617

SHA512
3942171769771f47d79ee2a69bc34602118b44b45a86a9338c6388e3b1eb6820f2aec491d6f69c6692ead9ae9ace7a8f0eded3f4677ca7247fbece646aaf5508

Download Submit
C:\Users\Admin\AppData\Roaming\D56D.FA1

Filesize
996B

MD5
0942a9f0687136b20b64740dcc67d40e

SHA1
6de9f19db725b14b9ce834a094c9d216971edb01

SHA256
1bac84421803ff72f21ee27f0ba53147b552cf77b67029f6a8ecf9e42a4abbd6

SHA512
76121ee041a6593d8a353355b0f6c5fc516a79ed4e4a958a69557dcec4460208eabb991ae2f007035aa4f3311d618d61c077d0069653060e7d9b3e853ed2d466

Download Submit
memory/1508-1-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1508-2-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1508-15-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1508-178-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2268-72-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2268-74-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2692-12-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2692-14-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing