cycbot | 658271b9a7fa19820f64a1ca3c4d19a38cd368ae4d59aae8329f737b1cfc650c

General

Target

JaffaCakes118_bfa1d50fedad974a4199e5c01655bdb2.exe
Size

166KB
MD5

bfa1d50fedad974a4199e5c01655bdb2
SHA1

c4cdf26f8110647a680e520087ca3d4339deb2ab
SHA256

658271b9a7fa19820f64a1ca3c4d19a38cd368ae4d59aae8329f737b1cfc650c
SHA512

c0afdddd6ac98c64c0e037c29ecee95e4f0362305dcafd66e53c2ddb31a67d7e150622c7923b81be019958f5317ac21ed5289fc6e603569fb3d0d97e74472229
SSDEEP

3072:b5aUwUmJPCJIeGTvJTNdBadhGdDpWU+Jzu7bzKtQ4T/ffJTkTeM43D5c:b5SUmJPEI1vTdYhSUhzuM/ffRkTeMmDS

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2384-6-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot
behavioral1/memory/2848-14-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot
behavioral1/memory/2052-90-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot
behavioral1/memory/2848-159-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot
behavioral1/memory/2848-204-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2848-2-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2384-5-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2384-6-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2848-14-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2052-89-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2052-90-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2848-159-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2848-204-0x0000000000400000-0x0000000000468000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_bfa1d50fedad974a4199e5c01655bdb2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_bfa1d50fedad974a4199e5c01655bdb2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_bfa1d50fedad974a4199e5c01655bdb2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2384	2848	JaffaCakes118_bfa1d50fedad974a4199e5c01655bdb2.exe	31
PID 2848 wrote to memory of 2384	2848	JaffaCakes118_bfa1d50fedad974a4199e5c01655bdb2.exe	31
PID 2848 wrote to memory of 2384	2848	JaffaCakes118_bfa1d50fedad974a4199e5c01655bdb2.exe	31
PID 2848 wrote to memory of 2384	2848	JaffaCakes118_bfa1d50fedad974a4199e5c01655bdb2.exe	31
PID 2848 wrote to memory of 2052	2848	JaffaCakes118_bfa1d50fedad974a4199e5c01655bdb2.exe	33
PID 2848 wrote to memory of 2052	2848	JaffaCakes118_bfa1d50fedad974a4199e5c01655bdb2.exe	33
PID 2848 wrote to memory of 2052	2848	JaffaCakes118_bfa1d50fedad974a4199e5c01655bdb2.exe	33
PID 2848 wrote to memory of 2052	2848	JaffaCakes118_bfa1d50fedad974a4199e5c01655bdb2.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bfa1d50fedad974a4199e5c01655bdb2.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bfa1d50fedad974a4199e5c01655bdb2.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bfa1d50fedad974a4199e5c01655bdb2.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bfa1d50fedad974a4199e5c01655bdb2.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2384
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bfa1d50fedad974a4199e5c01655bdb2.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bfa1d50fedad974a4199e5c01655bdb2.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\9473.DC6

Filesize
1KB

MD5
f15e53b8a6da4e8e117a414c4fe77fe5

SHA1
855197b647b7996328f01e93c2681f9ecff126c7

SHA256
4d819f110c6ad492ee3bc85bead5fdf11044587c34b5c0ff65eb6bf2ae1e8526

SHA512
e987003dfa81fcf013b83397b08f53592506386741c2083fc7c3ec2243e00fb027706186f76a8f1840df4a519d076e3b9b9717b417c478b97495d7e609367a7e

Download Submit
C:\Users\Admin\AppData\Roaming\9473.DC6

Filesize
600B

MD5
888eb51cb72a6785a6274152364c24fe

SHA1
65eff044311cc7fd609f0cce8c10bda89dc2847f

SHA256
08e995d55fc98be77d98ea67866776aab7cac18d77822e23508aec6d27a38677

SHA512
e7402a3c6b48fe032ef0108e1e2a048e6b541c910589b7554829c9ab7146ce2622265f135972c569cfca1b4059dd1af7e9fdd5626c0f67d08ef46d6512cc53a1

Download Submit
C:\Users\Admin\AppData\Roaming\9473.DC6

Filesize
1KB

MD5
f1526d930b364d54cb3886783eaabbcf

SHA1
af1cc341774646c0ef8439a77abbb411eda65669

SHA256
aaf1e08b88c272031932050af323cab3e187a33ac266d028204ea4fe408dd67f

SHA512
c6ce412690cd2355b33cd2f4d7ae7b5bef7fd6365590030cb62e0bc619e6d593f98f92dbb43dfcaaf5ef32c4ee9113d6dedc6d79c9b595cd2684016875af9041

Download Submit
C:\Users\Admin\AppData\Roaming\9473.DC6

Filesize
996B

MD5
75b98ef5d88ec482751f67e551de7b37

SHA1
7608430a2593f45668513e6233ccab4c99f661cd

SHA256
cb3c52c706a9152b82a196746649a21656fe7141296517e8def4f009e658fb00

SHA512
9008af7b085e670ab159ddf3bee1bbe8ad14a22f0f2c1e8f3be3539cb97943a0d13f267e0aae485f3fecd1199342c1be9684915650ba87836c5e3f7d5daacf90

Download Submit
memory/2052-88-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2052-89-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2052-90-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2384-6-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2384-5-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2848-14-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2848-1-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2848-159-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2848-2-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2848-204-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing