cycbot | 4de918adce319e1593def16c36e696f0653fe0a9c9079da72aaa6e38eb019284

General

Target

JaffaCakes118_e2bec97e8aa75ea569352756f99c339f.exe
Size

188KB
MD5

e2bec97e8aa75ea569352756f99c339f
SHA1

a44c2b430a9243f023067869318c242606d3b71a
SHA256

4de918adce319e1593def16c36e696f0653fe0a9c9079da72aaa6e38eb019284
SHA512

2ab57e0cda70f8d03984176e64dfb359bf762d8cb8f0cea2bcf2827ef648e3806ed20e09df19c0ecbed01e61c9a5d21f9a564bec36603fcfcb9f16c7ed1fbd72
SSDEEP

3072:JQJL5ddwYprtRMUmp9H7f/RacuCTWRuORRZtcFO+O1Jyk7Iz+trbUsgn:JAFddwcDr2H7BGKiZtc4+O1AYIz+gsg

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2480-15-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/2364-16-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/1580-84-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/2364-183-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2364-2-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2480-15-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2480-13-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2364-16-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/1580-83-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/1580-84-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2364-183-0x0000000000400000-0x000000000044E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_e2bec97e8aa75ea569352756f99c339f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_e2bec97e8aa75ea569352756f99c339f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_e2bec97e8aa75ea569352756f99c339f.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2480	2364	JaffaCakes118_e2bec97e8aa75ea569352756f99c339f.exe	31
PID 2364 wrote to memory of 2480	2364	JaffaCakes118_e2bec97e8aa75ea569352756f99c339f.exe	31
PID 2364 wrote to memory of 2480	2364	JaffaCakes118_e2bec97e8aa75ea569352756f99c339f.exe	31
PID 2364 wrote to memory of 2480	2364	JaffaCakes118_e2bec97e8aa75ea569352756f99c339f.exe	31
PID 2364 wrote to memory of 1580	2364	JaffaCakes118_e2bec97e8aa75ea569352756f99c339f.exe	33
PID 2364 wrote to memory of 1580	2364	JaffaCakes118_e2bec97e8aa75ea569352756f99c339f.exe	33
PID 2364 wrote to memory of 1580	2364	JaffaCakes118_e2bec97e8aa75ea569352756f99c339f.exe	33
PID 2364 wrote to memory of 1580	2364	JaffaCakes118_e2bec97e8aa75ea569352756f99c339f.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e2bec97e8aa75ea569352756f99c339f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e2bec97e8aa75ea569352756f99c339f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e2bec97e8aa75ea569352756f99c339f.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e2bec97e8aa75ea569352756f99c339f.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2480
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e2bec97e8aa75ea569352756f99c339f.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e2bec97e8aa75ea569352756f99c339f.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\9FEA.6C9

Filesize
1KB

MD5
b4eaf8dbb0528c872a2c6310b6651c40

SHA1
d2c3cf488495ab6422b819c6664a1336037c67e5

SHA256
f36033e66f12124aaafe7c73f2f246af78c067cec9da2adca3bc5a5f9c11fede

SHA512
fd3c904cfaf6c8c6cdf937ce8abd01547fa27fe6a31433db56264729331490c98803cb20d9c51cae3bc70f2c684c42d1a16646af57ae0f6d4715cc1d3cd8ec1f

Download Submit
C:\Users\Admin\AppData\Roaming\9FEA.6C9

Filesize
600B

MD5
16c2845d97abe7de0f3544225cb0024f

SHA1
1e6c04177e970283bdbf54c4c7ad7ae3799592b8

SHA256
89ffd9ee89c680ecbcb37620396a23fb99a19287e8d9a52f2fb2734eace18141

SHA512
bd785bba804edaf0e1cab1fcbe32e2d00b2df78c0694f5492c0b027c77d10e167415f2a79a6fcfc7a29970fc6860c796d80136fb598dde30342849b9611c6adf

Download Submit
C:\Users\Admin\AppData\Roaming\9FEA.6C9

Filesize
996B

MD5
58b2bfa0ce0c0f84540c1748df96c3e1

SHA1
a19fbea7b9b19586ff08cf945dacb36dd057cfa9

SHA256
718969e0625d4192507c3d91d05c1504570ab771cfd8da23b8ac247248190eab

SHA512
13ad95b8743f1ed00d107cef5acf36f9c8671a33e7599cb4319e42633134aa513e857e2d85e312c1918b6ec5141fcb5110e55088f5961a7566491dae63d34610

Download Submit
memory/1580-83-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1580-84-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2364-1-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2364-2-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2364-16-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2364-183-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2480-15-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2480-12-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2480-13-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing