cycbot | e25a524edbb1023b5cfeb5d2c8d83ff7e9fbb8e0a5f95d9d2456048d0ec0e8ab

General

Target

JaffaCakes118_0653710eb5c9598536d7ac27870134aa.exe
Size

163KB
MD5

0653710eb5c9598536d7ac27870134aa
SHA1

ef656480135941338072e365b5c0d762463bcd07
SHA256

e25a524edbb1023b5cfeb5d2c8d83ff7e9fbb8e0a5f95d9d2456048d0ec0e8ab
SHA512

2e58cff65da20bf26ad72f6014821c4ad769eb9e857f8c757eb597564bce98bcb4c561baec98d24893126b5465cac3dfec490833aa45600b1b34a4fe0b230784
SSDEEP

3072:mW2pUxUHaS1DQw26/PDOzz9Yy6oUZRf8jtAAjP96ZcIcOmjQI9o:0SU6A8N6cWTnZRmpj96ZcIcO8QN

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2188-7-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot
behavioral1/memory/2188-6-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot
behavioral1/memory/2504-15-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot
behavioral1/memory/2608-87-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot
behavioral1/memory/2504-197-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2504-1-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2188-7-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2188-6-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2504-15-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2608-86-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2608-87-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2504-197-0x0000000000400000-0x0000000000468000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0653710eb5c9598536d7ac27870134aa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0653710eb5c9598536d7ac27870134aa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0653710eb5c9598536d7ac27870134aa.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2188	2504	JaffaCakes118_0653710eb5c9598536d7ac27870134aa.exe	30
PID 2504 wrote to memory of 2188	2504	JaffaCakes118_0653710eb5c9598536d7ac27870134aa.exe	30
PID 2504 wrote to memory of 2188	2504	JaffaCakes118_0653710eb5c9598536d7ac27870134aa.exe	30
PID 2504 wrote to memory of 2188	2504	JaffaCakes118_0653710eb5c9598536d7ac27870134aa.exe	30
PID 2504 wrote to memory of 2608	2504	JaffaCakes118_0653710eb5c9598536d7ac27870134aa.exe	32
PID 2504 wrote to memory of 2608	2504	JaffaCakes118_0653710eb5c9598536d7ac27870134aa.exe	32
PID 2504 wrote to memory of 2608	2504	JaffaCakes118_0653710eb5c9598536d7ac27870134aa.exe	32
PID 2504 wrote to memory of 2608	2504	JaffaCakes118_0653710eb5c9598536d7ac27870134aa.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0653710eb5c9598536d7ac27870134aa.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0653710eb5c9598536d7ac27870134aa.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0653710eb5c9598536d7ac27870134aa.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0653710eb5c9598536d7ac27870134aa.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2188
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0653710eb5c9598536d7ac27870134aa.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0653710eb5c9598536d7ac27870134aa.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\B41B.D57

Filesize
1KB

MD5
0d923a9ce9bdfb0383d947d3fe8a45ed

SHA1
5433189a156589bd923b40439a42e5b39fd321e9

SHA256
78231dc21d732dd6f54402533bfb19c900fd1c404000f99797d9e5239b642a26

SHA512
f2f726e20f0785b769f0e97bd26663a530881453d684972d7bed39c81a1f4b85c9f6a463a775b8751642dde43c26297174b236113288e71c6e65aa1033677c0c

Download Submit
C:\Users\Admin\AppData\Roaming\B41B.D57

Filesize
600B

MD5
52644540583dfddbe013c8969cb4c52a

SHA1
a0585f5e825dddd29ecaf02fe24d3ded46b828f5

SHA256
d4554bb1b4b7d83d4dc38d8dc7ddb18b19023541077bceb4df8a85a868dd5f45

SHA512
af74675aa4ad34a78ee1d7be12e51aaf0deb2eef12a97fb2d471f5bd5535cff9b015b86fcd8fc4bf99fdc7c425d00fbea3840cbf5882009a9e4cc4719acce2e5

Download Submit
C:\Users\Admin\AppData\Roaming\B41B.D57

Filesize
996B

MD5
2c5f24d4b3f6b8eec5c3886efc1f6492

SHA1
bc167a6e0a87bb57bea53871e02bc5d1964e04e9

SHA256
6f68c610baf86e8451ffa7d5401aa94607e3b827df467626678fefea3e5cbcaa

SHA512
b5285729dce50f9848c0a49b717c2af0c4cc7240165279458c119b4cd2abcb883f9a4197ab137ab801860d0eb8dab4e0518838ac519526387fa77c838b13e46e

Download Submit
memory/2188-7-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2188-4-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2188-6-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2504-1-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2504-15-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2504-197-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2608-86-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2608-85-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2608-87-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing