cycbot | 0d85ac6300886bb171e8e6345ac049c3a1efa70db96c5e84ad4cc3abf8a32920

General

Target

JaffaCakes118_1d8709a213120dcc8e2c9cc454d93891.exe
Size

183KB
MD5

1d8709a213120dcc8e2c9cc454d93891
SHA1

4597a53cfdb50f2c2b0aab6479d23409368ac0de
SHA256

0d85ac6300886bb171e8e6345ac049c3a1efa70db96c5e84ad4cc3abf8a32920
SHA512

bda4fcc4cb041cbdf3a86fd19ba11bdb68827efdd6542bb1cf518600199e24822bd7728a0b839c9ffa7743d3ab5fd805d30e38799ef882ba43d1e748ec28a470
SSDEEP

3072:rltZnjFQ2sjrJ/FWNZtFw+4VEH3vGEjbvrnpmSk/FH9dzrJLYBOBT6u4mpDM476B:rl/eZjtAsGH3vdjbvrn0ZzFYBmlFDMvB

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2776-8-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/1552-16-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/2128-79-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/1552-182-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1552-2-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2776-6-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2776-8-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1552-16-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2128-79-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1552-182-0x0000000000400000-0x000000000044B000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1d8709a213120dcc8e2c9cc454d93891.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1d8709a213120dcc8e2c9cc454d93891.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1d8709a213120dcc8e2c9cc454d93891.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 2776	1552	JaffaCakes118_1d8709a213120dcc8e2c9cc454d93891.exe	30
PID 1552 wrote to memory of 2776	1552	JaffaCakes118_1d8709a213120dcc8e2c9cc454d93891.exe	30
PID 1552 wrote to memory of 2776	1552	JaffaCakes118_1d8709a213120dcc8e2c9cc454d93891.exe	30
PID 1552 wrote to memory of 2776	1552	JaffaCakes118_1d8709a213120dcc8e2c9cc454d93891.exe	30
PID 1552 wrote to memory of 2128	1552	JaffaCakes118_1d8709a213120dcc8e2c9cc454d93891.exe	32
PID 1552 wrote to memory of 2128	1552	JaffaCakes118_1d8709a213120dcc8e2c9cc454d93891.exe	32
PID 1552 wrote to memory of 2128	1552	JaffaCakes118_1d8709a213120dcc8e2c9cc454d93891.exe	32
PID 1552 wrote to memory of 2128	1552	JaffaCakes118_1d8709a213120dcc8e2c9cc454d93891.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1d8709a213120dcc8e2c9cc454d93891.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1d8709a213120dcc8e2c9cc454d93891.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1d8709a213120dcc8e2c9cc454d93891.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1d8709a213120dcc8e2c9cc454d93891.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2776
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1d8709a213120dcc8e2c9cc454d93891.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1d8709a213120dcc8e2c9cc454d93891.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\A3C1.824

Filesize
1KB

MD5
6262e95501fdc2dd9a8364332b27516f

SHA1
e2763c67c0402c129fa1f998e777eb153bf6a2eb

SHA256
e0a64317247d6f5574913792e779e8c88d8f21bcce9f9686682ab13ece66d39d

SHA512
96625c8615be5a517debe5406a72bd04857dd28974bff818f8a7b408c73f62ca745d17c201fa662f31263a81516038e458ec5934590b8474296ed250051131b6

Download Submit
C:\Users\Admin\AppData\Roaming\A3C1.824

Filesize
600B

MD5
7f0f878fbe35b4c36417b0da7148323a

SHA1
859466608b23c240c9bb491e8ab2782eac5fe53c

SHA256
bd1793b139b57534c48118690d0c460e47b8e1ba0875be538069325dc838cbdf

SHA512
b227a1b303efa9dab6c4186ef6b906171929e7a6440b08a601cb1ed335a26893dc91fd3c990542a66889ba0d56be0e50cab19942b83b160d7ad80dc20b79bdad

Download Submit
C:\Users\Admin\AppData\Roaming\A3C1.824

Filesize
996B

MD5
416c323539306e6a942f32b06cdfc0de

SHA1
f8036a1bb5c6018b27ac72a50fb8bbe964ab531f

SHA256
2b471e82b49c4b6ed6e9dca9c6f7fd4e7d629777f63e7464fa470297689129dd

SHA512
6d358feacb8204cf8a04c7e13dab7483a8882ab88b765022ac8fcaec1f187a8ecb805b43e06ede07d173500b44022e9ec58ab1c217deb120d82553f4d352609a

Download Submit
memory/1552-1-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1552-2-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1552-16-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1552-182-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2128-79-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2776-6-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2776-8-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2776-5-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing