cycbot | b9651acc18e1b9990e9b33ba6a7a13f6230650456ae41966d66a9726fee13d55

General

Target

JaffaCakes118_1e198fc248c260886dcefd5342e32efb.exe
Size

204KB
MD5

1e198fc248c260886dcefd5342e32efb
SHA1

f7a5090cdee527dd96e63931abdc108d35610b33
SHA256

b9651acc18e1b9990e9b33ba6a7a13f6230650456ae41966d66a9726fee13d55
SHA512

effadc7bfb8cce71df0fa6c4fd6c3143356d0f795465f36c2ecc371d847c7817c1e6c5fd2d858db1d95ca0823f36540b60e7ede937a4bc0a7cb8a33839a09609
SSDEEP

3072:v4FtNN0I0wKPQH7n/oA21gBB/wuPqWWqxPnU60UoKc2Qp5R+tUrQFNvHPpChfcA:gFp0XnITgfk7qslQ0cj5otbFNshfc

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2800-7-0x0000000000400000-0x000000000044D000-memory.dmp	family_cycbot
behavioral1/memory/2744-15-0x0000000000400000-0x000000000044D000-memory.dmp	family_cycbot
behavioral1/memory/1336-84-0x0000000000400000-0x000000000044D000-memory.dmp	family_cycbot
behavioral1/memory/2744-180-0x0000000000400000-0x000000000044D000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2744-2-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/2800-5-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/2800-7-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/2744-15-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/1336-84-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/2744-180-0x0000000000400000-0x000000000044D000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1e198fc248c260886dcefd5342e32efb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1e198fc248c260886dcefd5342e32efb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1e198fc248c260886dcefd5342e32efb.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 2800	2744	JaffaCakes118_1e198fc248c260886dcefd5342e32efb.exe	30
PID 2744 wrote to memory of 2800	2744	JaffaCakes118_1e198fc248c260886dcefd5342e32efb.exe	30
PID 2744 wrote to memory of 2800	2744	JaffaCakes118_1e198fc248c260886dcefd5342e32efb.exe	30
PID 2744 wrote to memory of 2800	2744	JaffaCakes118_1e198fc248c260886dcefd5342e32efb.exe	30
PID 2744 wrote to memory of 1336	2744	JaffaCakes118_1e198fc248c260886dcefd5342e32efb.exe	32
PID 2744 wrote to memory of 1336	2744	JaffaCakes118_1e198fc248c260886dcefd5342e32efb.exe	32
PID 2744 wrote to memory of 1336	2744	JaffaCakes118_1e198fc248c260886dcefd5342e32efb.exe	32
PID 2744 wrote to memory of 1336	2744	JaffaCakes118_1e198fc248c260886dcefd5342e32efb.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1e198fc248c260886dcefd5342e32efb.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1e198fc248c260886dcefd5342e32efb.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1e198fc248c260886dcefd5342e32efb.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1e198fc248c260886dcefd5342e32efb.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2800
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1e198fc248c260886dcefd5342e32efb.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1e198fc248c260886dcefd5342e32efb.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\30DD.659

Filesize
300B

MD5
b05ad8c9b1e3b816a54c498cf21fb7ce

SHA1
ea9912b16d1d22ea3c46e8d73d5b1ce2a38eae32

SHA256
6cfc3f219f96a07eded7f4ec7d5e3a6827d2d7a769ec0a678e510ccf9779bf09

SHA512
9d04737a902675052ccd54452db8bc96eb5222ca32d52ad77bc8534d5013184a31455a1bf982335e72dfb85d24ca90714f214757a265f1eaf6552a5327eeea08

Download Submit
C:\Users\Admin\AppData\Roaming\30DD.659

Filesize
1KB

MD5
adebcf32f272ca44f8f39c45bce9821e

SHA1
3ec019cac623b114d4b175848c618d04078dc164

SHA256
2c77674aa98906864df57983e096b791af4f1bbbff9447b1994ac0f1777e7dfc

SHA512
a54b68f7a81150af53cdf6da791cdad4daa3701e3a39b45dfd8e4117248266e2bf8546b5907ef2d5113a6615233ab2577ebebe8e3af9adb1aef2947eae2fd624

Download Submit
C:\Users\Admin\AppData\Roaming\30DD.659

Filesize
600B

MD5
3ce0ec483e5a7b5c33b07a8c91e74191

SHA1
5f0d35393b7a96b5acc8b8c1d1ccf078a41dd241

SHA256
f665451a4ff324ce73eb1890ca5c4abb4d4b3c3a139326bd2aead70b7afdf6c8

SHA512
34412469e5649e66d4fd61b69844b4e8ba2e4d18aa1283757d7da10ad3457095af016b844be78e41a7dfeab9e9b5213c763f4fa24b10b680fa5932ea8ba5ec85

Download Submit
C:\Users\Admin\AppData\Roaming\30DD.659

Filesize
996B

MD5
659b2a184db5805ba870ae8d0e93efaf

SHA1
81470573c04f70b192e6a04ae33b032c02bce35f

SHA256
0b7f694d3b283e49413256c1e0276bf9782f946baf86e3461bca8924f7ac0382

SHA512
7b46ddae66150c2a4d1ff927eb06ab70fedbf3173b0158edae38ad3fa24ff28965bb86a27e8d42da0f98c751ba043b0153e0421720885c2ca1922d6fca7f9070

Download Submit
memory/1336-84-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2744-1-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2744-2-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2744-15-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2744-180-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2800-5-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2800-7-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download

Analysis

Sharing