cycbot | f30ecd3b615bd035fd637393d72651d50bb50038711605383ac113c496bae059

General

Target

JaffaCakes118_1fb7fc9d81bd33551df132bea26bd15a.exe
Size

183KB
MD5

1fb7fc9d81bd33551df132bea26bd15a
SHA1

8ff9701bea9b9fcb24bb6e9b5dbcbfa491608c4b
SHA256

f30ecd3b615bd035fd637393d72651d50bb50038711605383ac113c496bae059
SHA512

234187f76519f28db09bd2210097b422556c9a82cc2d5a573d6761c766b34096ec3a713aeb92d50aeb7129ff5942022e629235ff09b85b9a0351056c90a65a01
SSDEEP

3072:FPtYq2Qpzi0kjLKs41P2lKq5KlaqBnakrBliXvtYhWEgPdn2kZIBJr+vYsWSYLj:b2d0kjWFEKIOiXFY0n2FDBr

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2696-7-0x0000000000400000-0x0000000000469000-memory.dmp	family_cycbot
behavioral1/memory/2696-9-0x0000000000400000-0x0000000000469000-memory.dmp	family_cycbot
behavioral1/memory/1064-14-0x0000000000400000-0x0000000000469000-memory.dmp	family_cycbot
behavioral1/memory/2924-75-0x0000000000400000-0x0000000000469000-memory.dmp	family_cycbot
behavioral1/memory/1064-171-0x0000000000400000-0x0000000000469000-memory.dmp	family_cycbot
behavioral1/memory/1064-206-0x0000000000400000-0x0000000000469000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1064-2-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2696-7-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2696-9-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/1064-14-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2924-75-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/1064-171-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/1064-206-0x0000000000400000-0x0000000000469000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fb7fc9d81bd33551df132bea26bd15a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fb7fc9d81bd33551df132bea26bd15a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1fb7fc9d81bd33551df132bea26bd15a.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 2696	1064	JaffaCakes118_1fb7fc9d81bd33551df132bea26bd15a.exe	30
PID 1064 wrote to memory of 2696	1064	JaffaCakes118_1fb7fc9d81bd33551df132bea26bd15a.exe	30
PID 1064 wrote to memory of 2696	1064	JaffaCakes118_1fb7fc9d81bd33551df132bea26bd15a.exe	30
PID 1064 wrote to memory of 2696	1064	JaffaCakes118_1fb7fc9d81bd33551df132bea26bd15a.exe	30
PID 1064 wrote to memory of 2924	1064	JaffaCakes118_1fb7fc9d81bd33551df132bea26bd15a.exe	32
PID 1064 wrote to memory of 2924	1064	JaffaCakes118_1fb7fc9d81bd33551df132bea26bd15a.exe	32
PID 1064 wrote to memory of 2924	1064	JaffaCakes118_1fb7fc9d81bd33551df132bea26bd15a.exe	32
PID 1064 wrote to memory of 2924	1064	JaffaCakes118_1fb7fc9d81bd33551df132bea26bd15a.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fb7fc9d81bd33551df132bea26bd15a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fb7fc9d81bd33551df132bea26bd15a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fb7fc9d81bd33551df132bea26bd15a.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fb7fc9d81bd33551df132bea26bd15a.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2696
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fb7fc9d81bd33551df132bea26bd15a.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fb7fc9d81bd33551df132bea26bd15a.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\32CC.3A4

Filesize
1KB

MD5
0d5df3ded8b796d7fcc717d96c92ef91

SHA1
48d3bf044e59f8ce1969f124e69134a30d76fae7

SHA256
892f8428bb3828f3b0996b5be5c8a9857231773ec0d96bada7c39a3c77fa210c

SHA512
3b1a998151ea6caf77a93fb6a80aade11a441c13f352418229c1b28566ec303a89cc923292def00618ec8fdf9bac3b906f5e12379527fefab6ea59efa1cc5a27

Download Submit
C:\Users\Admin\AppData\Roaming\32CC.3A4

Filesize
1KB

MD5
550d8e549b76c9cde38791cd05b6ef91

SHA1
795a1cbd358549cca1499fbd8a245847935a3bc9

SHA256
6782c9a77e9844803364c838bbe2e459bf3ff8892c2e26fa9f303925d611071f

SHA512
7450ddcfc1b59fdd335dc6898f9c5ae20b0e34c76f51c889a2ef69c9c9961d1ad86ddaaa21eb91cf2b7318615f9bcb584374110e2c624a7cacebd470dd46e71b

Download Submit
C:\Users\Admin\AppData\Roaming\32CC.3A4

Filesize
600B

MD5
fb120281a0d78e467e1e1e7ee82c6cb2

SHA1
d650f3a44d4762eea2a8c12b701e71abe8fac80e

SHA256
27fdcd5c0f146000952fb401a6b54b08c3297bd68c0bd51a2c906248e9f2c078

SHA512
637fee40f461b8f33aaa8d7c5ee7eee1e5548c9693bb29c60d376966cbe2e8288b351fe906b4a090dae72468163770571891dd82fc4cf180778574e50c9892f8

Download Submit
C:\Users\Admin\AppData\Roaming\32CC.3A4

Filesize
900B

MD5
062bd9006c7958f3b8f25043a7f9c8de

SHA1
e6b5a154a538dfd5ca4f3cfa91080dcbfca6ae28

SHA256
608b4dcaeb9bb09311c1bde927ef161c7555e843a97fcc44efb3fc4cf3c2d744

SHA512
508424138b2dad341266263f9795e065b9709feaee7060f5ebaddcc9c5aed0ab9b1ef3efad726904a975257af1312e33cb6e1e94a250d2ae33120f4c3b8c3e89

Download Submit
C:\Users\Admin\AppData\Roaming\32CC.3A4

Filesize
1KB

MD5
10c1221158d8d903699528658cccdf84

SHA1
d3a3907b6bb3cd7547cd287cd0ab4fa1c5dcf7bd

SHA256
3f19e45a9e63ae91ff562ffa2a237a01c0ea35be410739b2d7662d665cefa07d

SHA512
3de83d145d6dc23ae7829df59ccbca65525021f4e99007b8280abd743a4b89ae33ba4c9f53dbcae8ac344e09261f9a6834963c3ae6662e0bc690cd1631e53052

Download Submit
memory/1064-14-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1064-1-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1064-2-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1064-171-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1064-206-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2696-9-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2696-7-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2924-75-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2924-73-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download

Analysis

Sharing