cycbot | ef44f098cf3112b389d0a7ef1a62c22f17dde8aee78a60da4f9ce5175871d31d

General

Target

JaffaCakes118_55f7b37e36a3f44ea9c6c8f27e8f6acb.exe
Size

241KB
MD5

55f7b37e36a3f44ea9c6c8f27e8f6acb
SHA1

6c9f61aa33c46b7d225f09589e1f186874207446
SHA256

ef44f098cf3112b389d0a7ef1a62c22f17dde8aee78a60da4f9ce5175871d31d
SHA512

9bd41b98f5746bff481524cfe373505715b1ea90f0b83c35981d15cd57978cf58d9887eac773cd64e72af6c79779e5ec8bd92674d1632827b6eb4123605309c1
SSDEEP

3072:lPCFD64MQCLGydmAR18TwbB5bMsMSNcUn8lHftDuNtvrXGBBC6ZZHLPbxVczjtK:leD/zZAP/B5Aq8fuLSzCuZrNY5//z4

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1648-7-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/2900-15-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/2672-80-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot
behavioral1/memory/2900-184-0x0000000000400000-0x000000000044C000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2900-2-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/1648-5-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/1648-7-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/2900-15-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/2672-80-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral1/memory/2900-184-0x0000000000400000-0x000000000044C000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_55f7b37e36a3f44ea9c6c8f27e8f6acb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_55f7b37e36a3f44ea9c6c8f27e8f6acb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_55f7b37e36a3f44ea9c6c8f27e8f6acb.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 1648	2900	JaffaCakes118_55f7b37e36a3f44ea9c6c8f27e8f6acb.exe	28
PID 2900 wrote to memory of 1648	2900	JaffaCakes118_55f7b37e36a3f44ea9c6c8f27e8f6acb.exe	28
PID 2900 wrote to memory of 1648	2900	JaffaCakes118_55f7b37e36a3f44ea9c6c8f27e8f6acb.exe	28
PID 2900 wrote to memory of 1648	2900	JaffaCakes118_55f7b37e36a3f44ea9c6c8f27e8f6acb.exe	28
PID 2900 wrote to memory of 2672	2900	JaffaCakes118_55f7b37e36a3f44ea9c6c8f27e8f6acb.exe	30
PID 2900 wrote to memory of 2672	2900	JaffaCakes118_55f7b37e36a3f44ea9c6c8f27e8f6acb.exe	30
PID 2900 wrote to memory of 2672	2900	JaffaCakes118_55f7b37e36a3f44ea9c6c8f27e8f6acb.exe	30
PID 2900 wrote to memory of 2672	2900	JaffaCakes118_55f7b37e36a3f44ea9c6c8f27e8f6acb.exe	30

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55f7b37e36a3f44ea9c6c8f27e8f6acb.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55f7b37e36a3f44ea9c6c8f27e8f6acb.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55f7b37e36a3f44ea9c6c8f27e8f6acb.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55f7b37e36a3f44ea9c6c8f27e8f6acb.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1648
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55f7b37e36a3f44ea9c6c8f27e8f6acb.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_55f7b37e36a3f44ea9c6c8f27e8f6acb.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\03B6.1BE

Filesize
1KB

MD5
df2e4233144fda99bec39523aa9dd750

SHA1
8b8549a7711d25d1dc0e7f12b8bed41c8d78a626

SHA256
0f7eda852dd1d7a009d507db90bf0d1e80d5caa31f3c3852441c74b8f137c93f

SHA512
76a62489206b84196343b3a87dfef4afa95ca3c67aeb5d07e499a9720dd8f8b28e9d02fca936565eb27179ce27a1452a3ee445474d71974027b977ff409c4fdf

Download Submit
C:\Users\Admin\AppData\Roaming\03B6.1BE

Filesize
1KB

MD5
f3a1d6e88b3ef38d3e2a430836d94ad3

SHA1
6dbb9fc0b3750002623a0829d706a09f3d9427a9

SHA256
679e2bb3f50660f3ef8877a7e14328b576990197fc03924cdb88cfe57c0cda69

SHA512
0b781825015a9f753ae84b3cedae0057f992930f00aa0f9cc93b0cf968a3224dca0c5c494379580ce5d0ddb655665ce56e16f9b0c6b8930352254941c413b018

Download Submit
C:\Users\Admin\AppData\Roaming\03B6.1BE

Filesize
600B

MD5
b073c1f7d54139173cce4e97ca3f6322

SHA1
3594a4e010b57af10bdd42bb7d99fb996269c6e7

SHA256
291f54728dd240ff22e2f436303d000014666d6ae7515e605fbece9fa79900f3

SHA512
b20a849cdee35a0c65df8b6bceeb677d3493ba0a773b236fe9747327bf1b8771eeed7e2642afdd83c1a9dade579102a759f99d94c7070a8bdf216d634dd1d6bc

Download Submit
C:\Users\Admin\AppData\Roaming\03B6.1BE

Filesize
996B

MD5
8fc889eb2c218754390b64d9e904b973

SHA1
ab13a1aa69e6036ea937787b4d5aeae29161f9d4

SHA256
9dd8e2789557b90a01cf24c88fab594f8e49eb366169c5a997665f45e0d6a91c

SHA512
7b0b406309988a17001ca37c015be7b79ac284300e5c4c5edd552877835786739fe8bed262fafcbd33a7f10692e547f2f7b82f1b51b569ea376615cb2faa0ad9

Download Submit
memory/1648-5-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1648-7-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2672-80-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2900-1-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2900-2-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2900-15-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2900-184-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing