cycbot | 102110cdaca235a056e98f2291e135823a25bcbe9da6148c51e67d6a07dd7f1f

General

Target

JaffaCakes118_57e0ebe1fb48a799fddef850f1b5e332.exe
Size

154KB
MD5

57e0ebe1fb48a799fddef850f1b5e332
SHA1

379f0536df5c8c7af67c68998d486847101023e8
SHA256

102110cdaca235a056e98f2291e135823a25bcbe9da6148c51e67d6a07dd7f1f
SHA512

25a365ee1587f5ec2a738c62a07b83dec1acff8a9bde38471eb1f154918e6d7109504eb9f1d1a3a2b366bbcbc6d87bb8a9bf20de7e58df50411efea1cb583358
SSDEEP

3072:K6m0IdyJ0vriWnYMGLtwMyJfAO0/5tuR3fNVHiwzJ/wV1sDGeQA3+r5:K6FjJ0FnY/wMaz0/XuBfN5iwzJJDG0+

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2376-8-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot
behavioral1/memory/2376-6-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot
behavioral1/memory/2552-16-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot
behavioral1/memory/2252-88-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot
behavioral1/memory/2552-204-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2552-2-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2376-8-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2376-6-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2376-5-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2552-16-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2252-88-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2252-87-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2552-204-0x0000000000400000-0x0000000000468000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_57e0ebe1fb48a799fddef850f1b5e332.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_57e0ebe1fb48a799fddef850f1b5e332.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_57e0ebe1fb48a799fddef850f1b5e332.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 2376	2552	JaffaCakes118_57e0ebe1fb48a799fddef850f1b5e332.exe	30
PID 2552 wrote to memory of 2376	2552	JaffaCakes118_57e0ebe1fb48a799fddef850f1b5e332.exe	30
PID 2552 wrote to memory of 2376	2552	JaffaCakes118_57e0ebe1fb48a799fddef850f1b5e332.exe	30
PID 2552 wrote to memory of 2376	2552	JaffaCakes118_57e0ebe1fb48a799fddef850f1b5e332.exe	30
PID 2552 wrote to memory of 2252	2552	JaffaCakes118_57e0ebe1fb48a799fddef850f1b5e332.exe	33
PID 2552 wrote to memory of 2252	2552	JaffaCakes118_57e0ebe1fb48a799fddef850f1b5e332.exe	33
PID 2552 wrote to memory of 2252	2552	JaffaCakes118_57e0ebe1fb48a799fddef850f1b5e332.exe	33
PID 2552 wrote to memory of 2252	2552	JaffaCakes118_57e0ebe1fb48a799fddef850f1b5e332.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_57e0ebe1fb48a799fddef850f1b5e332.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_57e0ebe1fb48a799fddef850f1b5e332.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_57e0ebe1fb48a799fddef850f1b5e332.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_57e0ebe1fb48a799fddef850f1b5e332.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2376
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_57e0ebe1fb48a799fddef850f1b5e332.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_57e0ebe1fb48a799fddef850f1b5e332.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\824E.299

Filesize
1KB

MD5
9c97818c6fc1f1253d0572dbc748c262

SHA1
b640caade52d741ba080b8afcc9aa94a9dfc68a6

SHA256
bac1c2cf4e4478aa4de7d8b3626f443ee9914531c329d18876b061a01c5abf9c

SHA512
b28113efc515f8e0d8b84b895653462043ab6840dc5678e2860d1923864c3bc48f30b497a6b8f37744b14486336b5e921d4627f8c7236ddf803ae5ede2150a28

Download Submit
C:\Users\Admin\AppData\Roaming\824E.299

Filesize
600B

MD5
b6ba94b6285843295a110681be96477e

SHA1
e404de9301ac8bbcb9bb2c2f2efd06722c26a74d

SHA256
3e2085d61bd425e6519debd8a3e7651e5725484898cbb95010fa4c0a9206875a

SHA512
b20a0685c0cac8b5a10814896b0b90ba895a7f9aa4b86e9513d7604759d3d21e45cd88624a09ce933337e4f9d5b7978a18b257864a7f2996f956923a541c8b51

Download Submit
C:\Users\Admin\AppData\Roaming\824E.299

Filesize
996B

MD5
122b7eadbe2f190b2c3e9e54fc7a813b

SHA1
a03c284e9773c611513abea44a89fa0cab90cd51

SHA256
5c75f575ef2862c06441a83a8b46a7e978d1057e7f87b81a8215992330084d53

SHA512
81a62427bd20bd963c5e7f3a50e72b7713e702742d42fd8416107e087f71dbddc037c4167e4c15173f821aeab0435f4e803164acddee3d131a482a0f9e5b7788

Download Submit
memory/2252-87-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2252-85-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2252-88-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2376-5-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2376-6-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2376-8-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2552-16-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2552-1-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2552-2-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2552-204-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing