cycbot | 1149181e6502631a5554aae635b4e4e0516b5b239ed402b91303d8b5148c2b78

General

Target

JaffaCakes118_60106147f86f2499e3bb563a27e9d14e.exe
Size

175KB
MD5

60106147f86f2499e3bb563a27e9d14e
SHA1

052d99aac36d998099e7e4ab6c7fcfc65ea5e847
SHA256

1149181e6502631a5554aae635b4e4e0516b5b239ed402b91303d8b5148c2b78
SHA512

0051f325ac3d310537728dce767338f3139663b331abd54c03281deeb1ac18f379f2a41b8edfea49d6c2eef5e6cd026a0271d8312c2069bb3f4c8817ca9b7036
SSDEEP

3072:tyyVOeUy/4VzfRm2GdehfBd7nxszBfX7/zMdWFXXaYIv06Hd8xdz:tzYhy/4tJmBApBuBv7/fFnpIvl9kd

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2148-7-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/2740-15-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/592-87-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/2740-189-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2740-2-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2148-5-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2148-7-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2740-15-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/592-86-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/592-87-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2740-189-0x0000000000400000-0x000000000044B000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_60106147f86f2499e3bb563a27e9d14e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_60106147f86f2499e3bb563a27e9d14e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_60106147f86f2499e3bb563a27e9d14e.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 2148	2740	JaffaCakes118_60106147f86f2499e3bb563a27e9d14e.exe	30
PID 2740 wrote to memory of 2148	2740	JaffaCakes118_60106147f86f2499e3bb563a27e9d14e.exe	30
PID 2740 wrote to memory of 2148	2740	JaffaCakes118_60106147f86f2499e3bb563a27e9d14e.exe	30
PID 2740 wrote to memory of 2148	2740	JaffaCakes118_60106147f86f2499e3bb563a27e9d14e.exe	30
PID 2740 wrote to memory of 592	2740	JaffaCakes118_60106147f86f2499e3bb563a27e9d14e.exe	32
PID 2740 wrote to memory of 592	2740	JaffaCakes118_60106147f86f2499e3bb563a27e9d14e.exe	32
PID 2740 wrote to memory of 592	2740	JaffaCakes118_60106147f86f2499e3bb563a27e9d14e.exe	32
PID 2740 wrote to memory of 592	2740	JaffaCakes118_60106147f86f2499e3bb563a27e9d14e.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60106147f86f2499e3bb563a27e9d14e.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60106147f86f2499e3bb563a27e9d14e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60106147f86f2499e3bb563a27e9d14e.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60106147f86f2499e3bb563a27e9d14e.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2148
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60106147f86f2499e3bb563a27e9d14e.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60106147f86f2499e3bb563a27e9d14e.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\C879.6F5

Filesize
1KB

MD5
a81b00262bc031c8c20c08aff8585208

SHA1
b31f771c4d0eb208ecb9d1014cae861b21225b76

SHA256
9481c7bd16fee7bcd3c8b1788c626f98ac72f3b4d65b560905dc292fafb98dd9

SHA512
4eb5c9277118d4c3de44153fca3e2b0b024518815d43857a8dda29794777165bd97d5ccadedbc3d02b14c50514ef05c8d6a534078319088fcb916abb841082f9

Download Submit
C:\Users\Admin\AppData\Roaming\C879.6F5

Filesize
600B

MD5
8b2f1f9d925d174838c28c53a7c35541

SHA1
6f6778843f9d17f6481d0b57c74fb8fbaf797a99

SHA256
9e57c93088cdeafac36ec39d2d39af74155815167eb08168c5eac51827ddf906

SHA512
a938b775bb6c256f3346834ebde15e50afd47c252f193fea38305930590be4d500618d0a0c41e54bb01bef2c35ecaac74c0503de21193c8ebdf135d412acd936

Download Submit
C:\Users\Admin\AppData\Roaming\C879.6F5

Filesize
996B

MD5
9ffc86d9f2507ee63106054e348a0697

SHA1
44ede3484493533179bc4c63c02642b995291dda

SHA256
a36d01b07e36dae536dd7a45b08ec6123aaa7549cd45b925128dd015ad4ea7d7

SHA512
2e3327ac7cc8cebd35abdda09675564d75ffc86e85025db9c7a3dccb3d839ff3ea99d167eaaf91d5a1571583359a9e73aa329211377b26b5c347a485b369a6e4

Download Submit
memory/592-86-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/592-85-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/592-87-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2148-5-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2148-7-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2740-1-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2740-2-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2740-15-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2740-189-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing