cycbot | e49ea3ce4c862db5e507cfb2ab55c469dc14c050721c18ca11fd071ab9c28f63

General

Target

JaffaCakes118_6a934cebdad405e11ca1883bc620069b.exe
Size

206KB
MD5

6a934cebdad405e11ca1883bc620069b
SHA1

37e5f2c797f375aebe4fb2795adba1bf71b15735
SHA256

e49ea3ce4c862db5e507cfb2ab55c469dc14c050721c18ca11fd071ab9c28f63
SHA512

f7fb32930bc163970c48d1234dffbed39f29ff2026e1aa0e5ee46efb4dbb61442850a6b5215bea32dde14ab896b1165b4292260973c265b0012844c29c01fb4e
SSDEEP

6144:pI/9zgWclaAr9sMd+s/t5Ud9VxGFkWhY9A/BU3e:pI/RgWclaApD/t5uuFk9SU3e

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2888-7-0x0000000000400000-0x000000000044D000-memory.dmp	family_cycbot
behavioral1/memory/2712-15-0x0000000000400000-0x000000000044D000-memory.dmp	family_cycbot
behavioral1/memory/3012-78-0x0000000000400000-0x000000000044D000-memory.dmp	family_cycbot
behavioral1/memory/2712-182-0x0000000000400000-0x000000000044D000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2712-2-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/2888-6-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/2888-7-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/2712-15-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/3012-78-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/2712-182-0x0000000000400000-0x000000000044D000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6a934cebdad405e11ca1883bc620069b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6a934cebdad405e11ca1883bc620069b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6a934cebdad405e11ca1883bc620069b.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 2888	2712	JaffaCakes118_6a934cebdad405e11ca1883bc620069b.exe	31
PID 2712 wrote to memory of 2888	2712	JaffaCakes118_6a934cebdad405e11ca1883bc620069b.exe	31
PID 2712 wrote to memory of 2888	2712	JaffaCakes118_6a934cebdad405e11ca1883bc620069b.exe	31
PID 2712 wrote to memory of 2888	2712	JaffaCakes118_6a934cebdad405e11ca1883bc620069b.exe	31
PID 2712 wrote to memory of 3012	2712	JaffaCakes118_6a934cebdad405e11ca1883bc620069b.exe	33
PID 2712 wrote to memory of 3012	2712	JaffaCakes118_6a934cebdad405e11ca1883bc620069b.exe	33
PID 2712 wrote to memory of 3012	2712	JaffaCakes118_6a934cebdad405e11ca1883bc620069b.exe	33
PID 2712 wrote to memory of 3012	2712	JaffaCakes118_6a934cebdad405e11ca1883bc620069b.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a934cebdad405e11ca1883bc620069b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a934cebdad405e11ca1883bc620069b.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a934cebdad405e11ca1883bc620069b.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a934cebdad405e11ca1883bc620069b.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2888
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a934cebdad405e11ca1883bc620069b.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a934cebdad405e11ca1883bc620069b.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\3001.9C1

Filesize
1KB

MD5
b31f78757cbed3a7f11b4bc54838b39c

SHA1
64b4cd90b9e53219fa6592d6496e8369b8ed5097

SHA256
8305081287e7f1c45148c93324fec29d285b5b893816b36a62428f22b7b25127

SHA512
eab3256b26a0f9d2301380b39d7ad21a07fb23544346afeff724a99ecf0549179490682d7a1d82f9e306863599199ebf1b711d48b8dae60f8fcaae4955714d77

Download Submit
C:\Users\Admin\AppData\Roaming\3001.9C1

Filesize
600B

MD5
edf6add773d3d2a25fa78452572f3fff

SHA1
99d38829a7b07239b684bbd7e7a2651696f6f78f

SHA256
6d54353b031de80878b8f4f86fe83d882e277d4142b4b440ca62da03d45c53fd

SHA512
2bed91cdfab929ad23fb0b19293dc17bd23ae3b32656ce9db79bcf115c7bf17d9ecda901d37ba864096d2fd604aaa445a352f949dd98e3acd2c0fe6d92a7dbf6

Download Submit
C:\Users\Admin\AppData\Roaming\3001.9C1

Filesize
996B

MD5
c22ef5d44f75498113eb773ecaef46ed

SHA1
f4eb57fbf17c32e8315eeb97480145981dd15aab

SHA256
443fe4e81425eab08689f9a400ab77dc6ffe3be50b097b4d35b586c36ae8b726

SHA512
d5747967f4e43ef2c3e3b8fb7d09421723ee279824f65394c78564dc933adc5a448582992fdee4e40bf59c7c89db39613f40691a1b3af455d6ca5b492f2f511f

Download Submit
memory/2712-1-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2712-2-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2712-15-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2712-182-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2888-6-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2888-5-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2888-7-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/3012-78-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download

Analysis

Sharing