cycbot | 0c3dbf68572d567efb371ddcae62f7d46d61b521229f25e5a4ab7d0fe8d2f05f

General

Target

JaffaCakes118_6ae4a2ceb9f9f1ed673bfec8dd83b395.exe
Size

191KB
MD5

6ae4a2ceb9f9f1ed673bfec8dd83b395
SHA1

c19c873e6e8c47ec55f528cd07c25e451276c79a
SHA256

0c3dbf68572d567efb371ddcae62f7d46d61b521229f25e5a4ab7d0fe8d2f05f
SHA512

a9fdeeaf451318e2285ef651d3330e3d65694813d1f77dcc6c32f72e794838c9ad2168b2a86d5a65c0bc28dbbcb8500e0653c7a83bd646d6d5be40bed1d0d723
SSDEEP

3072:OknNn5Ur+pyqj1LWr289k2ipEADxj8t5UK8CAxVOOA4JIA/QdEfFvLeb:TnN5ZHorLH7ADxj8t5eCAxVOOyA/EEte

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2368-14-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/1616-15-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/1320-83-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/1616-196-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1616-2-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2368-12-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2368-14-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/1616-15-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/1320-83-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/1616-196-0x0000000000400000-0x000000000044E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6ae4a2ceb9f9f1ed673bfec8dd83b395.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6ae4a2ceb9f9f1ed673bfec8dd83b395.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6ae4a2ceb9f9f1ed673bfec8dd83b395.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1616 wrote to memory of 2368	1616	JaffaCakes118_6ae4a2ceb9f9f1ed673bfec8dd83b395.exe	30
PID 1616 wrote to memory of 2368	1616	JaffaCakes118_6ae4a2ceb9f9f1ed673bfec8dd83b395.exe	30
PID 1616 wrote to memory of 2368	1616	JaffaCakes118_6ae4a2ceb9f9f1ed673bfec8dd83b395.exe	30
PID 1616 wrote to memory of 2368	1616	JaffaCakes118_6ae4a2ceb9f9f1ed673bfec8dd83b395.exe	30
PID 1616 wrote to memory of 1320	1616	JaffaCakes118_6ae4a2ceb9f9f1ed673bfec8dd83b395.exe	33
PID 1616 wrote to memory of 1320	1616	JaffaCakes118_6ae4a2ceb9f9f1ed673bfec8dd83b395.exe	33
PID 1616 wrote to memory of 1320	1616	JaffaCakes118_6ae4a2ceb9f9f1ed673bfec8dd83b395.exe	33
PID 1616 wrote to memory of 1320	1616	JaffaCakes118_6ae4a2ceb9f9f1ed673bfec8dd83b395.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6ae4a2ceb9f9f1ed673bfec8dd83b395.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6ae4a2ceb9f9f1ed673bfec8dd83b395.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6ae4a2ceb9f9f1ed673bfec8dd83b395.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6ae4a2ceb9f9f1ed673bfec8dd83b395.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2368
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6ae4a2ceb9f9f1ed673bfec8dd83b395.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6ae4a2ceb9f9f1ed673bfec8dd83b395.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\EA50.7EE

Filesize
1KB

MD5
50561c40feb0878465320842c2c77767

SHA1
5854b97841265dff3bee62043c4686ca83dd2d9c

SHA256
0a6d73d67bd0eaf9eb47059b7c492599ec4448c1ca4121af85396733f4b829b3

SHA512
6ced77b5cb8bd16778899c5b5c0d90dbec6610ca37ed08f7dbd50ab702edc699d1476ab1d7ed94ef1ef0859c5aa0a8a4b4db188f6939abd86eb95b54fc8d2a02

Download Submit
C:\Users\Admin\AppData\Roaming\EA50.7EE

Filesize
600B

MD5
74ac658b14cba1fbea8a206fffa4db3f

SHA1
9f3af5889316b47d4845c64fc6fdca165c463167

SHA256
09d6134d2e6eeb8ac6f90ac34d81aba0c1974cda076da3160076cb0025234d76

SHA512
f182a90f70e0320f45585b70e87345e1ba49946609e23e792953c6afa48aa9a3717c75aafefea1f0c23e631d5d454c6921befb0289bdc87b6f3a27c17f683bfd

Download Submit
C:\Users\Admin\AppData\Roaming\EA50.7EE

Filesize
996B

MD5
e5977e2163dd1401c302386d4eec7dbc

SHA1
2f08c30be20363df41904e583c61ebcf922a561e

SHA256
6faa8b5009f9ae27fee53a96cdcc775ff715fd93e80437f75197177eb8760e54

SHA512
692dab2b435acb83d54b08ac298b96e24cd5ecadb1b8ad297176ecc59944020c00d947a5fd349474b8d5ba3e34198b2ba76db2fdcbcc30ceaf87de516bfce3a8

Download Submit
memory/1320-83-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1616-1-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1616-2-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1616-15-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1616-196-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2368-12-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2368-14-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing