cycbot | 786aa1e9f98fabbcd356c1cd1ea1c5dd115d33bbfa02d140391247c66dfc45f3

General

Target

JaffaCakes118_76446975071b3d7bca4551b4a9fa53a5.exe
Size

200KB
MD5

76446975071b3d7bca4551b4a9fa53a5
SHA1

22ac8497f32e8aebcc95a174558265917ca07350
SHA256

786aa1e9f98fabbcd356c1cd1ea1c5dd115d33bbfa02d140391247c66dfc45f3
SHA512

7df707885ca926145a1220d8a385f88e3d404477681e6ee333ae028070badb1abddf3435b7452bb0c0e64382ef550ad16930fdc36bd648018bb99822a3047d82
SSDEEP

6144:cZilzeAzEQJFqNU407ZrZNhuuqEMqstq6y0yLMs3:KiljzvKNyBfhuXEiCFL

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2728-7-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral1/memory/2732-15-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral1/memory/2032-80-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral1/memory/2732-180-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2732-2-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2728-5-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2728-7-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2732-15-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2032-78-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2032-80-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2732-180-0x0000000000400000-0x000000000046B000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_76446975071b3d7bca4551b4a9fa53a5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_76446975071b3d7bca4551b4a9fa53a5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_76446975071b3d7bca4551b4a9fa53a5.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 2728	2732	JaffaCakes118_76446975071b3d7bca4551b4a9fa53a5.exe	30
PID 2732 wrote to memory of 2728	2732	JaffaCakes118_76446975071b3d7bca4551b4a9fa53a5.exe	30
PID 2732 wrote to memory of 2728	2732	JaffaCakes118_76446975071b3d7bca4551b4a9fa53a5.exe	30
PID 2732 wrote to memory of 2728	2732	JaffaCakes118_76446975071b3d7bca4551b4a9fa53a5.exe	30
PID 2732 wrote to memory of 2032	2732	JaffaCakes118_76446975071b3d7bca4551b4a9fa53a5.exe	32
PID 2732 wrote to memory of 2032	2732	JaffaCakes118_76446975071b3d7bca4551b4a9fa53a5.exe	32
PID 2732 wrote to memory of 2032	2732	JaffaCakes118_76446975071b3d7bca4551b4a9fa53a5.exe	32
PID 2732 wrote to memory of 2032	2732	JaffaCakes118_76446975071b3d7bca4551b4a9fa53a5.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_76446975071b3d7bca4551b4a9fa53a5.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_76446975071b3d7bca4551b4a9fa53a5.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_76446975071b3d7bca4551b4a9fa53a5.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_76446975071b3d7bca4551b4a9fa53a5.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2728
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_76446975071b3d7bca4551b4a9fa53a5.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_76446975071b3d7bca4551b4a9fa53a5.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AEF6.F85

Filesize
996B

MD5
471a50b18f6bf31449533df7da65587e

SHA1
c85e58cfd5c03916c7e6428a879ac1ce477b4ea0

SHA256
b8c55875fa08ca73ca9d3b6b0a4f5d7bc34baaece0f5b3660eedf393d1cff77e

SHA512
baaf8106d877344e1255ae417ef9e32e7faf19697a18c753b04daba056c1d640b258a70ac6705d0e57ceb88fc75f8bc9772ca0f3c50b7ea6376999217494509e

Download Submit
C:\Users\Admin\AppData\Roaming\AEF6.F85

Filesize
1KB

MD5
658ae73268ef0a968e1a67026e6a850a

SHA1
4b0fe2fc5302ee2daf305e55acc8564211deab1b

SHA256
83b0dbbb49d3fa7aee65a0fbbcb3b2049f64d848e1ad5b85b8f7f1abc01d5827

SHA512
6688414658adba83b5e9cf0dfb6d9b9ff9abf592480e558c6ba8d405acb8ebf801a900bf7fdfb0e86f12eed394efaff77e668b4303f74f65bf1561c22f56dfe2

Download Submit
C:\Users\Admin\AppData\Roaming\AEF6.F85

Filesize
600B

MD5
67736d40862fbf09f3aa6e722fe12b26

SHA1
f782a3c3b0821dd7067ffe92378d6ca0d8ff44af

SHA256
81d93e6de8733726c076bdfc7261c6cae9d1bbe10182083f9a34550b6f23ec55

SHA512
3b85d1d9688b12ebe45598a3e5ac589366175ba53523ecdf4b0380972562550893faaf68ac3f917391e295a9e16df4afb839cf507abaccb03e1b6c8b17357e56

Download Submit
memory/2032-78-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2032-80-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2728-5-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2728-7-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2732-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2732-2-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2732-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2732-180-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing