cycbot | 0ff8b19635e74795f89635e81c8478a3f1a08c7b7a2c0dd842b218b7c9755941

General

Target

JaffaCakes118_76292ec163591beb993ea1b6ff9518e2.exe
Size

183KB
MD5

76292ec163591beb993ea1b6ff9518e2
SHA1

293bfbed8cd5639c6bb705ed96f6cddd4370bd5d
SHA256

0ff8b19635e74795f89635e81c8478a3f1a08c7b7a2c0dd842b218b7c9755941
SHA512

25bd43e9a3f0764fb6b0b0ec45c2f2c1976cc21f269f020ccccc8f26d32cda2f531f11ea250ab79c1d1fd11902c0e5fbb2aeb7f60fe404012bc5652cb090a1e3
SSDEEP

3072:HlV+x57RtcT6sQ9QnpQxYNj6oLq2RhwU20So2QX6Za8BTLzV8TeAjEJeJHo:FVS57DxsQYQxYNusqDo2QqzBT/V8efcI

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2300-15-0x0000000000400000-0x000000000044F000-memory.dmp	family_cycbot
behavioral1/memory/1972-16-0x0000000000400000-0x000000000044F000-memory.dmp	family_cycbot
behavioral1/memory/2800-87-0x0000000000400000-0x000000000044F000-memory.dmp	family_cycbot
behavioral1/memory/1972-200-0x0000000000400000-0x000000000044F000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1972-2-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2300-13-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2300-12-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2300-15-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/1972-16-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2800-85-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2800-87-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/1972-200-0x0000000000400000-0x000000000044F000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_76292ec163591beb993ea1b6ff9518e2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_76292ec163591beb993ea1b6ff9518e2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_76292ec163591beb993ea1b6ff9518e2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2300	1972	JaffaCakes118_76292ec163591beb993ea1b6ff9518e2.exe	30
PID 1972 wrote to memory of 2300	1972	JaffaCakes118_76292ec163591beb993ea1b6ff9518e2.exe	30
PID 1972 wrote to memory of 2300	1972	JaffaCakes118_76292ec163591beb993ea1b6ff9518e2.exe	30
PID 1972 wrote to memory of 2300	1972	JaffaCakes118_76292ec163591beb993ea1b6ff9518e2.exe	30
PID 1972 wrote to memory of 2800	1972	JaffaCakes118_76292ec163591beb993ea1b6ff9518e2.exe	33
PID 1972 wrote to memory of 2800	1972	JaffaCakes118_76292ec163591beb993ea1b6ff9518e2.exe	33
PID 1972 wrote to memory of 2800	1972	JaffaCakes118_76292ec163591beb993ea1b6ff9518e2.exe	33
PID 1972 wrote to memory of 2800	1972	JaffaCakes118_76292ec163591beb993ea1b6ff9518e2.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_76292ec163591beb993ea1b6ff9518e2.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_76292ec163591beb993ea1b6ff9518e2.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_76292ec163591beb993ea1b6ff9518e2.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_76292ec163591beb993ea1b6ff9518e2.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2300
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_76292ec163591beb993ea1b6ff9518e2.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_76292ec163591beb993ea1b6ff9518e2.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\C70B.EC4

Filesize
1KB

MD5
769a7678c0781b51608b80238de30c8c

SHA1
800ca3f0f86534e1c424270b691af6440b036a75

SHA256
96cde77e562f76dcf0eaa9a7b7fc7d538df50a8624f46bb762d426b91c4f62e3

SHA512
2a87bd715a4cae24de6d88e3987fe19f2fc8bff0fdba3d31d8100beff2d45e3f9cdb29734318222468397f59aaf83eb0a097f29d49acf81891bd001e844bd655

Download Submit
C:\Users\Admin\AppData\Roaming\C70B.EC4

Filesize
600B

MD5
df6838ea3e3a534c577738ca2d51a90f

SHA1
ed4c45d095155e6b416e053a2c095e7afdb7b19f

SHA256
398b2f3eb600696a15bb79716b234d2fc69bf5e373b31ec6350d8e427d08e7ab

SHA512
90d360c1e824ea6471add29b623382607ce966cbcc004b2e0af53dfd8245e32e17a5598f304b00fac0716295af84705cdace94ca0cae0f58079e1e23c2df6f47

Download Submit
C:\Users\Admin\AppData\Roaming\C70B.EC4

Filesize
996B

MD5
abf71cf1e08037063bd61bafd95f4126

SHA1
5a0331cb152aacd2eabe73b6097e0d90cf56aa03

SHA256
ecb72cb2eeb0ba3abaa4814fb3f4fa88bbf3a69275a0b94ffc35eacc6493437c

SHA512
268d0bfd1bb990bfe41552bb62b3905d3951bb1d86d1ab8dbb48ad3d874808e1363cfcb3ded725c14ba5143cb83f132612b7421790590e4b3483cfc6ea60322b

Download Submit
memory/1972-1-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1972-2-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1972-16-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1972-200-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2300-13-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2300-12-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2300-15-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2800-85-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2800-87-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download

Analysis

Sharing