cycbot | df8ae7b67ad4dece60dfe921d2320d5f353f973488247e9280634686cde5a786

General

Target

JaffaCakes118_6fd58d0b82026b04e51105a546fd5f27.exe
Size

169KB
MD5

6fd58d0b82026b04e51105a546fd5f27
SHA1

3f3c5d12d0549d18be014de42867ef9dd95b4c0d
SHA256

df8ae7b67ad4dece60dfe921d2320d5f353f973488247e9280634686cde5a786
SHA512

b700ce80cceb35bf6804ee6427a8b8967e73b92516b4bf9a64f53a20065e552c0b2ac7578a31651c2a15f27d81bb1cd26e5cf3a1a4f4e9e0173b4053dfbc8551
SSDEEP

3072:Ni3pVQmKSSKmqKTi836jEbul6ZZ8AMsWIh72s69WBtzmWw0Db3OB:Y5K7pqCig5bulK8AMsp72j9W7zmIO

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2568-7-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2568-8-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2300-16-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2080-83-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2300-190-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2300-2-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2568-5-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2568-7-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2568-8-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2300-16-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2080-82-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2080-83-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2300-190-0x0000000000400000-0x000000000046A000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6fd58d0b82026b04e51105a546fd5f27.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6fd58d0b82026b04e51105a546fd5f27.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6fd58d0b82026b04e51105a546fd5f27.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 2568	2300	JaffaCakes118_6fd58d0b82026b04e51105a546fd5f27.exe	30
PID 2300 wrote to memory of 2568	2300	JaffaCakes118_6fd58d0b82026b04e51105a546fd5f27.exe	30
PID 2300 wrote to memory of 2568	2300	JaffaCakes118_6fd58d0b82026b04e51105a546fd5f27.exe	30
PID 2300 wrote to memory of 2568	2300	JaffaCakes118_6fd58d0b82026b04e51105a546fd5f27.exe	30
PID 2300 wrote to memory of 2080	2300	JaffaCakes118_6fd58d0b82026b04e51105a546fd5f27.exe	32
PID 2300 wrote to memory of 2080	2300	JaffaCakes118_6fd58d0b82026b04e51105a546fd5f27.exe	32
PID 2300 wrote to memory of 2080	2300	JaffaCakes118_6fd58d0b82026b04e51105a546fd5f27.exe	32
PID 2300 wrote to memory of 2080	2300	JaffaCakes118_6fd58d0b82026b04e51105a546fd5f27.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6fd58d0b82026b04e51105a546fd5f27.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6fd58d0b82026b04e51105a546fd5f27.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6fd58d0b82026b04e51105a546fd5f27.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6fd58d0b82026b04e51105a546fd5f27.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2568
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6fd58d0b82026b04e51105a546fd5f27.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6fd58d0b82026b04e51105a546fd5f27.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\B9CA.954

Filesize
1KB

MD5
2c3c7f659d6261229f510383e75f715c

SHA1
69a0cc4676715c824a4c7602d7fb7ae75c54c658

SHA256
8938196899cddba3065b839ab46362babc840107244b3ffd5733081b6cc72166

SHA512
3abaaf5ed195f8d3b0b9ee49b7c66925692fd6d114cd09c3167b1c82784512a243831343fd562e13ed5e2ae44217bd790dfe596d5e5d839cd3b96d2cba7ebaf4

Download Submit
C:\Users\Admin\AppData\Roaming\B9CA.954

Filesize
600B

MD5
a8ebafd3ed7d8d6b4dcab7b71a3f2ead

SHA1
f8393760fc9f2943ecd0719d555ae2fd9003d87e

SHA256
f016ce98b439395a049cd9ebcd114bfcc432699bd83083012df2c37010e5681c

SHA512
6169f65b006fcfb369a1256184c526e148416bc21f1264c1234159ac61b38647d2a4f537bc684158cc588c015a7a69d077e986881f649f82037ef4832abd042f

Download Submit
C:\Users\Admin\AppData\Roaming\B9CA.954

Filesize
996B

MD5
79d996189ecb2e22eb82f248307693aa

SHA1
708f38ea20e5248bd2e0491afc15ac5ba6c5a7b3

SHA256
cd6ed2c878f86779f7a3e40a11d11f2052316c0cec2b30ca613ecc5f0d684b3d

SHA512
fe118a78ff24a5f2ed0fb6df03b0fb8cd1645f236e14721c9e6174e211b9ff5a3d077555c1f14663632958e0e338b3939755264b19de3242e863dfd6398ffe1c

Download Submit
memory/2080-83-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2080-82-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2080-81-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2300-16-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2300-1-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2300-2-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2300-190-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2568-8-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2568-7-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2568-5-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download

Analysis

Sharing