cycbot | a981b56dca8903a4cb4fb154f36b021d2aecf70e16f05815461650666af4f9c2

General

Target

JaffaCakes118_72016edb08a7fdd7f1f8643ee3d4192a.exe
Size

197KB
MD5

72016edb08a7fdd7f1f8643ee3d4192a
SHA1

f47032dfe1fa7594b518fb247bbe9ae7ef7263d0
SHA256

a981b56dca8903a4cb4fb154f36b021d2aecf70e16f05815461650666af4f9c2
SHA512

cf1e50ca8a9bd3692d77a8846e63f9aba5d782a55664fd9fcbfa518fb8adcc5e358a4cff22d2627a5b49f20f6e12f8515615f16811f5d8db16b68aaedc93fd95
SSDEEP

3072:IJh43aJK0KdhDzgHKEevptK3GibiqZP+KBOFXpoSbZpL4QIm436qSukrTNj:8e3zgqEi03GiOCDgdpjlpL4bb6Fpj

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2780-7-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral1/memory/3020-15-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral1/memory/1576-73-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral1/memory/3020-173-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3020-2-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2780-5-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2780-7-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/3020-15-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1576-74-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1576-73-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/3020-173-0x0000000000400000-0x000000000046B000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_72016edb08a7fdd7f1f8643ee3d4192a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_72016edb08a7fdd7f1f8643ee3d4192a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_72016edb08a7fdd7f1f8643ee3d4192a.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2780	3020	JaffaCakes118_72016edb08a7fdd7f1f8643ee3d4192a.exe	30
PID 3020 wrote to memory of 2780	3020	JaffaCakes118_72016edb08a7fdd7f1f8643ee3d4192a.exe	30
PID 3020 wrote to memory of 2780	3020	JaffaCakes118_72016edb08a7fdd7f1f8643ee3d4192a.exe	30
PID 3020 wrote to memory of 2780	3020	JaffaCakes118_72016edb08a7fdd7f1f8643ee3d4192a.exe	30
PID 3020 wrote to memory of 1576	3020	JaffaCakes118_72016edb08a7fdd7f1f8643ee3d4192a.exe	32
PID 3020 wrote to memory of 1576	3020	JaffaCakes118_72016edb08a7fdd7f1f8643ee3d4192a.exe	32
PID 3020 wrote to memory of 1576	3020	JaffaCakes118_72016edb08a7fdd7f1f8643ee3d4192a.exe	32
PID 3020 wrote to memory of 1576	3020	JaffaCakes118_72016edb08a7fdd7f1f8643ee3d4192a.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_72016edb08a7fdd7f1f8643ee3d4192a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_72016edb08a7fdd7f1f8643ee3d4192a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_72016edb08a7fdd7f1f8643ee3d4192a.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_72016edb08a7fdd7f1f8643ee3d4192a.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2780
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_72016edb08a7fdd7f1f8643ee3d4192a.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_72016edb08a7fdd7f1f8643ee3d4192a.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\5BAE.D53

Filesize
600B

MD5
0d9a2398910be3853ca09cb59671b866

SHA1
72b4c2578a9363ed3c380dde3bb85f95f31d34ad

SHA256
91535099f49d970b8bef2c08d204b7a5e29edca19551cfc526131cf8e51ba432

SHA512
14e7480959d34f30d34c0566548d615aee33b3de151e00d4ab42fa171f957bd7f7feb403b181cf51a014079b8266caeb033ee4c937ad4ea19a76497f2c0e7ffe

Download Submit
C:\Users\Admin\AppData\Roaming\5BAE.D53

Filesize
996B

MD5
23fd1e51936fab4f3b8fe67d7f7e9910

SHA1
f8af20af9d721827c2be97f5b53541f487d5c83b

SHA256
40e366de5442690145cc719d0c4c4c9f68c6916972d2230924995ea9dc7ff4fe

SHA512
0578652fc91c7dddcfddb51c7c9f5a42b83850a46f5b49d0b87e52a944deaad7cb11b161369fc6c87abc523d2be2033534cdd70951d3a8dd73f6862d1bf809cc

Download Submit
memory/1576-74-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1576-73-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1576-72-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2780-5-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2780-7-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3020-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3020-2-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3020-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3020-173-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing