cycbot | e67571a8d06c6c8db3628e56e15ef67a0f4837e9b070422e15ed99538199d1c6

General

Target

JaffaCakes118_72a407647c25fde25a0636b4dd72e454.exe
Size

191KB
MD5

72a407647c25fde25a0636b4dd72e454
SHA1

d59788e3d2e8a20f456004a449a27e3ee259ad74
SHA256

e67571a8d06c6c8db3628e56e15ef67a0f4837e9b070422e15ed99538199d1c6
SHA512

fd405efe8bc78ff1643e6593ce0b8647821a517619fe177af07c75ef459e366699497aae21df680e47f32ca1715667b9bfde15b8330713a2ec492983401f7982
SSDEEP

3072:F0KQ7j7t6AFb2Yrkt0RSFFx6YevU9/7O8Bg5DoSLb1eDPhIW3AzOil6oUVgEab5:WK47j5rkxeM9yg2oSLb1erhIW3AzUuEy

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2164-7-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/2708-15-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/2536-83-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/2708-171-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2708-1-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2164-7-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2164-5-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2708-15-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2536-82-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2536-83-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2708-171-0x0000000000400000-0x000000000044E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_72a407647c25fde25a0636b4dd72e454.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_72a407647c25fde25a0636b4dd72e454.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_72a407647c25fde25a0636b4dd72e454.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2164	2708	JaffaCakes118_72a407647c25fde25a0636b4dd72e454.exe	31
PID 2708 wrote to memory of 2164	2708	JaffaCakes118_72a407647c25fde25a0636b4dd72e454.exe	31
PID 2708 wrote to memory of 2164	2708	JaffaCakes118_72a407647c25fde25a0636b4dd72e454.exe	31
PID 2708 wrote to memory of 2164	2708	JaffaCakes118_72a407647c25fde25a0636b4dd72e454.exe	31
PID 2708 wrote to memory of 2536	2708	JaffaCakes118_72a407647c25fde25a0636b4dd72e454.exe	33
PID 2708 wrote to memory of 2536	2708	JaffaCakes118_72a407647c25fde25a0636b4dd72e454.exe	33
PID 2708 wrote to memory of 2536	2708	JaffaCakes118_72a407647c25fde25a0636b4dd72e454.exe	33
PID 2708 wrote to memory of 2536	2708	JaffaCakes118_72a407647c25fde25a0636b4dd72e454.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_72a407647c25fde25a0636b4dd72e454.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_72a407647c25fde25a0636b4dd72e454.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_72a407647c25fde25a0636b4dd72e454.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_72a407647c25fde25a0636b4dd72e454.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2164
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_72a407647c25fde25a0636b4dd72e454.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_72a407647c25fde25a0636b4dd72e454.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\7AA5.38C

Filesize
1KB

MD5
223c9978c9e8c9cda7ed49fe7c1d0f00

SHA1
ae08d725fef2028af2b86a29beb54e53bdf380a0

SHA256
baed0525f628853fb774921d4d0e0d65a15fffc901b6224d25a17e8df5d55ee7

SHA512
cb7156bb929596e0fded8a40d2e699d29e2b6ea333f5d926699f3f8748e446b4e694a43feb97810390476cedcd4b6d4e2dbaf75f2395a99d9c1f612f1ce314a0

Download Submit
C:\Users\Admin\AppData\Roaming\7AA5.38C

Filesize
600B

MD5
1e9ba3a10fa348178a3a97a7898e5f80

SHA1
c0b8c1188c1ff17f1a1d9d1a060ccfa87febef8d

SHA256
130e9a4e907f369119e2e1ce7ce7c133e335ff75b94693212e86dc4f6b4250ff

SHA512
7387025c69eb07f0cdf2be64a15b2466c73966f8b25c30979be306d2e6f3c21c83fcdaa208e63406ece106c4e9afa89371ee2c31ca1e04fc94496b51264a5a31

Download Submit
C:\Users\Admin\AppData\Roaming\7AA5.38C

Filesize
996B

MD5
073ebdc4227e2290a7415d37078056a6

SHA1
6336ebac0a2697d9d3dc5a4948edec347a1e9948

SHA256
317149920679fdd3830de06b239f82469b0a03b9b12662e4b07102c835f5d197

SHA512
d62487f57617323998a29268425300434f930289deebb5244dbef1c2c9f6b2696c3795d8f6500ba44e363ddc2697b21e11152cd7627100d05d304f2f3c1d01db

Download Submit
memory/2164-7-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2164-5-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2164-4-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2536-82-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2536-83-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2708-1-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2708-15-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2708-171-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing