cycbot | e210cfa253f6667ee4f2f826a2ee4f680935d22a69d63c8193d856da4e8faf33

General

Target

JaffaCakes118_7526cf75b567cf639f51b348f22dbe61.exe
Size

176KB
MD5

7526cf75b567cf639f51b348f22dbe61
SHA1

df123d1a563ed7560f4a6724eb5e8ba7e9723560
SHA256

e210cfa253f6667ee4f2f826a2ee4f680935d22a69d63c8193d856da4e8faf33
SHA512

e2c3573c74298eac91705a4631fc15f205cdcd7fb1d3ab5bad14e4076dca2cb29968ef68122d8713bc3b74001a4916b8b0a249c6d9822a0eebbad197ec42fb9e
SSDEEP

3072:Awga6smIAjNp9zqOQN0eMjaVOM+KimKFgIXrqYi8Xzl2j0F+5D0s5PZ:MGAZpJqH/cFgITz20F+N0s5

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2840-9-0x0000000000400000-0x0000000000463000-memory.dmp	family_cycbot
behavioral1/memory/2172-19-0x0000000000400000-0x0000000000463000-memory.dmp	family_cycbot
behavioral1/memory/2172-77-0x0000000000400000-0x0000000000463000-memory.dmp	family_cycbot
behavioral1/memory/1264-79-0x0000000000400000-0x0000000000463000-memory.dmp	family_cycbot
behavioral1/memory/2172-133-0x0000000000400000-0x0000000000463000-memory.dmp	family_cycbot
behavioral1/memory/2172-173-0x0000000000400000-0x0000000000463000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2172-2-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2840-8-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2840-9-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2172-19-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2172-77-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/1264-79-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2172-133-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2172-173-0x0000000000400000-0x0000000000463000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7526cf75b567cf639f51b348f22dbe61.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7526cf75b567cf639f51b348f22dbe61.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7526cf75b567cf639f51b348f22dbe61.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2840	2172	JaffaCakes118_7526cf75b567cf639f51b348f22dbe61.exe	31
PID 2172 wrote to memory of 2840	2172	JaffaCakes118_7526cf75b567cf639f51b348f22dbe61.exe	31
PID 2172 wrote to memory of 2840	2172	JaffaCakes118_7526cf75b567cf639f51b348f22dbe61.exe	31
PID 2172 wrote to memory of 2840	2172	JaffaCakes118_7526cf75b567cf639f51b348f22dbe61.exe	31
PID 2172 wrote to memory of 1264	2172	JaffaCakes118_7526cf75b567cf639f51b348f22dbe61.exe	33
PID 2172 wrote to memory of 1264	2172	JaffaCakes118_7526cf75b567cf639f51b348f22dbe61.exe	33
PID 2172 wrote to memory of 1264	2172	JaffaCakes118_7526cf75b567cf639f51b348f22dbe61.exe	33
PID 2172 wrote to memory of 1264	2172	JaffaCakes118_7526cf75b567cf639f51b348f22dbe61.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7526cf75b567cf639f51b348f22dbe61.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7526cf75b567cf639f51b348f22dbe61.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7526cf75b567cf639f51b348f22dbe61.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7526cf75b567cf639f51b348f22dbe61.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2840
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7526cf75b567cf639f51b348f22dbe61.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7526cf75b567cf639f51b348f22dbe61.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\5034.F7B

Filesize
597B

MD5
9b30263c4966f5b760bd2541bc5e5ea0

SHA1
85c45276487cb1b1f4402d723acf7dac68fa8f01

SHA256
ede5a59c77740172f1b3de387e2275ef3742b01b57e090a4f50b99672e757b2b

SHA512
18fca8fd9cb3f27b693b161f598de722cfbaa30ddd023c6bfa928e3df49d98eed55e9f7305df88a1caa3023fc0282ed5dafd49b7b1ea013e45dbe7dbb9122086

Download Submit
C:\Users\Admin\AppData\Roaming\5034.F7B

Filesize
1KB

MD5
ee975d04a9c9101347d1f9ebacf69cb6

SHA1
5af19e0602224ad8b871b0a4a44a2fa2d23e5d28

SHA256
538d9f7c00baa9fc273182d8d05d8a53f2a79b64719899d03ca4f967dcd3941a

SHA512
ce370b0e9b1cb496b213d75092377c4b7ad931b5cc2025183537e56d4a3a5569db85c889743ac13a7b9f551c63cf8e954afb40ebb482d06ba98b5618b324637f

Download Submit
C:\Users\Admin\AppData\Roaming\5034.F7B

Filesize
897B

MD5
28153962125057cb326ea85cf97fa6e3

SHA1
a3e91cbeeb3adbf1d747295717b943c98a72166a

SHA256
93405ce1c583c94e1bf2db879e31499d1f7c7fb0a2dc8a86f93a30792d9caba0

SHA512
a7166b3248544b97f4be0872536d95359c4281bb4eb889878b35e2edc4c6e07cb97e14ebb2d3fbf2c53f88e97b53e9e4dc20cdf4981bc71456bae2325797218b

Download Submit
C:\Users\Admin\AppData\Roaming\5034.F7B

Filesize
1KB

MD5
c369116e3b8e11179821e293ec885cf7

SHA1
5c0e1ac5f996625f7885005fef6b227f96588335

SHA256
cab76c72ad71c4bd06fc8b82c5efaedfe20b46928601e2eb63f74dea4da265cd

SHA512
1a4147e12cdb6d6359304a9254da74003059f78c971408c43eeb96c1b1249352168fb19e3253ecb0923e759086ec11b4edacf8dfce15f3dc1158d3e240185f9a

Download Submit
memory/1264-79-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2172-19-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2172-1-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2172-77-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2172-133-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2172-2-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2172-173-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2840-6-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2840-9-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2840-8-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download

Analysis

Sharing