cycbot | c0eff96d090b32f6b6f0ca7ade85b60cea071d75e02348a08ccba8cae8f73d5e

General

Target

JaffaCakes118_938060f647b1fcd24a7a807228c9f92f.exe
Size

205KB
MD5

938060f647b1fcd24a7a807228c9f92f
SHA1

d9f4d0b347f80b24922bae1777cb79e7276f5d5e
SHA256

c0eff96d090b32f6b6f0ca7ade85b60cea071d75e02348a08ccba8cae8f73d5e
SHA512

6e1f97585243e7b4abba67b07a6c5e1d5edc8be57b4adcec868e7637b88af971202ffd2fcc3d9e8b1f4e12350f31fb33bf04b7405f047c3f27b29b814334d8e3
SSDEEP

6144:8aE9xeFTXduDJAie3Ltz1Ljqw9ViCGfWT9Bpm:1Eusa3LtxfqwFg

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2836-15-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/2780-16-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/1636-20-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/2780-122-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2780-2-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2836-12-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2836-15-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2780-16-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1636-20-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2780-122-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_938060f647b1fcd24a7a807228c9f92f.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 2836	2780	JaffaCakes118_938060f647b1fcd24a7a807228c9f92f.exe	30
PID 2780 wrote to memory of 2836	2780	JaffaCakes118_938060f647b1fcd24a7a807228c9f92f.exe	30
PID 2780 wrote to memory of 2836	2780	JaffaCakes118_938060f647b1fcd24a7a807228c9f92f.exe	30
PID 2780 wrote to memory of 2836	2780	JaffaCakes118_938060f647b1fcd24a7a807228c9f92f.exe	30
PID 2780 wrote to memory of 1636	2780	JaffaCakes118_938060f647b1fcd24a7a807228c9f92f.exe	32
PID 2780 wrote to memory of 1636	2780	JaffaCakes118_938060f647b1fcd24a7a807228c9f92f.exe	32
PID 2780 wrote to memory of 1636	2780	JaffaCakes118_938060f647b1fcd24a7a807228c9f92f.exe	32
PID 2780 wrote to memory of 1636	2780	JaffaCakes118_938060f647b1fcd24a7a807228c9f92f.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_938060f647b1fcd24a7a807228c9f92f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_938060f647b1fcd24a7a807228c9f92f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_938060f647b1fcd24a7a807228c9f92f.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_938060f647b1fcd24a7a807228c9f92f.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:2836
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_938060f647b1fcd24a7a807228c9f92f.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_938060f647b1fcd24a7a807228c9f92f.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\7265.9EB

Filesize
600B

MD5
91cc9dc5ec3aa4c75de62222987add39

SHA1
498a19b93b88c442b4502c38c23c1214427aa943

SHA256
95e3e78989c2ae25b43617d74029aece05827f3b9b8b16f47792b0a2d9ec45d1

SHA512
ae6afe576595b5e7c5da0cc7d6a9a90e74921b34c6bb902bdf7680a365d43a2fea5a3e47c32b629d57f0747c8bd3090f9fe8d8ba7fea995332a704bbe19c5fc2

Download Submit
C:\Users\Admin\AppData\Roaming\7265.9EB

Filesize
996B

MD5
4c365f6dbce45480761290a971827562

SHA1
0aedf51e054164f05908f80a5e40ecb2adbcc799

SHA256
9a4dc6305c19fa0a7531fcb5f8d05960e12024d8f5e99095d72d901658f62c1f

SHA512
b21dd55cea36467755d8218306c3346a08e709d18b906d1f2fb0a0c9b7d9dd90b190f70c2901ef8262b3b185d338ea80103cb0e35527684a548125131a2ffeb8

Download Submit
C:\Users\Admin\AppData\Roaming\7265.9EB

Filesize
1KB

MD5
916f9da031628e6e72f82fe37014d3ab

SHA1
58053be44ee0fc0221339cc5c80d41289064576b

SHA256
9282f1a99a6e3652a040bc2b2aae4d78bb7c584559853c0d188028bbf57cc7c8

SHA512
10738c092be321a950d38bf5b9145ab233d09d054e4fd0a376a2414ef94f3bd0a254165b69f6c8e3e75f1508273cc1dea87845e6db8157370dd3df1261f94e29

Download Submit
memory/1636-20-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2780-1-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2780-2-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2780-16-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2780-122-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2836-12-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2836-15-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing