cycbot | 43aa93ad0b4fdd2ea8e186dc35071e8dd7687257140e1df2f4f6b37fba9269b1

General

Target

JaffaCakes118_9537debb7289782c406d57c66fe1be97.exe
Size

182KB
MD5

9537debb7289782c406d57c66fe1be97
SHA1

5a99bb746a9525b17fad20a9dde911eeb9bb4a58
SHA256

43aa93ad0b4fdd2ea8e186dc35071e8dd7687257140e1df2f4f6b37fba9269b1
SHA512

6b75fec4c2f4d2665536a7afb63062794422938cdebe7f9b326a1c0a426c880d027933b1a012a109417be99f6b4c2183982484e17cb1c2575756f0bf8925d22e
SSDEEP

3072:6AhLl3XTUiOwuQWZxf1Y5MNFarIGXi3aaiv1zseg74lAPR0NxHEoibheObyvXWie:6Ah5rYxG5eFarIGXi3aak1zseg74SR0r

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2788-10-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/2420-15-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/2064-86-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/2420-191-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2420-2-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2788-10-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2788-8-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2420-15-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2064-85-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2064-86-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2420-191-0x0000000000400000-0x000000000044E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9537debb7289782c406d57c66fe1be97.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9537debb7289782c406d57c66fe1be97.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9537debb7289782c406d57c66fe1be97.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2788	2420	JaffaCakes118_9537debb7289782c406d57c66fe1be97.exe	30
PID 2420 wrote to memory of 2788	2420	JaffaCakes118_9537debb7289782c406d57c66fe1be97.exe	30
PID 2420 wrote to memory of 2788	2420	JaffaCakes118_9537debb7289782c406d57c66fe1be97.exe	30
PID 2420 wrote to memory of 2788	2420	JaffaCakes118_9537debb7289782c406d57c66fe1be97.exe	30
PID 2420 wrote to memory of 2064	2420	JaffaCakes118_9537debb7289782c406d57c66fe1be97.exe	32
PID 2420 wrote to memory of 2064	2420	JaffaCakes118_9537debb7289782c406d57c66fe1be97.exe	32
PID 2420 wrote to memory of 2064	2420	JaffaCakes118_9537debb7289782c406d57c66fe1be97.exe	32
PID 2420 wrote to memory of 2064	2420	JaffaCakes118_9537debb7289782c406d57c66fe1be97.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9537debb7289782c406d57c66fe1be97.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9537debb7289782c406d57c66fe1be97.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9537debb7289782c406d57c66fe1be97.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9537debb7289782c406d57c66fe1be97.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2788
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9537debb7289782c406d57c66fe1be97.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9537debb7289782c406d57c66fe1be97.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\0093.9B9

Filesize
1KB

MD5
7e9378dda940fa4b13490a5442c30f22

SHA1
b4a98c35752a03587153790710d56108a60e888e

SHA256
1b79d5294da282a1242dd159befca83e44e9d627b5775fe790aaa5708b281d78

SHA512
9e7f76dad1127f036987c6b1e5bde8bd04f5dcb259f9cfbaf405641238d83f80bf4cdda05caab49b0b88e5a81fbc786072b243fe70310eb412c1e554883b241a

Download Submit
C:\Users\Admin\AppData\Roaming\0093.9B9

Filesize
600B

MD5
908aa56af08adb72e6ac13749b4e4e8d

SHA1
8bc0b19e55f61a6ebb5bc0752231e511c07b7991

SHA256
60f9ce14f90a69b9bf10c74f4cd407b3a81be62b99f850ac7705b9946b0b022a

SHA512
42c7f9c057b6530104975cf90136edef4e5de914d85c7c046661f6ab911eb4a4eddf47df189cc40f55fde69ecccd6113455fe7da6989e0827313f7124c3952ff

Download Submit
C:\Users\Admin\AppData\Roaming\0093.9B9

Filesize
996B

MD5
38e79d585d420903fb598507f75e7615

SHA1
3b9d0ca48736abd77d40661ee3e99db8035af05e

SHA256
5a42d41d82adf14c98a6ca5e56c8bb6424d743773ec603cce3a9fdfc3475ce39

SHA512
56df956aae311ff4c09044636ea3f348f040be5d7cb467c2fbd4da66eae62606a424f5389eaa90687535d6c0b902032013120c081f8a9773ebda04aaaa8ca16a

Download Submit
memory/2064-85-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2064-86-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2420-2-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2420-1-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2420-15-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2420-191-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2788-10-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2788-8-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing