cycbot | c3aedb214cba93a8ee5bd5e66f82f7af56d337ec37daaa4788f0c67fb95aa4f8

General

Target

JaffaCakes118_962184d85a3c347a4c89582a94a673d6.exe
Size

173KB
MD5

962184d85a3c347a4c89582a94a673d6
SHA1

f351f3e4816cf9b09dcae516b16983c2cc622c4e
SHA256

c3aedb214cba93a8ee5bd5e66f82f7af56d337ec37daaa4788f0c67fb95aa4f8
SHA512

714b39c58f329e02326b4cec6cf852c8359533d3df8fac9ff77b940f3503c65ab7d42fff2120ba093f1ebf2f9bc44563e464c62881a108e106a3fb2baea8ac9e
SSDEEP

3072:BvA07MarmdOLq35essMyprfMywF0VeV2/QnB1mFGDn5xwqgAmkCClzvsg/grnxyQ:tMaaUC6My0F0VysoBgFwsc5vn8nxJ

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2580-7-0x0000000000400000-0x0000000000463000-memory.dmp	family_cycbot
behavioral1/memory/2104-14-0x0000000000400000-0x0000000000463000-memory.dmp	family_cycbot
behavioral1/memory/2104-64-0x0000000000400000-0x0000000000463000-memory.dmp	family_cycbot
behavioral1/memory/2612-68-0x0000000000400000-0x0000000000463000-memory.dmp	family_cycbot
behavioral1/memory/2104-138-0x0000000000400000-0x0000000000463000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2104-2-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2580-7-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2580-6-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2104-14-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2104-64-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2612-66-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2612-68-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2104-138-0x0000000000400000-0x0000000000463000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_962184d85a3c347a4c89582a94a673d6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_962184d85a3c347a4c89582a94a673d6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_962184d85a3c347a4c89582a94a673d6.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2580	2104	JaffaCakes118_962184d85a3c347a4c89582a94a673d6.exe	30
PID 2104 wrote to memory of 2580	2104	JaffaCakes118_962184d85a3c347a4c89582a94a673d6.exe	30
PID 2104 wrote to memory of 2580	2104	JaffaCakes118_962184d85a3c347a4c89582a94a673d6.exe	30
PID 2104 wrote to memory of 2580	2104	JaffaCakes118_962184d85a3c347a4c89582a94a673d6.exe	30
PID 2104 wrote to memory of 2612	2104	JaffaCakes118_962184d85a3c347a4c89582a94a673d6.exe	33
PID 2104 wrote to memory of 2612	2104	JaffaCakes118_962184d85a3c347a4c89582a94a673d6.exe	33
PID 2104 wrote to memory of 2612	2104	JaffaCakes118_962184d85a3c347a4c89582a94a673d6.exe	33
PID 2104 wrote to memory of 2612	2104	JaffaCakes118_962184d85a3c347a4c89582a94a673d6.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_962184d85a3c347a4c89582a94a673d6.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_962184d85a3c347a4c89582a94a673d6.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_962184d85a3c347a4c89582a94a673d6.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_962184d85a3c347a4c89582a94a673d6.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2580
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_962184d85a3c347a4c89582a94a673d6.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_962184d85a3c347a4c89582a94a673d6.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\6680.376

Filesize
1KB

MD5
2565bd89af51e4f61da1c234482879fd

SHA1
41603357e544b46bacfee7519eb697354eed00ac

SHA256
aa594fa71676eb6edb367a32c8eefc9e1fcaed758f41fbee7342d38bebcde475

SHA512
5cd8e83cd231043e1919cf92bd3acc51dd18ebbd7fe7df4124d8d7b1a91a989ff49aa58fecb47642817fb752436bb438ca8ee5275da9ba92cb755f4b76f24c1a

Download Submit
C:\Users\Admin\AppData\Roaming\6680.376

Filesize
600B

MD5
c0f7354b327ac5920623b67d7eb3ccad

SHA1
8c1fd98b6c4af2ac5066979377f5799f842dcda8

SHA256
9ec65fcbed84509df2e1afc67a99aa7dd4aea1c5d1410ece16fbde3b64747562

SHA512
26c0c6604cb2885ebfa2f8ff27251a43d6e9a334e932a23be362c2da86d1be5b3e4598d6eedb9d7a6e213f838890d46ea8e1788a33ce63616901e980fac03480

Download Submit
C:\Users\Admin\AppData\Roaming\6680.376

Filesize
996B

MD5
8d868d836998ef55423513663ef7acbf

SHA1
4f6896f157d0022dc64750698fef7e5732bcf7b8

SHA256
72ede4e1b772a8223f296b179edda4297ac63de29f403ee4da15b866e83bfbc0

SHA512
e5c6d6bbc8dd3fa4701abe9da10673d3c8146b66d46a47faac98dd0cffb84c114bcc86627068cd46f29bc7c743afe9763591967549a849fba571e3483f73705e

Download Submit
memory/2104-2-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2104-1-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2104-138-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2104-14-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2104-64-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2580-6-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2580-5-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2580-7-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2612-68-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2612-66-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download

Analysis

Sharing