cycbot | 04bd328544ac52d322ed83deb1c98e895a22e8936c0b0f49c2e541d27a420249

General

Target

JaffaCakes118_975f564f04afa41186f64eecf105d1a4.exe
Size

159KB
MD5

975f564f04afa41186f64eecf105d1a4
SHA1

4b2fd3fa1e7367c9f25337c19c8c42f185024c16
SHA256

04bd328544ac52d322ed83deb1c98e895a22e8936c0b0f49c2e541d27a420249
SHA512

72283d0e29078424bfb302044f2cfada2331e0ca0ed3b612b93a6fdc4322478a34cff59b0a85a0006c5d92dcfc898c275fa371238c352ca2efd7dbfcd05df4cc
SSDEEP

3072:piUyvp4hVLbutToP751vSOAPl4Ek6sJWyt5PD6nr0foJgG:cPvAVL62P7PbWy3D6n4wJ

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2516-5-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot
behavioral1/memory/2516-7-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot
behavioral1/memory/2624-15-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot
behavioral1/memory/2356-91-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot
behavioral1/memory/2624-196-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2624-1-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2516-5-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2516-7-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2624-15-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2356-89-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2356-91-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2624-196-0x0000000000400000-0x0000000000468000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_975f564f04afa41186f64eecf105d1a4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_975f564f04afa41186f64eecf105d1a4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_975f564f04afa41186f64eecf105d1a4.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 2516	2624	JaffaCakes118_975f564f04afa41186f64eecf105d1a4.exe	30
PID 2624 wrote to memory of 2516	2624	JaffaCakes118_975f564f04afa41186f64eecf105d1a4.exe	30
PID 2624 wrote to memory of 2516	2624	JaffaCakes118_975f564f04afa41186f64eecf105d1a4.exe	30
PID 2624 wrote to memory of 2516	2624	JaffaCakes118_975f564f04afa41186f64eecf105d1a4.exe	30
PID 2624 wrote to memory of 2356	2624	JaffaCakes118_975f564f04afa41186f64eecf105d1a4.exe	32
PID 2624 wrote to memory of 2356	2624	JaffaCakes118_975f564f04afa41186f64eecf105d1a4.exe	32
PID 2624 wrote to memory of 2356	2624	JaffaCakes118_975f564f04afa41186f64eecf105d1a4.exe	32
PID 2624 wrote to memory of 2356	2624	JaffaCakes118_975f564f04afa41186f64eecf105d1a4.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_975f564f04afa41186f64eecf105d1a4.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_975f564f04afa41186f64eecf105d1a4.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_975f564f04afa41186f64eecf105d1a4.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_975f564f04afa41186f64eecf105d1a4.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2516
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_975f564f04afa41186f64eecf105d1a4.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_975f564f04afa41186f64eecf105d1a4.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\5474.F86

Filesize
1KB

MD5
a0517b0b3d82c17d29215ac92730d543

SHA1
a7d4eaa2f576e32eec7a1faae210c6c7bc1b3153

SHA256
4ad19ebe4df80c122821e845d77ac0eed6d83ca7ba75e585512c61c093f75908

SHA512
049eedd158795bf72530a7148e3cd592d0492a736b46c07f7210599357e756ea31a0cc48f718fe08760a5e971486db0c1988cad213866097dcab1e11a527826a

Download Submit
C:\Users\Admin\AppData\Roaming\5474.F86

Filesize
600B

MD5
9446b12672df00cfa78a7b24846e624d

SHA1
b7e76aec1b468aec0285104db411e330af35241d

SHA256
4db55b507710e87ddce89bbb6a2c2afe9089a0b8497bd43d43123d54e94d4440

SHA512
3a3e8b5f404b95dba6bbe5965d670ad0cf73aa2a8ea83a8fda6e61c37fbab7cf6a4e5c2090a97d60cc24905dc1f64d9d123a98f63782b0dc09e7af0a29091961

Download Submit
C:\Users\Admin\AppData\Roaming\5474.F86

Filesize
996B

MD5
b82ec81baa0ace15b6bb23ff6e1600be

SHA1
0e6ec2f9e255b05f08596ea9c3cba5b4e7498e8b

SHA256
4e022d7c4f092fbe5b77ab40a8586d5f1a5f18f5de4bd28eedf88a4843e841f8

SHA512
860029d6779c097cd87670f813cbb6720de66e4f934a0c22bdfaf2b8347ad14b4508f069a2b9124418ab5930a14e103f0d3047c2a25571ab368ae88e73f09f4d

Download Submit
memory/2356-88-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2356-89-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2356-91-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2516-4-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2516-5-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2516-7-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2624-1-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2624-15-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2624-196-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing