cycbot | 0212e33dee80b3e7f1df74d8c5f5dcb48885e379d1a6c44cca4aa59f5296d78b

General

Target

9006ee2d0014b4aec1e1716c14ce208f_JaffaCakes118.exe
Size

191KB
MD5

9006ee2d0014b4aec1e1716c14ce208f
SHA1

59d6433990b26f5fe8e56945c9f5f0f9e6baf699
SHA256

0212e33dee80b3e7f1df74d8c5f5dcb48885e379d1a6c44cca4aa59f5296d78b
SHA512

e3d45ffc9bee5825f284fdf8d82bd353c24b7e6bfaca2b5475627dcb183c9786d6cd08f8379b76941f78cbb748bfcb2c058271df58d8ea775be6ec0ebf409641
SSDEEP

3072:0PHffjfzZ7fHlD47/T3BdCnCF2HwUcDbR+FZjRh2jBDveRhL57XFlE7pCU5gPh3y:6Hffjf17fHls7/zvCnw2oR+FZD2NDqLp

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

Processes:

resource	yara_rule
behavioral1/memory/1948-14-0x0000000000400000-0x0000000000469000-memory.dmp	family_cycbot
behavioral1/memory/1948-15-0x0000000000400000-0x0000000000469000-memory.dmp	family_cycbot
behavioral1/memory/2296-16-0x0000000000400000-0x0000000000469000-memory.dmp	family_cycbot
behavioral1/memory/1912-78-0x0000000000400000-0x0000000000469000-memory.dmp	family_cycbot
behavioral1/memory/1912-79-0x0000000000400000-0x0000000000469000-memory.dmp	family_cycbot
behavioral1/memory/2296-193-0x0000000000400000-0x0000000000469000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2296-2-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/1948-14-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/1948-13-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/1948-15-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2296-16-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/1912-78-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/1912-79-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2296-193-0x0000000000400000-0x0000000000469000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

9006ee2d0014b4aec1e1716c14ce208f_JaffaCakes118.exe9006ee2d0014b4aec1e1716c14ce208f_JaffaCakes118.exe9006ee2d0014b4aec1e1716c14ce208f_JaffaCakes118.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9006ee2d0014b4aec1e1716c14ce208f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9006ee2d0014b4aec1e1716c14ce208f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9006ee2d0014b4aec1e1716c14ce208f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

9006ee2d0014b4aec1e1716c14ce208f_JaffaCakes118.exe

description	pid	Process	procid_target
PID 2296 wrote to memory of 1948	2296	9006ee2d0014b4aec1e1716c14ce208f_JaffaCakes118.exe	31
PID 2296 wrote to memory of 1948	2296	9006ee2d0014b4aec1e1716c14ce208f_JaffaCakes118.exe	31
PID 2296 wrote to memory of 1948	2296	9006ee2d0014b4aec1e1716c14ce208f_JaffaCakes118.exe	31
PID 2296 wrote to memory of 1948	2296	9006ee2d0014b4aec1e1716c14ce208f_JaffaCakes118.exe	31
PID 2296 wrote to memory of 1912	2296	9006ee2d0014b4aec1e1716c14ce208f_JaffaCakes118.exe	33
PID 2296 wrote to memory of 1912	2296	9006ee2d0014b4aec1e1716c14ce208f_JaffaCakes118.exe	33
PID 2296 wrote to memory of 1912	2296	9006ee2d0014b4aec1e1716c14ce208f_JaffaCakes118.exe	33
PID 2296 wrote to memory of 1912	2296	9006ee2d0014b4aec1e1716c14ce208f_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\9006ee2d0014b4aec1e1716c14ce208f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9006ee2d0014b4aec1e1716c14ce208f_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Users\Admin\AppData\Local\Temp\9006ee2d0014b4aec1e1716c14ce208f_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\9006ee2d0014b4aec1e1716c14ce208f_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1948
- C:\Users\Admin\AppData\Local\Temp\9006ee2d0014b4aec1e1716c14ce208f_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\9006ee2d0014b4aec1e1716c14ce208f_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\5358.313

Filesize
1KB

MD5
cff1d248e3e0cf53b2b6436d4dacd25e

SHA1
57972d886f8c09f6ed20d5aef7f436a332d77dea

SHA256
bedb579cbabae48e4e29d3d3afac5daad7ca2a48b702dbc5058ea5521756be73

SHA512
5fb697f249a099135170fe7f7f6d0e85f10ed1fab0bb9ca57640c7de972defe2cd07406816b96f39fb699ec4a220dd05336dae4e01226b5571979ecf29d8f2d2

Download Submit
C:\Users\Admin\AppData\Roaming\5358.313

Filesize
1KB

MD5
157af8840b7fdb7e3327344affdb8248

SHA1
019467f67df5e14d0b42f2d147d594c478df233b

SHA256
768e40c96b915adc6cfad74020ef2bf3d9c11e9392b754351c2220304d38d3c9

SHA512
70953cd0b17f83f69e1ff1d3b52e83d1786397ec731c95f2d4758eca3e9466366caf20103d3ca89d8f87a96e6061b0fe5c13e8f5f60bbd5aa42d6358efa25e85

Download Submit
C:\Users\Admin\AppData\Roaming\5358.313

Filesize
600B

MD5
24d86c0a71a548252f7bef19bc822f7d

SHA1
62c720706471875c524462479e62fd5e8af03dd6

SHA256
1d92e9751ecbf2b4b30f2f7e6ce3dea36b24b1f161d76989808c91400e56cf56

SHA512
a884395b53bf1c71fdc062a0cf1d7ef8ee37ca9bd6c32c85fac667747225cfbaf3cbae999398f7a6b3648d4baa15c2021e1b2524bf71e1e712fdb950236333ac

Download Submit
C:\Users\Admin\AppData\Roaming\5358.313

Filesize
996B

MD5
55877afe4434f974225a5410daf2f080

SHA1
27ef60dc7e8755df70e03271e23f0c4010f38b69

SHA256
a70690c47347646cf1732ddcf8017dcc0da804b36735896a6d505a4397d356f1

SHA512
1fb3d3e7cbcb44f4c7210e7a1a1a6d54c4a183daea9cd7f9e2adc0932570bbfdb6010d622a8efcea9ab671050d6f07be1593938ae6714e0a41bff40f82cf03cb

Download Submit
memory/1912-79-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1912-78-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1912-77-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1948-15-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1948-13-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1948-14-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2296-16-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2296-1-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2296-2-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2296-193-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads