cycbot | eb1ab3410743f955d78e984fa926c1794ac235f5b852a1bb14b66a6a1ccebb69

General

Target

9595f24627dc2b8d0e3305ebc60dd424_JaffaCakes118.exe
Size

191KB
MD5

9595f24627dc2b8d0e3305ebc60dd424
SHA1

efd13f451f2d7df8bc5f1eeef00b8f0c99f47c65
SHA256

eb1ab3410743f955d78e984fa926c1794ac235f5b852a1bb14b66a6a1ccebb69
SHA512

45f5da36c878365b6a623a275a5ed670ec4c46418b1aa75f32f2642dcdf759ef1f37340f5e57c76749383d3a4de0b11ba67adf90270ba399db583c09d1b86a92
SSDEEP

3072:hvxwXAFqJNvYU6Kx72vo3WiKlrud4Kli/acnC9yGerfUQ9c:4XA2JYU+vVhlr64Kw/PCIGerf

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

Processes:

resource	yara_rule
behavioral1/memory/1724-7-0x0000000000400000-0x0000000000447000-memory.dmp	family_cycbot
behavioral1/memory/304-14-0x0000000000400000-0x0000000000447000-memory.dmp	family_cycbot
behavioral1/memory/2656-73-0x0000000000400000-0x0000000000447000-memory.dmp	family_cycbot
behavioral1/memory/304-175-0x0000000000400000-0x0000000000447000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/304-2-0x0000000000400000-0x0000000000447000-memory.dmp	upx
behavioral1/memory/1724-5-0x0000000000400000-0x0000000000447000-memory.dmp	upx
behavioral1/memory/1724-7-0x0000000000400000-0x0000000000447000-memory.dmp	upx
behavioral1/memory/304-14-0x0000000000400000-0x0000000000447000-memory.dmp	upx
behavioral1/memory/2656-72-0x0000000000400000-0x0000000000447000-memory.dmp	upx
behavioral1/memory/2656-73-0x0000000000400000-0x0000000000447000-memory.dmp	upx
behavioral1/memory/304-175-0x0000000000400000-0x0000000000447000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

9595f24627dc2b8d0e3305ebc60dd424_JaffaCakes118.exe9595f24627dc2b8d0e3305ebc60dd424_JaffaCakes118.exe9595f24627dc2b8d0e3305ebc60dd424_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9595f24627dc2b8d0e3305ebc60dd424_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9595f24627dc2b8d0e3305ebc60dd424_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9595f24627dc2b8d0e3305ebc60dd424_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

9595f24627dc2b8d0e3305ebc60dd424_JaffaCakes118.exe

description	pid	process	target process
PID 304 wrote to memory of 1724	304	9595f24627dc2b8d0e3305ebc60dd424_JaffaCakes118.exe	9595f24627dc2b8d0e3305ebc60dd424_JaffaCakes118.exe
PID 304 wrote to memory of 1724	304	9595f24627dc2b8d0e3305ebc60dd424_JaffaCakes118.exe	9595f24627dc2b8d0e3305ebc60dd424_JaffaCakes118.exe
PID 304 wrote to memory of 1724	304	9595f24627dc2b8d0e3305ebc60dd424_JaffaCakes118.exe	9595f24627dc2b8d0e3305ebc60dd424_JaffaCakes118.exe
PID 304 wrote to memory of 1724	304	9595f24627dc2b8d0e3305ebc60dd424_JaffaCakes118.exe	9595f24627dc2b8d0e3305ebc60dd424_JaffaCakes118.exe
PID 304 wrote to memory of 2656	304	9595f24627dc2b8d0e3305ebc60dd424_JaffaCakes118.exe	9595f24627dc2b8d0e3305ebc60dd424_JaffaCakes118.exe
PID 304 wrote to memory of 2656	304	9595f24627dc2b8d0e3305ebc60dd424_JaffaCakes118.exe	9595f24627dc2b8d0e3305ebc60dd424_JaffaCakes118.exe
PID 304 wrote to memory of 2656	304	9595f24627dc2b8d0e3305ebc60dd424_JaffaCakes118.exe	9595f24627dc2b8d0e3305ebc60dd424_JaffaCakes118.exe
PID 304 wrote to memory of 2656	304	9595f24627dc2b8d0e3305ebc60dd424_JaffaCakes118.exe	9595f24627dc2b8d0e3305ebc60dd424_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\9595f24627dc2b8d0e3305ebc60dd424_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9595f24627dc2b8d0e3305ebc60dd424_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:304
- C:\Users\Admin\AppData\Local\Temp\9595f24627dc2b8d0e3305ebc60dd424_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\9595f24627dc2b8d0e3305ebc60dd424_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1724
- C:\Users\Admin\AppData\Local\Temp\9595f24627dc2b8d0e3305ebc60dd424_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\9595f24627dc2b8d0e3305ebc60dd424_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\861C.F5A

Filesize
1KB

MD5
c2e16e6c0c23be697adc8f365ec55836

SHA1
858fd1f596659e6b8764f29e338ad02e561c6de7

SHA256
42130d4627b4b42dd91915aff615dda2dd842f1b18beb9c4b01a9fa0005b8eec

SHA512
772d9d653abaf292c393db369be671aae0a64fb5355a42e9d716680e4f9b6cf0851e0e5b14542b784bc2ca15bf062a0dd686791c6e29eba5fb525e5f273f4ade

Download Submit
C:\Users\Admin\AppData\Roaming\861C.F5A

Filesize
600B

MD5
5e5298e8c82e6ee299ca54f00d3ce3ef

SHA1
e9c88c027d1180fe53085048660eb8fb7e6fbe21

SHA256
7d8d1032fabf8acac0688f5045e67950026046c3a997c601fb3f449178af0b7d

SHA512
addae406c2c12380e0f5cb174a109ed0e19ac36435b5c4ba626f522f79f67f0b18fcf059f6f64edd367c56238bd954ea3eaa966858683a6d8bd58e3ee7196efb

Download Submit
C:\Users\Admin\AppData\Roaming\861C.F5A

Filesize
996B

MD5
ed79898af2419b80cb769d4df1f5a220

SHA1
e062ee7e18f3e47620f772844d2179c546e57fc5

SHA256
d8145fc19b566f0c1d800be799f9a8ca68e7200ba576c2efd93a3f829bd3161a

SHA512
96512abffa2ae9f7d9f487099ee55beca262bf839cf8f5fb4f5a9c1a893b28d62d92d009a399a40b86e0cbab4f9872b4a73a527640dc47fb8538c9477006e85c

Download Submit
memory/304-1-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/304-2-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/304-14-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/304-175-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1724-5-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1724-7-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2656-72-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2656-73-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads