cycbot | b33d5c427d5a4218d80ffb5e6385d52fe2ba5a3e7b1042d4b87f8946ff3e2798

General

Target

9e650ebe1f98f3d263a6da174c98b14e_JaffaCakes118.exe
Size

182KB
MD5

9e650ebe1f98f3d263a6da174c98b14e
SHA1

af1c67d5bce5346e668ce1e1bdba050b53f9de77
SHA256

b33d5c427d5a4218d80ffb5e6385d52fe2ba5a3e7b1042d4b87f8946ff3e2798
SHA512

cec9e29da0b057342f9958a908b03e905a56136dadb2c5f49f088fbb948bfa2d7272382a6a01803ce219c0a5a7c39a047d7afead0eef27ec3429bf7e23ae55d5
SSDEEP

3072:SvQFgZstVrL4m7LlJSWuFwexJwA0vv9Baee/jdA4+wR/6R44w/TkiWDLjtIv:J505WuaexSt94xWMwR44w/4TPjty

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2796-6-0x0000000000400000-0x0000000000446000-memory.dmp	family_cycbot
behavioral1/memory/1508-13-0x0000000000400000-0x0000000000446000-memory.dmp	family_cycbot
behavioral1/memory/1508-71-0x0000000000400000-0x0000000000446000-memory.dmp	family_cycbot
behavioral1/memory/576-79-0x0000000000400000-0x0000000000446000-memory.dmp	family_cycbot
behavioral1/memory/1508-169-0x0000000000400000-0x0000000000446000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1508-2-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2796-5-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2796-6-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/1508-13-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/1508-71-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/576-77-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/576-79-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/1508-169-0x0000000000400000-0x0000000000446000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9e650ebe1f98f3d263a6da174c98b14e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9e650ebe1f98f3d263a6da174c98b14e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9e650ebe1f98f3d263a6da174c98b14e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 2796	1508	9e650ebe1f98f3d263a6da174c98b14e_JaffaCakes118.exe	30
PID 1508 wrote to memory of 2796	1508	9e650ebe1f98f3d263a6da174c98b14e_JaffaCakes118.exe	30
PID 1508 wrote to memory of 2796	1508	9e650ebe1f98f3d263a6da174c98b14e_JaffaCakes118.exe	30
PID 1508 wrote to memory of 2796	1508	9e650ebe1f98f3d263a6da174c98b14e_JaffaCakes118.exe	30
PID 1508 wrote to memory of 576	1508	9e650ebe1f98f3d263a6da174c98b14e_JaffaCakes118.exe	32
PID 1508 wrote to memory of 576	1508	9e650ebe1f98f3d263a6da174c98b14e_JaffaCakes118.exe	32
PID 1508 wrote to memory of 576	1508	9e650ebe1f98f3d263a6da174c98b14e_JaffaCakes118.exe	32
PID 1508 wrote to memory of 576	1508	9e650ebe1f98f3d263a6da174c98b14e_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\9e650ebe1f98f3d263a6da174c98b14e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9e650ebe1f98f3d263a6da174c98b14e_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Users\Admin\AppData\Local\Temp\9e650ebe1f98f3d263a6da174c98b14e_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\9e650ebe1f98f3d263a6da174c98b14e_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2796
- C:\Users\Admin\AppData\Local\Temp\9e650ebe1f98f3d263a6da174c98b14e_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\9e650ebe1f98f3d263a6da174c98b14e_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\2B1C.F94

Filesize
1KB

MD5
f3fd7f734765c2ea52dc431e63e19ff2

SHA1
cc7cf2031f49aafcee7195337fb672ea15888aaa

SHA256
16464be4336cbcf732d583af62b61687121a433323a1bf917df2f634b2af190d

SHA512
9c4bff911e893d1593e11aabd678be6e9256af9cb0d9c0e8562dc6a28ae6bc2613ccb06522a078236e68b74a4e22b90a476bac283a8418db5bf4688ab9a5f171

Download Submit
C:\Users\Admin\AppData\Roaming\2B1C.F94

Filesize
600B

MD5
5d78a3dcf9f42a007abe3b447e7ab88f

SHA1
809d83339d2f3d1e3adcc806799984639ccf8e99

SHA256
dcb1f3ff30daa3f176d0e1f2043fdf92b763ea2d93b540b6f64273bb3f8ba028

SHA512
7431762cfe5fb36f697796107b2d0cbb7e8d12e96d438adc04be325f3b7755faab4045a4db44582f06bae0153a3256503636332d4cafa0b24313123eaa26eaa0

Download Submit
C:\Users\Admin\AppData\Roaming\2B1C.F94

Filesize
996B

MD5
02654628e1cf8893bea24107fcbb5f2a

SHA1
4ec7bbe6dcbf2fcd7968cec4c45664d4530560c3

SHA256
43af74cc6e99c30f29d1c48141f644e187f6a9a1f647ef6eb240ed582a883b60

SHA512
1c1bac5af83c46b7e93e83e496631f0d7fdeb94077267ddb9c8a712835b0a1e4643fac563f830ae9bd9fcb4c47865a44a114618104679fea8441efbcb12e7bf7

Download Submit
memory/576-77-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/576-79-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1508-2-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1508-1-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1508-13-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1508-71-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1508-169-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2796-5-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2796-6-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download

Analysis

Sharing