cycbot | 11cc39fb0708c55cdcb25a234719321f8ae0b319baa9023106498e12fc7e8ebc

General

Target

9859d1174b5baf5e20a214a5fdd43d66_JaffaCakes118.exe
Size

211KB
MD5

9859d1174b5baf5e20a214a5fdd43d66
SHA1

143e91a34336a58fb1970b78e58560abeae89c75
SHA256

11cc39fb0708c55cdcb25a234719321f8ae0b319baa9023106498e12fc7e8ebc
SHA512

0e3cea265eae92885995dde369fc9fa7269f8a1976d8d552545c0ede92e4103ff8d94318f1530a3fb01a88e0cddb86438d9fe7389c31267fcdf250acb69c1804
SSDEEP

6144:RYL80RD/VjhEV4/C47SU7G2XGEjwSMzF:iI8d9I4/3C2zwZF

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2776-8-0x0000000000400000-0x000000000044F000-memory.dmp	family_cycbot
behavioral1/memory/2232-16-0x0000000000400000-0x000000000044F000-memory.dmp	family_cycbot
behavioral1/memory/2484-76-0x0000000000400000-0x000000000044F000-memory.dmp	family_cycbot
behavioral1/memory/2232-181-0x0000000000400000-0x000000000044F000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2232-2-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2776-6-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2776-8-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2232-16-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2484-75-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2484-76-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2232-181-0x0000000000400000-0x000000000044F000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9859d1174b5baf5e20a214a5fdd43d66_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9859d1174b5baf5e20a214a5fdd43d66_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9859d1174b5baf5e20a214a5fdd43d66_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2776	2232	9859d1174b5baf5e20a214a5fdd43d66_JaffaCakes118.exe	31
PID 2232 wrote to memory of 2776	2232	9859d1174b5baf5e20a214a5fdd43d66_JaffaCakes118.exe	31
PID 2232 wrote to memory of 2776	2232	9859d1174b5baf5e20a214a5fdd43d66_JaffaCakes118.exe	31
PID 2232 wrote to memory of 2776	2232	9859d1174b5baf5e20a214a5fdd43d66_JaffaCakes118.exe	31
PID 2232 wrote to memory of 2484	2232	9859d1174b5baf5e20a214a5fdd43d66_JaffaCakes118.exe	33
PID 2232 wrote to memory of 2484	2232	9859d1174b5baf5e20a214a5fdd43d66_JaffaCakes118.exe	33
PID 2232 wrote to memory of 2484	2232	9859d1174b5baf5e20a214a5fdd43d66_JaffaCakes118.exe	33
PID 2232 wrote to memory of 2484	2232	9859d1174b5baf5e20a214a5fdd43d66_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\9859d1174b5baf5e20a214a5fdd43d66_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9859d1174b5baf5e20a214a5fdd43d66_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Temp\9859d1174b5baf5e20a214a5fdd43d66_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\9859d1174b5baf5e20a214a5fdd43d66_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2776
- C:\Users\Admin\AppData\Local\Temp\9859d1174b5baf5e20a214a5fdd43d66_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\9859d1174b5baf5e20a214a5fdd43d66_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\E526.0AE

Filesize
1KB

MD5
909162975a6c696cce3829374152f542

SHA1
533bb260f5c19710c709ffbf30d91dabe5203728

SHA256
e7957b9b460cc7be3cd4ae245fc94f9e309bc1def60495abfb423113ab760e89

SHA512
454c97a2aeea4ea694b15ae7e0010fe6f70bf3dc50842572358c613c00fe25baceb6f1658f2102beb70b20bb066eef9dd656612a21d42f5c08c800bcb82e1f13

Download Submit
C:\Users\Admin\AppData\Roaming\E526.0AE

Filesize
600B

MD5
0ca024f9756da03a7acb9752cfbb0b75

SHA1
d011cc873e376e401b6a6ca81b6d94c5cb7d1e12

SHA256
2f00e80d136bafb05a5f2f88592f7be29033597066c9cb8950bd6301da498124

SHA512
cb10e64c04ba247adddf558cfed1986f91a404197ca41500093f5135c9868a7c96a5cc02691d61fef0b901934d0dfd520d1a6c39b78f58c6bf51513587dcbd8c

Download Submit
C:\Users\Admin\AppData\Roaming\E526.0AE

Filesize
996B

MD5
44abb3db0b7ee37410f12929f085dac5

SHA1
5bc999bd0c8e9e40b16f8b42e0509e595d184fc2

SHA256
174c9049c48658b013fc2c5f27e833a5ff02600dda632074d11f892e98d420a9

SHA512
191cc4be90dd4524718b4d2e04ffa634aca45c9f1792a1bf2f456a6e5d3770c9106c45fbd883e9c31e80270b9a5f9519764d67fa9d7765fea7de429ba325ba1f

Download Submit
memory/2232-1-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2232-2-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2232-16-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2232-181-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2484-75-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2484-76-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2776-6-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2776-5-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2776-8-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download

Analysis

Sharing