cycbot | ab70fbbaace936789134eeb5fd44487fcc4e4d4d6a515a55198c56ede890e22a

General

Target

9f4143d53ede1d1cccd420b6f11b1c85_JaffaCakes118.exe
Size

193KB
MD5

9f4143d53ede1d1cccd420b6f11b1c85
SHA1

2eaa73512b6b7d4ba114375b52a83686c5a41bfb
SHA256

ab70fbbaace936789134eeb5fd44487fcc4e4d4d6a515a55198c56ede890e22a
SHA512

14ded7cd5b61000ddade9176906a76d9f3a4ccd908a238fcc6c2cdd932265cd6914e4d09d69ca5348d2f28305b82b1d882fe5c16f2a10a68e4baf3dec7bca952
SSDEEP

6144:PUm6IeNjMgdL6Q5SL6+JFst4LH3lX82x6cyH5f3wR:cRNj96Q56Fst4L1TxZi5PwR

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2332-8-0x0000000000400000-0x0000000000469000-memory.dmp	family_cycbot
behavioral1/memory/2552-16-0x0000000000400000-0x0000000000469000-memory.dmp	family_cycbot
behavioral1/memory/2328-79-0x0000000000400000-0x0000000000469000-memory.dmp	family_cycbot
behavioral1/memory/2552-178-0x0000000000400000-0x0000000000469000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2552-2-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2332-8-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2332-6-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2552-16-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2328-79-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2552-178-0x0000000000400000-0x0000000000469000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9f4143d53ede1d1cccd420b6f11b1c85_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9f4143d53ede1d1cccd420b6f11b1c85_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9f4143d53ede1d1cccd420b6f11b1c85_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 2332	2552	9f4143d53ede1d1cccd420b6f11b1c85_JaffaCakes118.exe	30
PID 2552 wrote to memory of 2332	2552	9f4143d53ede1d1cccd420b6f11b1c85_JaffaCakes118.exe	30
PID 2552 wrote to memory of 2332	2552	9f4143d53ede1d1cccd420b6f11b1c85_JaffaCakes118.exe	30
PID 2552 wrote to memory of 2332	2552	9f4143d53ede1d1cccd420b6f11b1c85_JaffaCakes118.exe	30
PID 2552 wrote to memory of 2328	2552	9f4143d53ede1d1cccd420b6f11b1c85_JaffaCakes118.exe	32
PID 2552 wrote to memory of 2328	2552	9f4143d53ede1d1cccd420b6f11b1c85_JaffaCakes118.exe	32
PID 2552 wrote to memory of 2328	2552	9f4143d53ede1d1cccd420b6f11b1c85_JaffaCakes118.exe	32
PID 2552 wrote to memory of 2328	2552	9f4143d53ede1d1cccd420b6f11b1c85_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\9f4143d53ede1d1cccd420b6f11b1c85_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9f4143d53ede1d1cccd420b6f11b1c85_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Users\Admin\AppData\Local\Temp\9f4143d53ede1d1cccd420b6f11b1c85_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\9f4143d53ede1d1cccd420b6f11b1c85_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2332
- C:\Users\Admin\AppData\Local\Temp\9f4143d53ede1d1cccd420b6f11b1c85_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\9f4143d53ede1d1cccd420b6f11b1c85_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\102E.701

Filesize
1KB

MD5
c9ed5a62a20742dc48d97bc7a7795843

SHA1
fef15097b241b6ed1ea4bb0badbcd16f131b93ef

SHA256
d29ae63f1493eae5891ed232d458bd85a056cab7dae719f197975cf3df2ff767

SHA512
b44d3dbcc00d27cbf727feed36ff4c55e9d2b0650fa6a89fe4522003ff49f13bb0aef02f223fc05ad3322ea83a5a8ea3fcd69f475644e3398e9e736df92ee4eb

Download Submit
C:\Users\Admin\AppData\Roaming\102E.701

Filesize
600B

MD5
1c28e045c203e6b607b276ac794360b6

SHA1
df144e11bbafc7c5763ee581c261214a3c0a943d

SHA256
936ca355ebefbb2ee7264b668148876fcec042f6f0209b3704bdbd925b99785d

SHA512
b03a47ad4dd9d8b19e7ae7e4680ab3115ee341ce174cd951212c00ea2d275fbe84db21a7bcbbca9cceabb52152e7baa6887fe57c8945ee2974aeb532b29d269d

Download Submit
C:\Users\Admin\AppData\Roaming\102E.701

Filesize
996B

MD5
679398a7b4d2fa8837c6bdb875b266dd

SHA1
c28c1aef1c39a3ac9d7bb76efdf40e2c47ebb7d8

SHA256
6c2606bbb4a311b70259e143bd39f331adac5565134e1d5ebfb1d2126d3d5a97

SHA512
2de440f0769e9c34eebf1639d35d8b79e3d34954a99a5efd0bcf12dcb52b36192faee250757d9fd615c417600da4e1ab53fa24049d6d89f0b0f2eaf1c2048e18

Download Submit
memory/2328-79-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2332-5-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2332-8-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2332-6-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2552-1-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2552-2-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2552-16-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2552-178-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download

Analysis

Sharing