cycbot | e161d4a4ec075de6f327f14db302f5f0df5efe6a05f83c0a7130d20869ec162d

General

Target

a17add97a84776d46ffd445104d93633_JaffaCakes118.exe
Size

169KB
MD5

a17add97a84776d46ffd445104d93633
SHA1

ac65d123408b6b09ef444c3270912e5e8fd163ea
SHA256

e161d4a4ec075de6f327f14db302f5f0df5efe6a05f83c0a7130d20869ec162d
SHA512

244d98e8cf0cfc7d0ae66e58c1781a763900a4678dacd5da4e2c516c6ce13bf2363d3ba0c32c2772e02c90c1c5c11bbb9504bcb9cb95c7f1513f44fba83736ab
SSDEEP

3072:0aC+E0218y7tsCulUu1qRD3afS2mkNYwfJITgGVWG8PfM904OWo:0aC+EZ/xZuau1n6CbM904OW

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2652-6-0x0000000000400000-0x0000000000462000-memory.dmp	family_cycbot
behavioral1/memory/3036-13-0x0000000000400000-0x0000000000462000-memory.dmp	family_cycbot
behavioral1/memory/2864-78-0x0000000000400000-0x0000000000462000-memory.dmp	family_cycbot
behavioral1/memory/3036-166-0x0000000000400000-0x0000000000462000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3036-2-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/2652-5-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/2652-6-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/3036-13-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/2864-77-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/2864-78-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/3036-166-0x0000000000400000-0x0000000000462000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a17add97a84776d46ffd445104d93633_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a17add97a84776d46ffd445104d93633_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a17add97a84776d46ffd445104d93633_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 2652	3036	a17add97a84776d46ffd445104d93633_JaffaCakes118.exe	30
PID 3036 wrote to memory of 2652	3036	a17add97a84776d46ffd445104d93633_JaffaCakes118.exe	30
PID 3036 wrote to memory of 2652	3036	a17add97a84776d46ffd445104d93633_JaffaCakes118.exe	30
PID 3036 wrote to memory of 2652	3036	a17add97a84776d46ffd445104d93633_JaffaCakes118.exe	30
PID 3036 wrote to memory of 2864	3036	a17add97a84776d46ffd445104d93633_JaffaCakes118.exe	32
PID 3036 wrote to memory of 2864	3036	a17add97a84776d46ffd445104d93633_JaffaCakes118.exe	32
PID 3036 wrote to memory of 2864	3036	a17add97a84776d46ffd445104d93633_JaffaCakes118.exe	32
PID 3036 wrote to memory of 2864	3036	a17add97a84776d46ffd445104d93633_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\a17add97a84776d46ffd445104d93633_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a17add97a84776d46ffd445104d93633_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Users\Admin\AppData\Local\Temp\a17add97a84776d46ffd445104d93633_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\a17add97a84776d46ffd445104d93633_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2652
- C:\Users\Admin\AppData\Local\Temp\a17add97a84776d46ffd445104d93633_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\a17add97a84776d46ffd445104d93633_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\6392.1E8

Filesize
1KB

MD5
50b0f3273a7eb47e8151dbe7b8d93ee1

SHA1
6debc6525606abfe63a8d9e059fb0cce3c1980ca

SHA256
802df57b7ae71375f5fb7f7ee2e4185953a0af4c543a2f887882cc7d15876175

SHA512
f3d9c5fda8b815ddd083fd56e6b0425213d09bae89158a4dd3f4c5161741275dea7e94904a644124b37d1e20b4ac73d35ecf87451595741c750c93871f935c21

Download Submit
C:\Users\Admin\AppData\Roaming\6392.1E8

Filesize
600B

MD5
1a00c8716c10c15ebf5d24628ed00f3e

SHA1
d1aeba3514c6308b4b85341b3337719b477d98c5

SHA256
f944343becd0de981a5736fc40598d8f96a5b1e8cd1f5925a5e323b2baa3d877

SHA512
89c6faa84a960c614d59c4dba1a4d19f6745d370c3514b5effec26a62eafe337300cf688fffb7ccd19b99604b55f63ccd4006c408a2cea7d5059ba710b924df4

Download Submit
C:\Users\Admin\AppData\Roaming\6392.1E8

Filesize
996B

MD5
13b155bbd61eb5d23682e289c1a52c1c

SHA1
22db5bf36dc72d496848198118c2a80464979bcc

SHA256
4fc5d9f93f3db3a094671459fbde3a26ed321034a360e8db995da7afadd8b743

SHA512
69e5a0ff785018d89e0ce83700aaeb7db7835f9b0f04d17062306751a7cc0906fdc76508361628f5c1d8eb1ce5bfa0d5e4c4c73366b348c7f23a97bc22d47e4b

Download Submit
memory/2652-5-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2652-6-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2864-77-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2864-78-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3036-1-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3036-2-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3036-13-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3036-166-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download

Analysis

Sharing