cycbot | d7ba9793304e4c8d42668c0ea3dd36ba121714b7d2920c6685aeb64128dc7499

General

Target

a24cc87fadfcdbda3488c8e07c44d4aa_JaffaCakes118.exe
Size

193KB
MD5

a24cc87fadfcdbda3488c8e07c44d4aa
SHA1

0c13ff0810879d56418b5c6401ee6cee13ea7da0
SHA256

d7ba9793304e4c8d42668c0ea3dd36ba121714b7d2920c6685aeb64128dc7499
SHA512

757e24e69c99a5121ea1eb3b40940c2b785fbe7fecac8ef0f5432b20f1ddeb83deebcd78777f26dd12c7a736337d93a6f3b677d04ef6980f8e585324da38fb43
SSDEEP

6144:Wcb4V4syDyiAEGiS5aL2to11CuWYQQAYYYYFF0:WcbU4JDZAErSYae7d0QAY+FF0

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2796-7-0x0000000000400000-0x0000000000469000-memory.dmp	family_cycbot
behavioral1/memory/2644-15-0x0000000000400000-0x0000000000469000-memory.dmp	family_cycbot
behavioral1/memory/1152-83-0x0000000000400000-0x0000000000469000-memory.dmp	family_cycbot
behavioral1/memory/2644-182-0x0000000000400000-0x0000000000469000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2644-2-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2796-7-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2796-6-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2644-15-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/1152-82-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/1152-83-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2644-182-0x0000000000400000-0x0000000000469000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a24cc87fadfcdbda3488c8e07c44d4aa_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a24cc87fadfcdbda3488c8e07c44d4aa_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a24cc87fadfcdbda3488c8e07c44d4aa_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2796	2644	a24cc87fadfcdbda3488c8e07c44d4aa_JaffaCakes118.exe	30
PID 2644 wrote to memory of 2796	2644	a24cc87fadfcdbda3488c8e07c44d4aa_JaffaCakes118.exe	30
PID 2644 wrote to memory of 2796	2644	a24cc87fadfcdbda3488c8e07c44d4aa_JaffaCakes118.exe	30
PID 2644 wrote to memory of 2796	2644	a24cc87fadfcdbda3488c8e07c44d4aa_JaffaCakes118.exe	30
PID 2644 wrote to memory of 1152	2644	a24cc87fadfcdbda3488c8e07c44d4aa_JaffaCakes118.exe	32
PID 2644 wrote to memory of 1152	2644	a24cc87fadfcdbda3488c8e07c44d4aa_JaffaCakes118.exe	32
PID 2644 wrote to memory of 1152	2644	a24cc87fadfcdbda3488c8e07c44d4aa_JaffaCakes118.exe	32
PID 2644 wrote to memory of 1152	2644	a24cc87fadfcdbda3488c8e07c44d4aa_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\a24cc87fadfcdbda3488c8e07c44d4aa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a24cc87fadfcdbda3488c8e07c44d4aa_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Users\Admin\AppData\Local\Temp\a24cc87fadfcdbda3488c8e07c44d4aa_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\a24cc87fadfcdbda3488c8e07c44d4aa_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2796
- C:\Users\Admin\AppData\Local\Temp\a24cc87fadfcdbda3488c8e07c44d4aa_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\a24cc87fadfcdbda3488c8e07c44d4aa_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\60CF.B7D

Filesize
1KB

MD5
b26c368168007eb8b3e467f77e6d379e

SHA1
10c9b067e106f4d4157624bf445bcefeb6355d82

SHA256
6c8be950423b2335b3faca1cacdf6410fbf2f0ecc336f370152050d43e640bbd

SHA512
aab5ff577281b0fc400fe69246108ed5b02948be711a71b369ce752d7ac5c7252500ebb6afb88d0cff8216d0656194a2dd977d7fd585445e237f4d7448e40662

Download Submit
C:\Users\Admin\AppData\Roaming\60CF.B7D

Filesize
1KB

MD5
a891b0e81eba038d4fe3fecc196fa085

SHA1
83093aa1c09bf7b52435804e5b1ef1aa0ff869ef

SHA256
3ba9eb542040e35288db34c5f7a9dc144e274d43f89aca0395a9339c78c6c288

SHA512
0ff99bb6c4242688df195e47cd9cd92c82d7df530ebeeee78041a0da076ce5c934f5fe79695df97037aafbd3908ea9eeb1283191450b7f69732c02541a09d52c

Download Submit
C:\Users\Admin\AppData\Roaming\60CF.B7D

Filesize
600B

MD5
0625404690cf5f18cb16a8825868297f

SHA1
39e677ec61f61c23e61d7ad7f9a8fe043ea3631e

SHA256
5d4a74b4e73753e8e33c77d4439c47a9108af198c9763d7f7f65f0db8bb6e7a4

SHA512
3289241eebecac2db96af41feebbd4e4702721e7e19b6040d338b09f7eb3ec00f20a6b49f026a017f6f24ff3d65471fe0a930a16c38be77c971263431900d2c5

Download Submit
C:\Users\Admin\AppData\Roaming\60CF.B7D

Filesize
996B

MD5
b8b4b8929d67e493efb6b4f9be737cf3

SHA1
0a056e55b7ec6b6341dde97fb8bcabf87cacaf91

SHA256
d4f76904d50af02187203b604b7691cb6539e6b0a2c9dd462dbeba11092ca934

SHA512
435ca6ac4e5ad2156e22d2d3ecdb615c432c09a88fd81f8b717f28e6b2a06184b45fc455426d72baa66da066c76ed9bdcd63af8334ae5628e5713e06684f879e

Download Submit
memory/1152-82-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1152-83-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2644-15-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2644-1-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2644-2-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2644-182-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2796-5-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2796-6-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2796-7-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download

Analysis

Sharing