cycbot | e9e505847ba63f69437c8a44a1ea2e427c49ec8f7b473aa2cd5345e4146fadf4

General

Target

c60d1ebe30b0cec37a80c0727d66eaca_JaffaCakes118.exe
Size

213KB
MD5

c60d1ebe30b0cec37a80c0727d66eaca
SHA1

aaa09764dccf7dae7f5e1ab5f19685463b6c533f
SHA256

e9e505847ba63f69437c8a44a1ea2e427c49ec8f7b473aa2cd5345e4146fadf4
SHA512

e6413d5da88c83155b0fb8560a415efb1e739a3f6a8b03a28a1abe15bc33e704058f7b3f78ea58f0c7591f2aef4f9fbe7f90479891ad91668ad093a74412a111
SSDEEP

3072:AHNK5/7rSKZe11eiV5Aok9SUVd/n4d8jiITCRD8bPsv6adrQoJyc/7SD9G0xNVZz:AtMDGKI1YXoqSSdOlvX0oJyc/730xNV

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2396-6-0x0000000000400000-0x000000000044F000-memory.dmp	family_cycbot
behavioral1/memory/2408-14-0x0000000000400000-0x000000000044F000-memory.dmp	family_cycbot
behavioral1/memory/672-90-0x0000000000400000-0x000000000044F000-memory.dmp	family_cycbot
behavioral1/memory/2408-198-0x0000000000400000-0x000000000044F000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2408-2-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2396-5-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2396-6-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2408-14-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/672-89-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/672-90-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2408-198-0x0000000000400000-0x000000000044F000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c60d1ebe30b0cec37a80c0727d66eaca_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c60d1ebe30b0cec37a80c0727d66eaca_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c60d1ebe30b0cec37a80c0727d66eaca_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 2396	2408	c60d1ebe30b0cec37a80c0727d66eaca_JaffaCakes118.exe	30
PID 2408 wrote to memory of 2396	2408	c60d1ebe30b0cec37a80c0727d66eaca_JaffaCakes118.exe	30
PID 2408 wrote to memory of 2396	2408	c60d1ebe30b0cec37a80c0727d66eaca_JaffaCakes118.exe	30
PID 2408 wrote to memory of 2396	2408	c60d1ebe30b0cec37a80c0727d66eaca_JaffaCakes118.exe	30
PID 2408 wrote to memory of 672	2408	c60d1ebe30b0cec37a80c0727d66eaca_JaffaCakes118.exe	32
PID 2408 wrote to memory of 672	2408	c60d1ebe30b0cec37a80c0727d66eaca_JaffaCakes118.exe	32
PID 2408 wrote to memory of 672	2408	c60d1ebe30b0cec37a80c0727d66eaca_JaffaCakes118.exe	32
PID 2408 wrote to memory of 672	2408	c60d1ebe30b0cec37a80c0727d66eaca_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\c60d1ebe30b0cec37a80c0727d66eaca_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c60d1ebe30b0cec37a80c0727d66eaca_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Users\Admin\AppData\Local\Temp\c60d1ebe30b0cec37a80c0727d66eaca_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\c60d1ebe30b0cec37a80c0727d66eaca_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2396
- C:\Users\Admin\AppData\Local\Temp\c60d1ebe30b0cec37a80c0727d66eaca_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\c60d1ebe30b0cec37a80c0727d66eaca_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\5B85.B75

Filesize
1KB

MD5
c0c682de6637d44b33171978250f38a4

SHA1
2e9c16a99335e8355291bcc91d53f60fd4a1b81e

SHA256
f4fb26821b19f69dbf13decc40f484454b4e727761b1d15916b896f34c53e4e4

SHA512
e554a8804caec572e03f2a9a1f63b35dc8a8ac9be30f6a4fd886a43d878eaa849d1df19dcb5a4ec0e87639008b5712f2d8e286921376eefad7e3ec7c855bb0b8

Download Submit
C:\Users\Admin\AppData\Roaming\5B85.B75

Filesize
600B

MD5
a3d1b8cd8a7cb9d709a56c9b5902383f

SHA1
e1706896e7c585f92636ec376ecc9cc29f752160

SHA256
168e03c14a2edeffddc26f34bb494ff3a3376e33354522d91f39073d6cd0d512

SHA512
e2098d1dc5d433e54ea330bdac60b52f49201628ba8632fe748a7cb8e152b7300019848f6f0369bc321186aa0ee0737fbf39bd2730822ba9602906c2dd22d0f3

Download Submit
C:\Users\Admin\AppData\Roaming\5B85.B75

Filesize
996B

MD5
7cc69689cafb8808e380d11d6e6b1571

SHA1
ff59b63200076f8a5df2f1f44d3960831b070d01

SHA256
9375a27f64e6db24f91fa4a3a786186fbab449815ddeddab08d44f76754ef894

SHA512
7a5ebf5bf940ad217834fd232423f105e6620c2cc5a4d75e22d2fa56a3b34ddc8636b12d02148b6cdde1e8c9102ef50bd79d318a0a91cf530cbf4b4d81a420bf

Download Submit
memory/672-89-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/672-90-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2396-5-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2396-6-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2408-1-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2408-2-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2408-14-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2408-198-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download

Analysis

Sharing