cycbot | b5a6fd94288252ba8849b0e2a626c072b037a8eb6dd0c3e82d631969b6f4fda2

General

Target

cf9a4e373b940f0c2f0ca9f67b9670d9_JaffaCakes118.exe
Size

181KB
MD5

cf9a4e373b940f0c2f0ca9f67b9670d9
SHA1

505d13eb1f7f399f3b59e9a892da2fa794da74d6
SHA256

b5a6fd94288252ba8849b0e2a626c072b037a8eb6dd0c3e82d631969b6f4fda2
SHA512

c56e799ffa79a42dc1798dbfa12b477e2f24596243ba7e9d9616fe05dd827107a8aca2421d32eb0111880cec773f09137c6aa99d23e762481a63b78287d753f9
SSDEEP

3072:DYV8IYFjFmPmGAxJDMiSK9+JWf/6OmE0FsaoPdzvg6JfR7oCr3jL:DUnmYP8f/pf/6DFsaizv1R7

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2824-13-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/2176-14-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/2560-77-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/2176-181-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2176-2-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2824-12-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2824-13-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2176-14-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2560-77-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2176-181-0x0000000000400000-0x000000000044E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf9a4e373b940f0c2f0ca9f67b9670d9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf9a4e373b940f0c2f0ca9f67b9670d9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf9a4e373b940f0c2f0ca9f67b9670d9_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2824	2176	cf9a4e373b940f0c2f0ca9f67b9670d9_JaffaCakes118.exe	30
PID 2176 wrote to memory of 2824	2176	cf9a4e373b940f0c2f0ca9f67b9670d9_JaffaCakes118.exe	30
PID 2176 wrote to memory of 2824	2176	cf9a4e373b940f0c2f0ca9f67b9670d9_JaffaCakes118.exe	30
PID 2176 wrote to memory of 2824	2176	cf9a4e373b940f0c2f0ca9f67b9670d9_JaffaCakes118.exe	30
PID 2176 wrote to memory of 2560	2176	cf9a4e373b940f0c2f0ca9f67b9670d9_JaffaCakes118.exe	32
PID 2176 wrote to memory of 2560	2176	cf9a4e373b940f0c2f0ca9f67b9670d9_JaffaCakes118.exe	32
PID 2176 wrote to memory of 2560	2176	cf9a4e373b940f0c2f0ca9f67b9670d9_JaffaCakes118.exe	32
PID 2176 wrote to memory of 2560	2176	cf9a4e373b940f0c2f0ca9f67b9670d9_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\cf9a4e373b940f0c2f0ca9f67b9670d9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cf9a4e373b940f0c2f0ca9f67b9670d9_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Users\Admin\AppData\Local\Temp\cf9a4e373b940f0c2f0ca9f67b9670d9_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\cf9a4e373b940f0c2f0ca9f67b9670d9_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2824
- C:\Users\Admin\AppData\Local\Temp\cf9a4e373b940f0c2f0ca9f67b9670d9_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\cf9a4e373b940f0c2f0ca9f67b9670d9_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\B208.426

Filesize
1KB

MD5
8ab87b43166ae20b3b3f24e5d0aff438

SHA1
1022ec56f473a4cdede3d9c1c0cb3ccda79cb9f0

SHA256
548341f83ce5fa88e0e34d39071207944f8c417988ad77a8018e29bf2b787428

SHA512
2848865917c77687dfe71b024c2efa85aacf8885d715df7a59a6deced1a42349ee81a9032f12657bacab609bc5b65a10c701fa10e01733c938df654fe376a9ae

Download Submit
C:\Users\Admin\AppData\Roaming\B208.426

Filesize
1KB

MD5
e1ca426d3e99d16539b23bd0eef42094

SHA1
45973d5236f57cb8fb48ea4e2f52839644911e4a

SHA256
c8a502cc78b6743008b2c279f5e7f0aa2479954fb3b164bf4799decd83db1683

SHA512
605d8fe874b08dcb72d71174a7e518295cc57bd8c0466320c0e1ce626d3cbd4ae97e623e74024dc29452656d722081a4bcded856a603203fb3351bf1da8aeeea

Download Submit
C:\Users\Admin\AppData\Roaming\B208.426

Filesize
600B

MD5
8f788f5e5543eec49e1c0c873b352836

SHA1
cca96e86f2b1b57e07c96a120d8a1e704ee81c89

SHA256
e26ad00123ffa3c219a1c7aa55879a8332d9b4690f1fd5a0515f7d1e17068e74

SHA512
04c6b8090b0ee903c3a2f006c86dd96ee1b33ea7b5a68594cbfe1044a5d919c53b4b5ab97172ada13ede07f3dfea72424b3b946ac957639288338395bbde7029

Download Submit
C:\Users\Admin\AppData\Roaming\B208.426

Filesize
996B

MD5
3acab76f85821684591b5e95ba03c8f2

SHA1
34d8a7d5d7c6df636ed970274f3cca95ccdad0af

SHA256
3f33a89db2221129bb6f487eea2e7ee1b1d9f9292a3340b33a13c2965439c45c

SHA512
0440fe9e1d19f47f33ce2bac029a3aa49d2c5f01f69c394eb55340e87f146f9ca516218f23f1fb282b66d7d2f314bee1038c394660a8f3259848bac7a98062c9

Download Submit
memory/2176-1-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2176-2-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2176-14-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2176-181-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2560-77-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2824-12-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2824-13-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing