cycbot | 9e797e2a0e977ca727e298287a90a223d40a950f4a7126af1fbdf99e03e39b46

General

Target

ccc098c32b2f8d8bf219f2b2417f0967_JaffaCakes118.exe
Size

177KB
MD5

ccc098c32b2f8d8bf219f2b2417f0967
SHA1

b0b5297e4cc1797230890c46433f22a5d7c9042a
SHA256

9e797e2a0e977ca727e298287a90a223d40a950f4a7126af1fbdf99e03e39b46
SHA512

67dfe74c2e98e57af134f5e50c95fdb500f5c1880a99087dbc4191cb2249d2f865a68b638b9fcceaf557487cd69746389f0819b617c91bd7b1929ec64efca38e
SSDEEP

3072:NFPzJiOI/uXX2IQO3FT4HBV836ixVe4ZojZMWutBSkaB8pP:XPzMOGuv9TIV83hbebjqWutBSka

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2336-15-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral1/memory/2488-16-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral1/memory/540-83-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral1/memory/2488-183-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2488-2-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2336-13-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2336-12-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2336-15-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2488-16-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/540-81-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/540-83-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2488-183-0x0000000000400000-0x000000000046B000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ccc098c32b2f8d8bf219f2b2417f0967_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ccc098c32b2f8d8bf219f2b2417f0967_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ccc098c32b2f8d8bf219f2b2417f0967_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 2336	2488	ccc098c32b2f8d8bf219f2b2417f0967_JaffaCakes118.exe	31
PID 2488 wrote to memory of 2336	2488	ccc098c32b2f8d8bf219f2b2417f0967_JaffaCakes118.exe	31
PID 2488 wrote to memory of 2336	2488	ccc098c32b2f8d8bf219f2b2417f0967_JaffaCakes118.exe	31
PID 2488 wrote to memory of 2336	2488	ccc098c32b2f8d8bf219f2b2417f0967_JaffaCakes118.exe	31
PID 2488 wrote to memory of 540	2488	ccc098c32b2f8d8bf219f2b2417f0967_JaffaCakes118.exe	33
PID 2488 wrote to memory of 540	2488	ccc098c32b2f8d8bf219f2b2417f0967_JaffaCakes118.exe	33
PID 2488 wrote to memory of 540	2488	ccc098c32b2f8d8bf219f2b2417f0967_JaffaCakes118.exe	33
PID 2488 wrote to memory of 540	2488	ccc098c32b2f8d8bf219f2b2417f0967_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\ccc098c32b2f8d8bf219f2b2417f0967_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ccc098c32b2f8d8bf219f2b2417f0967_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Users\Admin\AppData\Local\Temp\ccc098c32b2f8d8bf219f2b2417f0967_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\ccc098c32b2f8d8bf219f2b2417f0967_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2336
- C:\Users\Admin\AppData\Local\Temp\ccc098c32b2f8d8bf219f2b2417f0967_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\ccc098c32b2f8d8bf219f2b2417f0967_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\5B48.255

Filesize
1KB

MD5
275fa24445f085208c37aefd3ba29a27

SHA1
f0824fb5eefef4d3efe427ba6d0d0bc53c0abb7b

SHA256
ef7079a58b83a8e2ec9df368312ab6245c0a7c1407eff95ffa6bd658140d7e1d

SHA512
56e9a2d6f58e168afb881a1c98f720f8262b6d8c99993e7f465adac34e40451d0329fc62c60a671ff7437e2abf0835fb572c41a0950089c50f6a35f65e4d0765

Download Submit
C:\Users\Admin\AppData\Roaming\5B48.255

Filesize
600B

MD5
db934703805657d12b49675ea486c829

SHA1
93e83829443b5142b296047730fc537efa5be5bd

SHA256
258797454ca13dde746ee2fc471361221b703ccb4f93c0eaf65f2b41ea918bae

SHA512
898b89109e17b7f4312d2b178178021f360c5a917e8ca392d0c87eb1cd0ee263d2a9926e0d8baea9f36007a670eac101a9b9cd32695cb8c0a8f56423b1a67b51

Download Submit
C:\Users\Admin\AppData\Roaming\5B48.255

Filesize
996B

MD5
12cb64b2862b4f826cf24dafbae1d63b

SHA1
1455f3ab6e3a55bcba5eab1821c27eb5a1f1d4f1

SHA256
4ddf82924f2e79a625af3adffb11595958a590b9885df4b4950ad6471f8d9eae

SHA512
931fcbc22244c61142b79427223e19592b819832eb4ea24d1b1ab44d79046f927edc018c605d616297fad47b52ddad358d13d66a6ac48914f0eb5a45196793e0

Download Submit
memory/540-81-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/540-83-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2336-13-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2336-12-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2336-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2488-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2488-2-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2488-16-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2488-183-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing