cycbot | b61c1915025bf4252ee8f101ed2c392546466301584d6e93b72e49144ff39a5d

General

Target

cefec42acc092a5588221b10f29c36e7_JaffaCakes118.exe
Size

162KB
MD5

cefec42acc092a5588221b10f29c36e7
SHA1

873e8e6d3c3ba5006ae7811bc31c9da751e66926
SHA256

b61c1915025bf4252ee8f101ed2c392546466301584d6e93b72e49144ff39a5d
SHA512

3b5772b51658efde3f1701c3d97cd1543c6f59c25ac5aaefa35dce90f5ffe721606f27c053673261f967a0f459e43b3f795e2385fbfcbe9e2f33a57680780b80
SSDEEP

3072:8PyCt4CRzcJefyCj4s4Ln79U/46tejvxh/YqmwSf6KChmEFlsaN1ecxu/Vq3:CyKQef/4sGxjvxhrKklsG1esu/

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2980-6-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot
behavioral1/memory/2980-8-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot
behavioral1/memory/2708-16-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot
behavioral1/memory/2424-78-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot
behavioral1/memory/2708-188-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2708-2-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2980-6-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2980-8-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2980-5-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2708-16-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2424-76-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2424-78-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2708-188-0x0000000000400000-0x0000000000468000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cefec42acc092a5588221b10f29c36e7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cefec42acc092a5588221b10f29c36e7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cefec42acc092a5588221b10f29c36e7_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2980	2708	cefec42acc092a5588221b10f29c36e7_JaffaCakes118.exe	30
PID 2708 wrote to memory of 2980	2708	cefec42acc092a5588221b10f29c36e7_JaffaCakes118.exe	30
PID 2708 wrote to memory of 2980	2708	cefec42acc092a5588221b10f29c36e7_JaffaCakes118.exe	30
PID 2708 wrote to memory of 2980	2708	cefec42acc092a5588221b10f29c36e7_JaffaCakes118.exe	30
PID 2708 wrote to memory of 2424	2708	cefec42acc092a5588221b10f29c36e7_JaffaCakes118.exe	32
PID 2708 wrote to memory of 2424	2708	cefec42acc092a5588221b10f29c36e7_JaffaCakes118.exe	32
PID 2708 wrote to memory of 2424	2708	cefec42acc092a5588221b10f29c36e7_JaffaCakes118.exe	32
PID 2708 wrote to memory of 2424	2708	cefec42acc092a5588221b10f29c36e7_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\cefec42acc092a5588221b10f29c36e7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cefec42acc092a5588221b10f29c36e7_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Users\Admin\AppData\Local\Temp\cefec42acc092a5588221b10f29c36e7_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\cefec42acc092a5588221b10f29c36e7_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2980
- C:\Users\Admin\AppData\Local\Temp\cefec42acc092a5588221b10f29c36e7_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\cefec42acc092a5588221b10f29c36e7_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\7EA8.CA6

Filesize
1KB

MD5
cabbb39e9290d23a5f51099b0a7b2e44

SHA1
8ba484b4cd8afe1892cbda17cb03f58902294fd2

SHA256
8a437a7444c5b120a0644563238c1a701feb272b8c5c9d067df3c708703c61a4

SHA512
f1fc49f19f8e0023dc1feaba632d4e5bdda67a5a475bb90052db3e345afff6b4eb6ea0f9f897c434d190b1e7e4ab3095a8277fcde26cffb54340d3a999429280

Download Submit
C:\Users\Admin\AppData\Roaming\7EA8.CA6

Filesize
600B

MD5
08175babf18805f0f0cdb6d5b7fd45c4

SHA1
057aa0b1163b37485a22fbd438ebc947db8814c2

SHA256
30bfee7b111355ec8ab6d6b2bfeea39254fdbfd09308a737c3e526d13170c86a

SHA512
a5699a6588aa220f4e608d1474866ed12008b21b141aa777b636b8ff52af88e258e4ce0c3357cc4681f7383a430762bdfab689cf4eced1a2f095dc59bb906349

Download Submit
C:\Users\Admin\AppData\Roaming\7EA8.CA6

Filesize
996B

MD5
c0ec0cc7f4dfc58f43510edd76489b96

SHA1
e0e9ac1c6c76c27cc321575d18b96d6e9b9149dc

SHA256
fb18ef621b8433aee045d8bafb10b16367a874b56b52c0482a5a4f0e916afecc

SHA512
2d270c86ffb432b0b75fb3314514a61c7c8afae36c0cfff18704dd038e627b70dd074f2cd48f1fc6d00b8fd34575ded0a0025284fbfafeaccff05c0a6cf576da

Download Submit
memory/2424-78-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2424-76-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2424-75-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2708-16-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2708-1-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2708-2-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2708-188-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2980-5-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2980-8-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2980-6-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing