cycbot | 69ae7d81eb9d62b16a92c83c337f713c43c5c31b43d85b5ee3d82411381bf0fb

General

Target

d1acdfb5b72389d344febdafc9c3fb27_JaffaCakes118.exe
Size

193KB
MD5

d1acdfb5b72389d344febdafc9c3fb27
SHA1

d67ecd616a05deaebc54698dbe0cbd2db0ca8a15
SHA256

69ae7d81eb9d62b16a92c83c337f713c43c5c31b43d85b5ee3d82411381bf0fb
SHA512

f08c537f35bcd87d76c64bec876e4281bf7ab52ace2491844005a80e9d6691f2e3abead39aa5066731ed940aead2e427a98f1efbcd20515e5cac587cd1df5c86
SSDEEP

3072:QXebiNyM8ceOGd/L6Tr27tErhSAnvG6FJgztyvhobyv9Feyq+imnDXZKsz:QfivOI2+QhSANJg50KbuFeyq+imnDf

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2596-8-0x0000000000400000-0x0000000000469000-memory.dmp	family_cycbot
behavioral1/memory/2620-20-0x0000000000400000-0x0000000000469000-memory.dmp	family_cycbot
behavioral1/memory/1380-91-0x0000000000400000-0x0000000000469000-memory.dmp	family_cycbot
behavioral1/memory/2620-215-0x0000000000400000-0x0000000000469000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2620-2-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2596-7-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2596-8-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2620-20-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/1380-91-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2620-215-0x0000000000400000-0x0000000000469000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1acdfb5b72389d344febdafc9c3fb27_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1acdfb5b72389d344febdafc9c3fb27_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1acdfb5b72389d344febdafc9c3fb27_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2620 wrote to memory of 2596	2620	d1acdfb5b72389d344febdafc9c3fb27_JaffaCakes118.exe	30
PID 2620 wrote to memory of 2596	2620	d1acdfb5b72389d344febdafc9c3fb27_JaffaCakes118.exe	30
PID 2620 wrote to memory of 2596	2620	d1acdfb5b72389d344febdafc9c3fb27_JaffaCakes118.exe	30
PID 2620 wrote to memory of 2596	2620	d1acdfb5b72389d344febdafc9c3fb27_JaffaCakes118.exe	30
PID 2620 wrote to memory of 1380	2620	d1acdfb5b72389d344febdafc9c3fb27_JaffaCakes118.exe	33
PID 2620 wrote to memory of 1380	2620	d1acdfb5b72389d344febdafc9c3fb27_JaffaCakes118.exe	33
PID 2620 wrote to memory of 1380	2620	d1acdfb5b72389d344febdafc9c3fb27_JaffaCakes118.exe	33
PID 2620 wrote to memory of 1380	2620	d1acdfb5b72389d344febdafc9c3fb27_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\d1acdfb5b72389d344febdafc9c3fb27_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d1acdfb5b72389d344febdafc9c3fb27_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Users\Admin\AppData\Local\Temp\d1acdfb5b72389d344febdafc9c3fb27_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d1acdfb5b72389d344febdafc9c3fb27_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2596
- C:\Users\Admin\AppData\Local\Temp\d1acdfb5b72389d344febdafc9c3fb27_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d1acdfb5b72389d344febdafc9c3fb27_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\0419.521

Filesize
597B

MD5
d1a9ea54f748ee27ece3e9b10fe7c9b3

SHA1
690b896598a060fdd7b346b40364d08c9419589f

SHA256
22ca1a6b821816b1b392522c3809e34a080c7d6bf46330d6d6f88f296172b6b0

SHA512
f964445b18cca034e8b2c7d3af994c10a782e2e13a6dc6658296c43718c968fbd4e37b6a16966388974a4e38fcfa68774cd3a1425e7342edd2c986738cbc2cf5

Download Submit
C:\Users\Admin\AppData\Roaming\0419.521

Filesize
2KB

MD5
2fd4897647c229e8ce0b39b36589be4d

SHA1
e373da641df4615484953546daddc6257edf0868

SHA256
3e5ba7d0ef8cd5a402af53e83287969a1e77d37d50639bbd68e4711b63b4a5dc

SHA512
52c3d2347d08f31b7ce6db30d3a08e1a97499190c3458978a69d37430525762827b931dc2be006b4bbe48fbdbca04f6f8890fd149f466194d1a266b726ef50ec

Download Submit
C:\Users\Admin\AppData\Roaming\0419.521

Filesize
897B

MD5
70b50d28a4a5edfdcce511834a0740fb

SHA1
602c44d9c50c9fef17066227d4908941eddaa2b4

SHA256
58c499b87ba836bbda24b0de435920d798d96dcade8c2e06a512fd75c7f4e023

SHA512
4b123b21e3637dd59436a52c4f218e6054d4bd4787a4c4c8c2d00b333f0a16ed4cbc8ab2cc43260caca407ef394c6867c043de9f1508637d58bcd1209c970559

Download Submit
C:\Users\Admin\AppData\Roaming\0419.521

Filesize
1KB

MD5
77c03af3a71d51eeea693bb13070b5d8

SHA1
dafd5dd38cf07570513086fb15448e3c08d66142

SHA256
c6af65ab527482ff053b05bf7e20b9874e8cb05915ca143967bb0c0f55eda746

SHA512
9b71aefc0e24169dcd96d4041c7d023b427f0c37cecf7083c2234fac94260256b1a2d565416d7a09eb5f5fdec0d08580f1ea0623662b741986af93523802fb11

Download Submit
memory/1380-91-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2596-7-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2596-8-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2620-2-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2620-1-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2620-20-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2620-215-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download

Analysis

Sharing