cycbot | f8cc35b3a05ef14f0d29cbb6dec90967c0f94481c6dee2a888b407ffa34599fc

General

Target

d2e1b84666f8d3601b3cac019065331d_JaffaCakes118.exe
Size

191KB
MD5

d2e1b84666f8d3601b3cac019065331d
SHA1

68c10f67795643a830b99573dd8f15ffa4c61867
SHA256

f8cc35b3a05ef14f0d29cbb6dec90967c0f94481c6dee2a888b407ffa34599fc
SHA512

8e697fddbd64e2bbb79c95bcc7da57c4aab9869c203e66fea365dd0e3a9d6d52b10a974078ef097d54a04e504c4a1513f4ffa9eedf481f690bcfc02190197c3a
SSDEEP

3072:aPrcNY+evWLp/is9W6kxl9NnBne6ItAKz1XDN3tGcjeGShKuBaGirak5LXzgQzsT:aANTevO3WHdHIeKz1TN3njeG7ak5Dzlf

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2748-7-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/2748-9-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/1900-14-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/3012-87-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/1900-155-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1900-1-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2748-7-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2748-9-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/1900-14-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/3012-87-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/1900-155-0x0000000000400000-0x000000000044E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2e1b84666f8d3601b3cac019065331d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2e1b84666f8d3601b3cac019065331d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2e1b84666f8d3601b3cac019065331d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 2748	1900	d2e1b84666f8d3601b3cac019065331d_JaffaCakes118.exe	30
PID 1900 wrote to memory of 2748	1900	d2e1b84666f8d3601b3cac019065331d_JaffaCakes118.exe	30
PID 1900 wrote to memory of 2748	1900	d2e1b84666f8d3601b3cac019065331d_JaffaCakes118.exe	30
PID 1900 wrote to memory of 2748	1900	d2e1b84666f8d3601b3cac019065331d_JaffaCakes118.exe	30
PID 1900 wrote to memory of 3012	1900	d2e1b84666f8d3601b3cac019065331d_JaffaCakes118.exe	32
PID 1900 wrote to memory of 3012	1900	d2e1b84666f8d3601b3cac019065331d_JaffaCakes118.exe	32
PID 1900 wrote to memory of 3012	1900	d2e1b84666f8d3601b3cac019065331d_JaffaCakes118.exe	32
PID 1900 wrote to memory of 3012	1900	d2e1b84666f8d3601b3cac019065331d_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\d2e1b84666f8d3601b3cac019065331d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d2e1b84666f8d3601b3cac019065331d_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Users\Admin\AppData\Local\Temp\d2e1b84666f8d3601b3cac019065331d_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d2e1b84666f8d3601b3cac019065331d_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2748
- C:\Users\Admin\AppData\Local\Temp\d2e1b84666f8d3601b3cac019065331d_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d2e1b84666f8d3601b3cac019065331d_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\65DE.DF4

Filesize
1KB

MD5
3229152a0e758efc6e41e1f7016fd374

SHA1
26c656338685bc777373f0ea83ad7bd0219ce30d

SHA256
93ad815892597d03d305c885220f97aab3c07bb461d755e66db08bd57939ba2d

SHA512
d2446b46a2585387f3ce685e5c0e4107546d5fd1655eb1adcb84bb00a669727f83811435c842fd4f3b8df9ceed1b349dedda485bf51fe00fe8d2fa09cc9c8ce3

Download Submit
C:\Users\Admin\AppData\Roaming\65DE.DF4

Filesize
600B

MD5
faeb9ed406836c46cfd12365864748e6

SHA1
a5d5c4d1f6c3f48c0f2ec8b99a171202435c4b70

SHA256
3fe10fca786373163c9f4a216f0134ec48718f94b4dde240ec4dcaf44dca090f

SHA512
dea9e9643d721d82c423e475b0aec8a2fe3f0a99a8fce072a9d62f1023b371a8043a63e5615b73fbd66c50f11bf0ee90176516dcefec51a045c4b6f1856ee5d1

Download Submit
C:\Users\Admin\AppData\Roaming\65DE.DF4

Filesize
996B

MD5
acae5d8e18dd3e2d2eaf8b81b891a363

SHA1
b693fbd884d71d32201db037ba623bd5e95bc7f8

SHA256
62a2120ba36767a60ef9f716ed43b626bfdd59b442f457cafe130a04595aa4b5

SHA512
10420262e21d34245966a81b97519257a68c57e108320849ec6c97e4aeb648193564a1565c321a6fec6d5a2dbed3e51d619db4eb9bfa82ca54eb2d88595c1865

Download Submit
memory/1900-1-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1900-14-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1900-155-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2748-7-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2748-9-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3012-85-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3012-87-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing