cycbot | bd66a4948e12eae6ef66adb51aa0ae8cab4b78176c82f804b762bd02ade6e0b1

General

Target

d473334c10fbb5e8b68e452f82492845_JaffaCakes118.exe
Size

173KB
MD5

d473334c10fbb5e8b68e452f82492845
SHA1

0492c5a3d403bbf3c47064a203c6865ef0d53aed
SHA256

bd66a4948e12eae6ef66adb51aa0ae8cab4b78176c82f804b762bd02ade6e0b1
SHA512

454a6ae52c684074b80f994a9e7c841b44d47811b1d07985a21b7cf8c5ddc7053558cfc9e0857e7513ac188b8e47f7558fe976f60aefc137823e63b231a660fe
SSDEEP

3072:uNcpYKEMRRB4EtgYosZVTdQohNTRlpa1zvRVg8pXAd9yE2iDqN3qmVjuZ:uNqrX/EYVZ7pau8pQy/i8s

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/3068-8-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/2140-19-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/1144-87-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/2140-189-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2140-1-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/3068-7-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/3068-6-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/3068-8-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2140-19-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1144-87-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2140-189-0x0000000000400000-0x000000000044B000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d473334c10fbb5e8b68e452f82492845_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d473334c10fbb5e8b68e452f82492845_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d473334c10fbb5e8b68e452f82492845_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 3068	2140	d473334c10fbb5e8b68e452f82492845_JaffaCakes118.exe	30
PID 2140 wrote to memory of 3068	2140	d473334c10fbb5e8b68e452f82492845_JaffaCakes118.exe	30
PID 2140 wrote to memory of 3068	2140	d473334c10fbb5e8b68e452f82492845_JaffaCakes118.exe	30
PID 2140 wrote to memory of 3068	2140	d473334c10fbb5e8b68e452f82492845_JaffaCakes118.exe	30
PID 2140 wrote to memory of 1144	2140	d473334c10fbb5e8b68e452f82492845_JaffaCakes118.exe	33
PID 2140 wrote to memory of 1144	2140	d473334c10fbb5e8b68e452f82492845_JaffaCakes118.exe	33
PID 2140 wrote to memory of 1144	2140	d473334c10fbb5e8b68e452f82492845_JaffaCakes118.exe	33
PID 2140 wrote to memory of 1144	2140	d473334c10fbb5e8b68e452f82492845_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\d473334c10fbb5e8b68e452f82492845_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d473334c10fbb5e8b68e452f82492845_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Users\Admin\AppData\Local\Temp\d473334c10fbb5e8b68e452f82492845_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d473334c10fbb5e8b68e452f82492845_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3068
- C:\Users\Admin\AppData\Local\Temp\d473334c10fbb5e8b68e452f82492845_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d473334c10fbb5e8b68e452f82492845_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\6F83.D10

Filesize
597B

MD5
2b192c88b7a3bd95358fbef79b011b5a

SHA1
e406da3c101e83799d972bea478ad99676a36a4a

SHA256
c91f8a0d40f1e2ce16cb605605b03c5991b8cf38295ca8fa6963653f5b009eea

SHA512
1a3b145fa306117dc531df827339ad6af5b0ec4c2094b2a39a392acf1ad91a5f8ce811e3e33cf3a56c49d273566c5b38b871906fae0a579b5b9a3b7bb342ba61

Download Submit
C:\Users\Admin\AppData\Roaming\6F83.D10

Filesize
1KB

MD5
28be50c8fe8055fe4ac910b3aa0453e4

SHA1
376b932e2c85da5523b15e8553ff3d73a4f6700c

SHA256
d566446782b81e24fd8b06af3a01d23b234e952946d57d152b0224053f1c07ed

SHA512
b0f339d064355dc9a459a17e63f8c63f5aa227a39320765b79cc485d3335350e9d73f2b2bb5735f4a4f933d9bb502d0073dfa0a2a6a4fab87e2c39a2f3821948

Download Submit
C:\Users\Admin\AppData\Roaming\6F83.D10

Filesize
897B

MD5
853fc78035db51891c35342ceae97cb6

SHA1
e3b3170df51545bee7ab485d932b23c71cc80b2b

SHA256
7df31ee6592150f4d8955d350fa27e9d0cee6a0f0b6e778ab0029e92efb38117

SHA512
6ecb3c6eeac84aa12291f8849a7a90d38d1a893ca8adceaff723d8c131a3e5f501cdf979ab33d819d6da22a2a5fe84125d23a80e64e2659b6da307dab5ea5b4d

Download Submit
C:\Users\Admin\AppData\Roaming\6F83.D10

Filesize
1KB

MD5
76a230cd5ce013caf43d88f3f1228f52

SHA1
e88a078e226e2b27bc05d6308399ffb21c625de0

SHA256
386c909dc79e95fe880adf61e4686cd62a196bc69c68cb40ff386d8b205c7a91

SHA512
02f6ff5be9bca9194780b9632658836bd463c2dcd5ecb1cc1bf6ae16cc3bf800c0e231e96a3e954559dfd7ae128a00afb6c459f7f2f88e6aba179e9c282fe711

Download Submit
memory/1144-85-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1144-87-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2140-1-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2140-19-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2140-189-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3068-7-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3068-6-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3068-8-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing