cycbot | a514b1f8445283de553ab005cf3a6d3936e72a61317a1e383712e5b88600de00

General

Target

d54dd394db41cf95dca5d9d1f07e544c_JaffaCakes118.exe
Size

175KB
MD5

d54dd394db41cf95dca5d9d1f07e544c
SHA1

79ff14e4d6d286d3e9e714d7adf5f1e23c4b5555
SHA256

a514b1f8445283de553ab005cf3a6d3936e72a61317a1e383712e5b88600de00
SHA512

ee2a83e14aaf33fd2cfb2c4df5a38c37b5a0f2afd3972fe4c2403e5ba94f74f7c744654731b6695b6ef0c26d4fa06e1c9f22273b0f21698952d23d9aefcb1cf2
SSDEEP

3072:uiqHCjjlKzGif18TNDKtgaguyTqkBod96P+AY5TxcunFpGlTT:rqHKczD8T5KtgpzqoY9o+F5NccsT

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2828-7-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/2716-15-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/2716-79-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/1140-81-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/2716-183-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2716-2-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2828-5-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2828-7-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2716-15-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2716-79-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1140-81-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2716-183-0x0000000000400000-0x000000000044B000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d54dd394db41cf95dca5d9d1f07e544c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d54dd394db41cf95dca5d9d1f07e544c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d54dd394db41cf95dca5d9d1f07e544c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 2828	2716	d54dd394db41cf95dca5d9d1f07e544c_JaffaCakes118.exe	30
PID 2716 wrote to memory of 2828	2716	d54dd394db41cf95dca5d9d1f07e544c_JaffaCakes118.exe	30
PID 2716 wrote to memory of 2828	2716	d54dd394db41cf95dca5d9d1f07e544c_JaffaCakes118.exe	30
PID 2716 wrote to memory of 2828	2716	d54dd394db41cf95dca5d9d1f07e544c_JaffaCakes118.exe	30
PID 2716 wrote to memory of 1140	2716	d54dd394db41cf95dca5d9d1f07e544c_JaffaCakes118.exe	32
PID 2716 wrote to memory of 1140	2716	d54dd394db41cf95dca5d9d1f07e544c_JaffaCakes118.exe	32
PID 2716 wrote to memory of 1140	2716	d54dd394db41cf95dca5d9d1f07e544c_JaffaCakes118.exe	32
PID 2716 wrote to memory of 1140	2716	d54dd394db41cf95dca5d9d1f07e544c_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\d54dd394db41cf95dca5d9d1f07e544c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d54dd394db41cf95dca5d9d1f07e544c_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Users\Admin\AppData\Local\Temp\d54dd394db41cf95dca5d9d1f07e544c_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d54dd394db41cf95dca5d9d1f07e544c_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2828
- C:\Users\Admin\AppData\Local\Temp\d54dd394db41cf95dca5d9d1f07e544c_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d54dd394db41cf95dca5d9d1f07e544c_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\1D03.DAA

Filesize
1KB

MD5
d3e23b63a44e44e934b56608d51b61cb

SHA1
07e489378453335f481b41e85893c36e78dcdd5f

SHA256
d9cb3e55e0e8086c4b64a5c683e54e9b5abb90ec0ecbaaf0ba5c41146c46d8b7

SHA512
f9c3db29a242b2d9a3b2515c5999f81c167fc76d61c9ec90722277f883d151a0202b017d3649c99cb54af0a87b5fac50738f21a0467b1910aad27e2694adfc9f

Download Submit
C:\Users\Admin\AppData\Roaming\1D03.DAA

Filesize
600B

MD5
140de9823d4b26aa7a95e53c85bc0a0c

SHA1
665441e9492a78c19095e0ce8bdda9c079cf5d26

SHA256
14d98dba00959a002656ae463e3b7ff5f1e929461b9d22bc2a16299fd987098e

SHA512
1eecf46d07d42e0e8f6ca313d0d75688b0766ad15ada8c38002e3d6638757c465fec865a0ab74959219976d4a7246a19fb0cdcf98bed0eb917ffda45ad82da8f

Download Submit
C:\Users\Admin\AppData\Roaming\1D03.DAA

Filesize
996B

MD5
564c1fab6034dd23babb7e28d5e41e15

SHA1
7e3f94a574cd5b3f94560e42785aefa9d13c0e7f

SHA256
be75bb1880f47a5296206b2fe18c6bc6ed150e0ccbfa853b2c6bdb038957c631

SHA512
77bc96879aa994d31812829e8187168a5e8dd34f960093b14d204c7baab5e227ce8c90dd34812eafd7eaad63f03ceb0b9d10db66df4b2655e3ac9262f956a71b

Download Submit
memory/1140-81-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2716-1-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2716-2-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2716-15-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2716-79-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2716-183-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2828-5-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2828-7-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing