cycbot | bd4b7960ce2b22637c5aaab2375a408adaf6df83cbb3225243697e6da434accb

General

Target

d5da4effb15b169bcc2f077601e1917b_JaffaCakes118.exe
Size

181KB
MD5

d5da4effb15b169bcc2f077601e1917b
SHA1

f30981bd956fe700e40754da40e1edbfa030ad5c
SHA256

bd4b7960ce2b22637c5aaab2375a408adaf6df83cbb3225243697e6da434accb
SHA512

77886b4900d5e2fd7b606bc2f8f2e1475d2b579b9df0b338dcfe5494c6ef5a2d3a938bf25820b424430fa7dd566212e8497a5e113ae477eb1b0d3cb5482f26d7
SSDEEP

3072:X1kLuoetGSs89EPMuJx+32JWVDNHv73lexURVQcW1rF4NBeDb:X1kuNtm/EuSxZf+cDB6b

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2844-12-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/2876-13-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/1968-74-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/2876-188-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2876-2-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2844-12-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2876-13-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/1968-74-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2876-188-0x0000000000400000-0x000000000044E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5da4effb15b169bcc2f077601e1917b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5da4effb15b169bcc2f077601e1917b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5da4effb15b169bcc2f077601e1917b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2844	2876	d5da4effb15b169bcc2f077601e1917b_JaffaCakes118.exe	30
PID 2876 wrote to memory of 2844	2876	d5da4effb15b169bcc2f077601e1917b_JaffaCakes118.exe	30
PID 2876 wrote to memory of 2844	2876	d5da4effb15b169bcc2f077601e1917b_JaffaCakes118.exe	30
PID 2876 wrote to memory of 2844	2876	d5da4effb15b169bcc2f077601e1917b_JaffaCakes118.exe	30
PID 2876 wrote to memory of 1968	2876	d5da4effb15b169bcc2f077601e1917b_JaffaCakes118.exe	32
PID 2876 wrote to memory of 1968	2876	d5da4effb15b169bcc2f077601e1917b_JaffaCakes118.exe	32
PID 2876 wrote to memory of 1968	2876	d5da4effb15b169bcc2f077601e1917b_JaffaCakes118.exe	32
PID 2876 wrote to memory of 1968	2876	d5da4effb15b169bcc2f077601e1917b_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\d5da4effb15b169bcc2f077601e1917b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d5da4effb15b169bcc2f077601e1917b_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Users\Admin\AppData\Local\Temp\d5da4effb15b169bcc2f077601e1917b_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d5da4effb15b169bcc2f077601e1917b_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2844
- C:\Users\Admin\AppData\Local\Temp\d5da4effb15b169bcc2f077601e1917b_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d5da4effb15b169bcc2f077601e1917b_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\2A44.1EF

Filesize
600B

MD5
c07bca8698ac65ea3661ed85ff6d8b4f

SHA1
821ec64f3393a1ce9ca6dd2584195a9a8b9c6099

SHA256
8125fafb6e0171672f279aa98dba82002a7caa271cee13516610dbdd6c1931a2

SHA512
ef44b72974c686489b7e3f5bec036e505454d75c9c99da53eb3c4ed4921dd19e4e155698452650343e6b1a958c99e284278a58a2781e956549ae2cf3d06c1aed

Download Submit
C:\Users\Admin\AppData\Roaming\2A44.1EF

Filesize
1KB

MD5
9b9411383107838802d9d9e7dc686b04

SHA1
197ded2e73a8ea38cb1e7834eba63681e23d87df

SHA256
ad9dd2737ffeb5963b7f9301652108f333d5031dcae6920f36db14e913f0baac

SHA512
dbe64440420c7ef5adc62c208955d06aaeb78cafa4db09d2cb00131e5f683de367c817e1ef1f8049d5b5e5b04b440488d59ca5dbf96b68a1fe017a16251d7f7c

Download Submit
C:\Users\Admin\AppData\Roaming\2A44.1EF

Filesize
996B

MD5
a6290796f9853d2185355c3d737b3260

SHA1
b47303763e1773f6e64a2b850b090c4d0af77952

SHA256
36e63e227ca43ffd7f701eebcbf425d4ffd511b7e79e68213be94c75c858803d

SHA512
352703b78c4a1046bbe884ab233930c34113fd4a51bd8d8ad6c3a521b6acb76289b5d8994721cbad2e7b50a8158ef13bc28135ee3cfcc3a2663f26983d2e9704

Download Submit
memory/1968-74-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2844-12-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2876-1-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2876-2-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2876-13-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2876-188-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing