cycbot | 762df47eebb891520784292b2a8d1b3be226cd07758d795dc4f92c64a08302cf

General

Target

d5e21c7e4e38da25440dde05bd77252b_JaffaCakes118.exe
Size

194KB
MD5

d5e21c7e4e38da25440dde05bd77252b
SHA1

09f7513476e57695ade71a788ed5671667974100
SHA256

762df47eebb891520784292b2a8d1b3be226cd07758d795dc4f92c64a08302cf
SHA512

9c854f8f3a1170ab2049eb4a1c4536659129edb8a4e731b44dc96271b4799450f19d0324cabe36b85c741f7137d12c662624178f9979af473b13304a424ccef8
SSDEEP

6144:ht15RY73OI0Gz5YWdUIckYzp8mDjyw/uQ:hBRaIMYMUIcrzWwjy7Q

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2984-14-0x0000000000400000-0x0000000000471000-memory.dmp	family_cycbot
behavioral1/memory/1940-15-0x0000000000400000-0x0000000000471000-memory.dmp	family_cycbot
behavioral1/memory/2888-88-0x0000000000400000-0x0000000000471000-memory.dmp	family_cycbot
behavioral1/memory/1940-163-0x0000000000400000-0x0000000000471000-memory.dmp	family_cycbot
behavioral1/memory/1940-200-0x0000000000400000-0x0000000000471000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1940-2-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral1/memory/2984-14-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral1/memory/2984-12-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral1/memory/1940-15-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral1/memory/2888-87-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral1/memory/2888-88-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral1/memory/1940-163-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral1/memory/1940-200-0x0000000000400000-0x0000000000471000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5e21c7e4e38da25440dde05bd77252b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 2984	1940	d5e21c7e4e38da25440dde05bd77252b_JaffaCakes118.exe	30
PID 1940 wrote to memory of 2984	1940	d5e21c7e4e38da25440dde05bd77252b_JaffaCakes118.exe	30
PID 1940 wrote to memory of 2984	1940	d5e21c7e4e38da25440dde05bd77252b_JaffaCakes118.exe	30
PID 1940 wrote to memory of 2984	1940	d5e21c7e4e38da25440dde05bd77252b_JaffaCakes118.exe	30
PID 1940 wrote to memory of 2888	1940	d5e21c7e4e38da25440dde05bd77252b_JaffaCakes118.exe	32
PID 1940 wrote to memory of 2888	1940	d5e21c7e4e38da25440dde05bd77252b_JaffaCakes118.exe	32
PID 1940 wrote to memory of 2888	1940	d5e21c7e4e38da25440dde05bd77252b_JaffaCakes118.exe	32
PID 1940 wrote to memory of 2888	1940	d5e21c7e4e38da25440dde05bd77252b_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\d5e21c7e4e38da25440dde05bd77252b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d5e21c7e4e38da25440dde05bd77252b_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Users\Admin\AppData\Local\Temp\d5e21c7e4e38da25440dde05bd77252b_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d5e21c7e4e38da25440dde05bd77252b_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  PID:2984
- C:\Users\Admin\AppData\Local\Temp\d5e21c7e4e38da25440dde05bd77252b_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d5e21c7e4e38da25440dde05bd77252b_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\8FD6.592

Filesize
600B

MD5
3008c8f9efc53b6be853f99fa89d6d1a

SHA1
ab3f1a448082ff169c8eb0261b932cea8f6798d9

SHA256
7c7c7bb0d3a0b72df67690f4926fb756bd70e0ed1c4d19ed89e6bef086c0f30d

SHA512
40271438a88881c57764f95e0f370b5b26722e1df06507832527731c8e548950a61edab39e5a3c412ab415315e7cb72583ceae8ca3b466a56e57b9a56e876657

Download Submit
C:\Users\Admin\AppData\Roaming\8FD6.592

Filesize
1KB

MD5
270f774fdfae5f1dfc47c9b6a91a49a6

SHA1
8f8af7cf9de4a64a1457bf9bd34d04e0846a47ee

SHA256
62d94495ed16810bf02d836c7c09985b36d8f2be25fe9abf2464495e3e971ea9

SHA512
688b990a02077f6c59b6e7eb9130555cf56c5a54303ecbc2b80214c854f0769a4febbf2e28093ad1dafdf92a3ba517827de06d6d286ee4c058362c931efff2a8

Download Submit
C:\Users\Admin\AppData\Roaming\8FD6.592

Filesize
996B

MD5
2dc87dc6bd4e724b4d96a2112e8d1477

SHA1
88da874d12fc86801eb9524840e3676e132a37c1

SHA256
694428aeed4ffd96d3f50880439ec793c9e4d8c114a6dfb317735b66cefe026a

SHA512
8fa342f4104cce935afa6e051599edd89f50c4f0433531cb001c8fe5450fcb2a979e2e05e4ad4db2f56f39bd5123e6582a7b21f1e723a0d47f401f5af2d81013

Download Submit
memory/1940-1-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1940-2-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1940-15-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1940-163-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1940-200-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2888-87-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2888-88-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2984-14-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2984-12-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing