cycbot | 2c1143f1d1d109301d28442b96adc59a595ceddd79913320246055a0dc926d3e

General

Target

d88212051f8d56ed72e7c5fe1e405d11_JaffaCakes118.exe
Size

169KB
MD5

d88212051f8d56ed72e7c5fe1e405d11
SHA1

dcaf5b5b6912bbb81b0712b61b19effb47a4fce4
SHA256

2c1143f1d1d109301d28442b96adc59a595ceddd79913320246055a0dc926d3e
SHA512

4192f8363b0bfe811d63246257cc7246edc4c499a0f96103ca8861de45531f05c293f0dab9b96aabcf65f6ba1c5e9ff3e20e731d240c7ebcd6ef09e49f3448c4
SSDEEP

3072:oziYY2gmIzcwjbs11Mtcz8bFdMw7fqjahFGV6JGCSy:wXTL6Pk111ydMUYyC6JGL

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/768-13-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/768-12-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/1304-15-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/2988-82-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/1304-185-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1304-2-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/768-13-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/768-12-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1304-15-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2988-80-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2988-82-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1304-185-0x0000000000400000-0x000000000046C000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d88212051f8d56ed72e7c5fe1e405d11_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d88212051f8d56ed72e7c5fe1e405d11_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d88212051f8d56ed72e7c5fe1e405d11_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 768	1304	d88212051f8d56ed72e7c5fe1e405d11_JaffaCakes118.exe	30
PID 1304 wrote to memory of 768	1304	d88212051f8d56ed72e7c5fe1e405d11_JaffaCakes118.exe	30
PID 1304 wrote to memory of 768	1304	d88212051f8d56ed72e7c5fe1e405d11_JaffaCakes118.exe	30
PID 1304 wrote to memory of 768	1304	d88212051f8d56ed72e7c5fe1e405d11_JaffaCakes118.exe	30
PID 1304 wrote to memory of 2988	1304	d88212051f8d56ed72e7c5fe1e405d11_JaffaCakes118.exe	33
PID 1304 wrote to memory of 2988	1304	d88212051f8d56ed72e7c5fe1e405d11_JaffaCakes118.exe	33
PID 1304 wrote to memory of 2988	1304	d88212051f8d56ed72e7c5fe1e405d11_JaffaCakes118.exe	33
PID 1304 wrote to memory of 2988	1304	d88212051f8d56ed72e7c5fe1e405d11_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\d88212051f8d56ed72e7c5fe1e405d11_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d88212051f8d56ed72e7c5fe1e405d11_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Users\Admin\AppData\Local\Temp\d88212051f8d56ed72e7c5fe1e405d11_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d88212051f8d56ed72e7c5fe1e405d11_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:768
- C:\Users\Admin\AppData\Local\Temp\d88212051f8d56ed72e7c5fe1e405d11_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d88212051f8d56ed72e7c5fe1e405d11_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\F317.026

Filesize
1KB

MD5
c32e02992715fcbc3df9d965675cb87d

SHA1
aa7ea28d6c4354cc3d69578984e3601067d43a97

SHA256
2c11474d60090bb3b2d7121bd44fb854256a74befd5d3a440337bd441e9a5eb6

SHA512
0796fd18b194e697d480d6c30f3c4b65c98d8ed696946241ddfcebb72544c13221dbf137e0b9b489ad3e0db275571ec6a6daf9cb0e7487c29536efb10f009ca0

Download Submit
C:\Users\Admin\AppData\Roaming\F317.026

Filesize
600B

MD5
707b70d38a598e1ff78f53aa8b540b07

SHA1
0ec3dcb66d97dc653b29fe00137b1e3143e21627

SHA256
6d7be984374047942ddb1a4c945a64bb5878dbbcd494535e638a5ad65fff9798

SHA512
b1277a293239dfacff2bc9d5fbd3f027925a14196508423d41798a7006b6f068e8c73933b5402aeb5532e20a6131d9c6ab856fb7ea3ea72af9a7fa8c0fd70bf3

Download Submit
C:\Users\Admin\AppData\Roaming\F317.026

Filesize
996B

MD5
59dd2be6c0c3b0ecf0187f7ce20236d4

SHA1
0a126b688780279622293472fe6f531792c881e5

SHA256
03a5779c7cf43e64bc56b65912c4442c1ae8d488af8388a840b763dbac3c1875

SHA512
8aea60c652a1ac466746e73a0f58a9c51909f7ad068c023a655989496ebd81b8776efc96b0c202d983672ba8671d18f37c86d5fc7f19adb816205928c3c60fd7

Download Submit
memory/768-13-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/768-12-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1304-1-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1304-2-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1304-15-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1304-185-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2988-80-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2988-82-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing