cycbot | 2ba503e949b0ffe0f34c9f272876d601ddfe6f62ae2905417cd94b967306a750

General

Target

dd19c08d2ad1c79437f2eba0aeed98c7_JaffaCakes118.exe
Size

181KB
MD5

dd19c08d2ad1c79437f2eba0aeed98c7
SHA1

bdf3e836add280221b737da34910547de40487a1
SHA256

2ba503e949b0ffe0f34c9f272876d601ddfe6f62ae2905417cd94b967306a750
SHA512

5c5ba89433a462870a8c73068a7170868a3d21fb8ae40fc6a5583de580c146d47e4755d18650ac7271acbfbf0e3128a1ef77dae3554c5f3ec0cbddd766080de8
SSDEEP

3072:qOm0gxELrERz+q2CloFU5uPQnRVifWRRKVxYYVxZQEvOU62BgWMYk:qagxAm+q2GVuPGRVi+XqLBvO1Zrj

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/3052-7-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/1920-15-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/2692-78-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot
behavioral1/memory/1920-182-0x0000000000400000-0x000000000044B000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1920-2-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/3052-5-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/3052-7-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1920-15-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2692-78-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1920-182-0x0000000000400000-0x000000000044B000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd19c08d2ad1c79437f2eba0aeed98c7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd19c08d2ad1c79437f2eba0aeed98c7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd19c08d2ad1c79437f2eba0aeed98c7_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 3052	1920	dd19c08d2ad1c79437f2eba0aeed98c7_JaffaCakes118.exe	30
PID 1920 wrote to memory of 3052	1920	dd19c08d2ad1c79437f2eba0aeed98c7_JaffaCakes118.exe	30
PID 1920 wrote to memory of 3052	1920	dd19c08d2ad1c79437f2eba0aeed98c7_JaffaCakes118.exe	30
PID 1920 wrote to memory of 3052	1920	dd19c08d2ad1c79437f2eba0aeed98c7_JaffaCakes118.exe	30
PID 1920 wrote to memory of 2692	1920	dd19c08d2ad1c79437f2eba0aeed98c7_JaffaCakes118.exe	32
PID 1920 wrote to memory of 2692	1920	dd19c08d2ad1c79437f2eba0aeed98c7_JaffaCakes118.exe	32
PID 1920 wrote to memory of 2692	1920	dd19c08d2ad1c79437f2eba0aeed98c7_JaffaCakes118.exe	32
PID 1920 wrote to memory of 2692	1920	dd19c08d2ad1c79437f2eba0aeed98c7_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\dd19c08d2ad1c79437f2eba0aeed98c7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dd19c08d2ad1c79437f2eba0aeed98c7_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Users\Admin\AppData\Local\Temp\dd19c08d2ad1c79437f2eba0aeed98c7_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\dd19c08d2ad1c79437f2eba0aeed98c7_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3052
- C:\Users\Admin\AppData\Local\Temp\dd19c08d2ad1c79437f2eba0aeed98c7_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\dd19c08d2ad1c79437f2eba0aeed98c7_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\A077.172

Filesize
600B

MD5
6f46ee753f5c388470e6538f755b7d22

SHA1
079ffac7d71d27d88059171c149692143d0912a4

SHA256
8b927d2ac202c19a2c24d85bba258317622a26191e4f20f4f802257c7ecd4fd3

SHA512
bda7e997bc13011b54f0934c55e1740fa3c162b60a9bac67174cfacf7a417ec22e89fb24b3e494d25aa5f71563b057849f148bc44bd2757334c0888c9ee9eddc

Download Submit
C:\Users\Admin\AppData\Roaming\A077.172

Filesize
1KB

MD5
e836d2f0059aa942c9fa0a66a9871596

SHA1
bb9d706c6017a1e063034e36e4d9dd23ec658131

SHA256
4e9bfc4df6935e95747241bce45080c8402869c4947d04a5761097df541e40b7

SHA512
8e6d649abe06c8de9a5ec71d2e9de5e909ea7f0837f40ba8156f3ffc69056bfe5e1818d5694d83ba71776dae45f7c09b8846525dc41374bd8944f9e002d8dcdf

Download Submit
C:\Users\Admin\AppData\Roaming\A077.172

Filesize
996B

MD5
49a95fabc1d1532507c7e4e0180ea4d8

SHA1
5adf8d86bc4e8b6acf8c9a0d064432442bd4f2a5

SHA256
ee3b7a3e23291d274ffac3d3567823b7515b9b9e2304418fb81f31d2cda6c976

SHA512
3ec1bc19309c42071adaface1a61273decfb61a6da58d979fca1fc9ba7e5c161f79e62a991ef8e36f190939c6629e68ca01247975ff0b03597cd1b1d9f84fd51

Download Submit
memory/1920-1-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1920-2-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1920-15-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1920-182-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2692-78-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3052-5-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3052-7-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing