cycbot | a713ab6986f9c21944f0ee01c7fe5c4cd0c9291507e2c2d7e3e8f30c8b858c1d

General

Target

dfe1ef46d25884363e819d7f0098903d_JaffaCakes118.exe
Size

164KB
MD5

dfe1ef46d25884363e819d7f0098903d
SHA1

ae3e06a4d768971c59fd6f6e169330d076b88932
SHA256

a713ab6986f9c21944f0ee01c7fe5c4cd0c9291507e2c2d7e3e8f30c8b858c1d
SHA512

bedbd53664494efbe754fd3ea401f17e4dddacc96286c0a12be05c0b12828877df3a9a3c5917968773cd82888b474667e6dab5cd8bb359bdddc0470d76eff37a
SSDEEP

3072:L4urZQ8GkP9rSVL/hGcShwLxJzaBD3M8tTAtc1RhrSHul+muhqbY4ZLDWasu8cT8:EcF5uZ9g8xJIlitc1RhrSHZtwLDlsub

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2356-7-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot
behavioral1/memory/2432-15-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot
behavioral1/memory/2352-82-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot
behavioral1/memory/2432-196-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2432-2-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2356-5-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2356-7-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2432-15-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2352-80-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2352-82-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2432-196-0x0000000000400000-0x0000000000468000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dfe1ef46d25884363e819d7f0098903d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dfe1ef46d25884363e819d7f0098903d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dfe1ef46d25884363e819d7f0098903d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 2356	2432	dfe1ef46d25884363e819d7f0098903d_JaffaCakes118.exe	30
PID 2432 wrote to memory of 2356	2432	dfe1ef46d25884363e819d7f0098903d_JaffaCakes118.exe	30
PID 2432 wrote to memory of 2356	2432	dfe1ef46d25884363e819d7f0098903d_JaffaCakes118.exe	30
PID 2432 wrote to memory of 2356	2432	dfe1ef46d25884363e819d7f0098903d_JaffaCakes118.exe	30
PID 2432 wrote to memory of 2352	2432	dfe1ef46d25884363e819d7f0098903d_JaffaCakes118.exe	32
PID 2432 wrote to memory of 2352	2432	dfe1ef46d25884363e819d7f0098903d_JaffaCakes118.exe	32
PID 2432 wrote to memory of 2352	2432	dfe1ef46d25884363e819d7f0098903d_JaffaCakes118.exe	32
PID 2432 wrote to memory of 2352	2432	dfe1ef46d25884363e819d7f0098903d_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\dfe1ef46d25884363e819d7f0098903d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dfe1ef46d25884363e819d7f0098903d_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Users\Admin\AppData\Local\Temp\dfe1ef46d25884363e819d7f0098903d_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\dfe1ef46d25884363e819d7f0098903d_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2356
- C:\Users\Admin\AppData\Local\Temp\dfe1ef46d25884363e819d7f0098903d_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\dfe1ef46d25884363e819d7f0098903d_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\4D7B.A1C

Filesize
1KB

MD5
c27eae477a204cc99cc2910a5242ed60

SHA1
63bdb2a9f6b8489787ecb30e2148b0fcc1528096

SHA256
29a002dfba8fb089fec264043d4c12ce8a3bd8312082af3a356ef3135b246e50

SHA512
1661692a2b29e807530347a0f035fa1bfef2c79481f30869eb24a6c10c374e1075d27c1e4d257bf6d604edc70db62ea5dc7477a4d7c763f385787e120e9f9da7

Download Submit
C:\Users\Admin\AppData\Roaming\4D7B.A1C

Filesize
600B

MD5
b18a69f58c79635db5097b33f9698ba2

SHA1
04b85dfaff5503578626a618a40f1e0c635a1f51

SHA256
3e68dc4290965ebfa91f0b542df16dda4a0452254b11c296c1587571d7602e14

SHA512
dab79109f0a492e6c9f4530823ea77a7dfae27d6a1b68b916d1d597d7653c48489f994926eea746a6f94a8876c5585418507e43099ce70a665fbe572d747febd

Download Submit
C:\Users\Admin\AppData\Roaming\4D7B.A1C

Filesize
996B

MD5
b5be829220961316b699d2a50c98f2f8

SHA1
d2e864bceddaa553c3f30025491093458c37d811

SHA256
4f081711e516b5ddf6c4acc3d45936bea1c585e5cad84d1207616a5874a2905b

SHA512
d634fd4d31ae15aac68718822dc9d64c242748c812266d270330e2b8918cf28ce34d638e04630a842cea8a0c58c164a7c796f211c9fb1993435352014e6d0100

Download Submit
memory/2352-80-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2352-82-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2356-5-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2356-7-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2432-1-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2432-2-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2432-15-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2432-196-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing