cycbot | 3c2f4d5670d70eb07264e142c870f66d168842cf6f9e783e7a41093f2f27566f

General

Target

e071758cda118bd560e386cc346afc0d_JaffaCakes118.exe
Size

193KB
MD5

e071758cda118bd560e386cc346afc0d
SHA1

0542052593e85c5aca8fd0f7a98e4ed6c24ad861
SHA256

3c2f4d5670d70eb07264e142c870f66d168842cf6f9e783e7a41093f2f27566f
SHA512

7b7c04f719b27ef47d45d1dc821e0b51a8ab47ed2c9bf6a04f668b577dbaad58e86b094bd18f3edfceaee605c00534f7d2012c0cdfd771d6342a5bb513b6e7af
SSDEEP

6144:scWG2K8+lZjDVanO1xzJscAjMd3V2ezaz4v90du:sVGFrnt1kAza8vwu

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2708-13-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/2088-14-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/2232-73-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/2088-172-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2088-2-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2708-12-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2708-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2088-14-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2232-73-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2088-172-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e071758cda118bd560e386cc346afc0d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e071758cda118bd560e386cc346afc0d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e071758cda118bd560e386cc346afc0d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 2708	2088	e071758cda118bd560e386cc346afc0d_JaffaCakes118.exe	30
PID 2088 wrote to memory of 2708	2088	e071758cda118bd560e386cc346afc0d_JaffaCakes118.exe	30
PID 2088 wrote to memory of 2708	2088	e071758cda118bd560e386cc346afc0d_JaffaCakes118.exe	30
PID 2088 wrote to memory of 2708	2088	e071758cda118bd560e386cc346afc0d_JaffaCakes118.exe	30
PID 2088 wrote to memory of 2232	2088	e071758cda118bd560e386cc346afc0d_JaffaCakes118.exe	32
PID 2088 wrote to memory of 2232	2088	e071758cda118bd560e386cc346afc0d_JaffaCakes118.exe	32
PID 2088 wrote to memory of 2232	2088	e071758cda118bd560e386cc346afc0d_JaffaCakes118.exe	32
PID 2088 wrote to memory of 2232	2088	e071758cda118bd560e386cc346afc0d_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\e071758cda118bd560e386cc346afc0d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e071758cda118bd560e386cc346afc0d_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Users\Admin\AppData\Local\Temp\e071758cda118bd560e386cc346afc0d_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\e071758cda118bd560e386cc346afc0d_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2708
- C:\Users\Admin\AppData\Local\Temp\e071758cda118bd560e386cc346afc0d_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\e071758cda118bd560e386cc346afc0d_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AEAD.44D

Filesize
1KB

MD5
6c757aad329ea2ddafdddaea5c7b0938

SHA1
018fa94b4ab032f58f3bb04e2d719a0ecae0e9bb

SHA256
f33dd272f14a7c6edc63681bb852b99b4da99b8dc798ebb4f56189d195fc8805

SHA512
e706db9d75d83466f8cfd8584345837cf4b3c3382ffb543d1ab3857031702e0e2c9f44a12545a093b36b7804009bc40b5be309176e088b48ba78182f6739645d

Download Submit
C:\Users\Admin\AppData\Roaming\AEAD.44D

Filesize
600B

MD5
1ace0ed5246777a9ce4e4ff075e2eae8

SHA1
9a4738a4dbab1f24002f8253f133e9ad31cb6f6f

SHA256
a92fa6e7f12ccdef444115b57083e52ec66eaa93756b7c98d2621dd1896465c7

SHA512
51bea036d02e397457835e4dd748e22fbf05731f3c3644021d8f425926dc7a3fb674f7afcf155463b35fe2fd2a495d3d2b903d8c1b2fe1e783f9151c38a04b7d

Download Submit
memory/2088-1-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2088-2-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2088-14-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2088-172-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2232-73-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2708-12-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2708-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing