cycbot | b1c009523e7737a3943d0e8cf838315d65a27e3e6bcf5cb4a475a48c9396d89e

General

Target

e2b6b4ba492e29d1f371cd7ee6009481_JaffaCakes118.exe
Size

164KB
MD5

e2b6b4ba492e29d1f371cd7ee6009481
SHA1

bd9a29a0373119f5b57b5cd0036f189031d74d05
SHA256

b1c009523e7737a3943d0e8cf838315d65a27e3e6bcf5cb4a475a48c9396d89e
SHA512

248a60a27646802e179e9d384dbdf87d144f31e80a52b5f392608f47faf0826807ea559f9e586c312461fb4c388009d7d6f89a5414159b44960efbcb5d518504
SSDEEP

3072:4E1OQ5robrIkju3n6LrL0p/doKH6NHeNcfEForE8EDFjmyNds+Bgy:4kncLju36LrLc/7hNhoADhmyNdVBgy

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2224-6-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot
behavioral1/memory/3060-14-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot
behavioral1/memory/2356-81-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot
behavioral1/memory/3060-184-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3060-2-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2224-6-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2224-5-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/3060-14-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2356-81-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/3060-184-0x0000000000400000-0x0000000000468000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2b6b4ba492e29d1f371cd7ee6009481_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2b6b4ba492e29d1f371cd7ee6009481_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2b6b4ba492e29d1f371cd7ee6009481_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 2224	3060	e2b6b4ba492e29d1f371cd7ee6009481_JaffaCakes118.exe	30
PID 3060 wrote to memory of 2224	3060	e2b6b4ba492e29d1f371cd7ee6009481_JaffaCakes118.exe	30
PID 3060 wrote to memory of 2224	3060	e2b6b4ba492e29d1f371cd7ee6009481_JaffaCakes118.exe	30
PID 3060 wrote to memory of 2224	3060	e2b6b4ba492e29d1f371cd7ee6009481_JaffaCakes118.exe	30
PID 3060 wrote to memory of 2356	3060	e2b6b4ba492e29d1f371cd7ee6009481_JaffaCakes118.exe	33
PID 3060 wrote to memory of 2356	3060	e2b6b4ba492e29d1f371cd7ee6009481_JaffaCakes118.exe	33
PID 3060 wrote to memory of 2356	3060	e2b6b4ba492e29d1f371cd7ee6009481_JaffaCakes118.exe	33
PID 3060 wrote to memory of 2356	3060	e2b6b4ba492e29d1f371cd7ee6009481_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\e2b6b4ba492e29d1f371cd7ee6009481_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e2b6b4ba492e29d1f371cd7ee6009481_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Users\Admin\AppData\Local\Temp\e2b6b4ba492e29d1f371cd7ee6009481_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\e2b6b4ba492e29d1f371cd7ee6009481_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2224
- C:\Users\Admin\AppData\Local\Temp\e2b6b4ba492e29d1f371cd7ee6009481_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\e2b6b4ba492e29d1f371cd7ee6009481_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\DEF4.2F7

Filesize
1KB

MD5
ca03956ac09d4a5663ba9996cd38d133

SHA1
ac744cd92f44250d351817adc896d24bbff02f33

SHA256
a798fa286353a107f0bb04b1c4c4424e1794583c09d70f6517523ff525eec24f

SHA512
317266b488a81f505f58d542419f253af1c8ce83be031a956a2c5c5aab6e676bd3f39e118f9b88628330831bed9a1d068f83919c9d5d4beff5990c619c89f29c

Download Submit
C:\Users\Admin\AppData\Roaming\DEF4.2F7

Filesize
600B

MD5
4485dc8bc3d5b0e7a10218523fff4142

SHA1
aefb254f611240d9f5b1b80b195357fc850618e1

SHA256
01c8cfd89f9659f86c6aa5c85448c0ce9ce86529b71774be86fda9dd448654da

SHA512
d6fa216cfcfc47ec634bebba812dcb5fcf23b79e0205520a385d8035e82cd6d33739e2a4a4d10a08e1087092cd1e351b8a0be95240c4f4a046a6c52c02b53fde

Download Submit
C:\Users\Admin\AppData\Roaming\DEF4.2F7

Filesize
996B

MD5
6321cab05a0b23cc86feae42bdb70ce2

SHA1
9824f7c545869500d001499493e5396abc0f6135

SHA256
4d91c4cdb8f4b2b1e10882ccd1950ec5a4fdca22a27ddd21419c966982f0109a

SHA512
b087d4f1b2ec96e088dba9bb25d69b08b10f11eedbe3519b9f0323119c075552686f81f5fe8424f0071fb4ad3b413834355e9543e4d682f9b191ca5b0336a60e

Download Submit
memory/2224-6-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2224-5-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2356-81-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3060-1-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3060-2-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3060-14-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3060-184-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing