cycbot | 8ccce028916c95e6a57c78c86c010834653f4723401135afbf49c9a2f62bd1f7

General

Target

e315dcdf0c2d2ca9bc113a0f41b5631c_JaffaCakes118.exe
Size

210KB
MD5

e315dcdf0c2d2ca9bc113a0f41b5631c
SHA1

dac5ece3896c5363815d4ae5d67d0ea4057f6598
SHA256

8ccce028916c95e6a57c78c86c010834653f4723401135afbf49c9a2f62bd1f7
SHA512

443cee5cfaca54aca1975664252aa98bc778fb50bde1f6e0a198071fa1d60b4041848998dd9c17a34628757e3351e93bae1b347e7160c151b9822575650436bb
SSDEEP

3072:1jy+Jc2pW+ycmY9DKbzjvQtfbUgUCD8khVC2gx4ivWC76P5i07pZXGq6UR8Xbf7x:ZJJFmY9s5uHC2OVUnUqq68J

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2968-6-0x0000000000400000-0x000000000044F000-memory.dmp	family_cycbot
behavioral1/memory/2688-14-0x0000000000400000-0x000000000044F000-memory.dmp	family_cycbot
behavioral1/memory/2720-72-0x0000000000400000-0x000000000044F000-memory.dmp	family_cycbot
behavioral1/memory/2688-170-0x0000000000400000-0x000000000044F000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2688-1-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2968-5-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2968-6-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2688-14-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2720-71-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2720-72-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2688-170-0x0000000000400000-0x000000000044F000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e315dcdf0c2d2ca9bc113a0f41b5631c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e315dcdf0c2d2ca9bc113a0f41b5631c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e315dcdf0c2d2ca9bc113a0f41b5631c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 2968	2688	e315dcdf0c2d2ca9bc113a0f41b5631c_JaffaCakes118.exe	31
PID 2688 wrote to memory of 2968	2688	e315dcdf0c2d2ca9bc113a0f41b5631c_JaffaCakes118.exe	31
PID 2688 wrote to memory of 2968	2688	e315dcdf0c2d2ca9bc113a0f41b5631c_JaffaCakes118.exe	31
PID 2688 wrote to memory of 2968	2688	e315dcdf0c2d2ca9bc113a0f41b5631c_JaffaCakes118.exe	31
PID 2688 wrote to memory of 2720	2688	e315dcdf0c2d2ca9bc113a0f41b5631c_JaffaCakes118.exe	33
PID 2688 wrote to memory of 2720	2688	e315dcdf0c2d2ca9bc113a0f41b5631c_JaffaCakes118.exe	33
PID 2688 wrote to memory of 2720	2688	e315dcdf0c2d2ca9bc113a0f41b5631c_JaffaCakes118.exe	33
PID 2688 wrote to memory of 2720	2688	e315dcdf0c2d2ca9bc113a0f41b5631c_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\e315dcdf0c2d2ca9bc113a0f41b5631c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e315dcdf0c2d2ca9bc113a0f41b5631c_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Users\Admin\AppData\Local\Temp\e315dcdf0c2d2ca9bc113a0f41b5631c_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\e315dcdf0c2d2ca9bc113a0f41b5631c_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2968
- C:\Users\Admin\AppData\Local\Temp\e315dcdf0c2d2ca9bc113a0f41b5631c_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\e315dcdf0c2d2ca9bc113a0f41b5631c_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\1D71.D4F

Filesize
1KB

MD5
89e1ff2fc409e5070a99177356dfe0ee

SHA1
1d154691884540a66b998bc3b826d3e40581f1c5

SHA256
97f7d9a8b400a61e814129e164b2e018669d5f0a3839b3acf7fecdc3a9e9509f

SHA512
01e4ecab233117f779ccc3e63ffff4ba69b6693b7186505120458dbde494c03e6a9a44781e5c8a9245f6b27df6277da7c985c77fad60f7b99a8079373e2e61df

Download Submit
C:\Users\Admin\AppData\Roaming\1D71.D4F

Filesize
600B

MD5
a6b96a535f0e29137c6315b99e6fae3a

SHA1
f020f4951360147bfaa5154f96d7cb78fa1ca23b

SHA256
756f4f2283c17e9e573a7f1bbb749019080c34e0bead28f866f1f0e9a0658f91

SHA512
2745bacbe342b2a4130f2f6ba3da963fcb5df617fc354013dd3bba3717802ef2acac7a465ca110f6bd3401b6371cd5c5535f04f35c04f902383a2b17b5c7b405

Download Submit
C:\Users\Admin\AppData\Roaming\1D71.D4F

Filesize
996B

MD5
5e65a3198079a38f034781d9e939a376

SHA1
8c358b1f8b5cfbe00554b91e0c9070740e410167

SHA256
ecbead32bed2662ab2affda4af3bd53b7da2da3cf4c8dcc263968e882b173999

SHA512
8315cf3d1219648f2e2bfb23eec23de560258ba9537b9893d625e87a8a49bc7b8379f03e05f75bfd24cef8c6498c191559223201a8037d5ea16a38a6c18a7ef0

Download Submit
memory/2688-1-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2688-14-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2688-170-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2720-71-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2720-72-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2968-4-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2968-5-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2968-6-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download

Analysis

Sharing