cycbot | b2bee89ea5be46a0962f4903ac6e4fd0ca707a184dbdb8a6933727cf8fdf09b2

General

Target

e4a1c00327046576cd3c3c6168e3f503_JaffaCakes118.exe
Size

200KB
MD5

e4a1c00327046576cd3c3c6168e3f503
SHA1

501e789497a1a2267203ca294898c74f5863dbf8
SHA256

b2bee89ea5be46a0962f4903ac6e4fd0ca707a184dbdb8a6933727cf8fdf09b2
SHA512

f373b8df3518c30a51022140ed6fb418d9025aa6e32f126a079939a6602ebc82b92f56c632d040737b36e096a818bcbdbb867948ffb6d782740ccf048f3707f9
SSDEEP

3072:TGPLAxeBFvBllSvi0jpTTMVJ3REv8UDUSwbc3Wk2I1piCiNEI97atukXiXXoc:TGNBrSvi5Iv8nNo2IzSN3ZIc

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 8 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1680-3-0x0000000000400000-0x000000000044D000-memory.dmp	family_cycbot
behavioral1/memory/2936-6-0x0000000000400000-0x000000000044D000-memory.dmp	family_cycbot
behavioral1/memory/2936-7-0x0000000000400000-0x000000000044D000-memory.dmp	family_cycbot
behavioral1/memory/1680-14-0x0000000000400000-0x000000000044D000-memory.dmp	family_cycbot
behavioral1/memory/2064-80-0x0000000000400000-0x000000000044D000-memory.dmp	family_cycbot
behavioral1/memory/2064-81-0x0000000000400000-0x000000000044D000-memory.dmp	family_cycbot
behavioral1/memory/1680-171-0x0000000000400000-0x000000000044D000-memory.dmp	family_cycbot
behavioral1/memory/1680-208-0x0000000000400000-0x000000000044D000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1680-3-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/2936-6-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/2936-5-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/2936-7-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/1680-14-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/2064-80-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/2064-81-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/1680-171-0x0000000000400000-0x000000000044D000-memory.dmp	upx
behavioral1/memory/1680-208-0x0000000000400000-0x000000000044D000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e4a1c00327046576cd3c3c6168e3f503_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e4a1c00327046576cd3c3c6168e3f503_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e4a1c00327046576cd3c3c6168e3f503_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 2936	1680	e4a1c00327046576cd3c3c6168e3f503_JaffaCakes118.exe	30
PID 1680 wrote to memory of 2936	1680	e4a1c00327046576cd3c3c6168e3f503_JaffaCakes118.exe	30
PID 1680 wrote to memory of 2936	1680	e4a1c00327046576cd3c3c6168e3f503_JaffaCakes118.exe	30
PID 1680 wrote to memory of 2936	1680	e4a1c00327046576cd3c3c6168e3f503_JaffaCakes118.exe	30
PID 1680 wrote to memory of 2064	1680	e4a1c00327046576cd3c3c6168e3f503_JaffaCakes118.exe	32
PID 1680 wrote to memory of 2064	1680	e4a1c00327046576cd3c3c6168e3f503_JaffaCakes118.exe	32
PID 1680 wrote to memory of 2064	1680	e4a1c00327046576cd3c3c6168e3f503_JaffaCakes118.exe	32
PID 1680 wrote to memory of 2064	1680	e4a1c00327046576cd3c3c6168e3f503_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\e4a1c00327046576cd3c3c6168e3f503_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e4a1c00327046576cd3c3c6168e3f503_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Users\Admin\AppData\Local\Temp\e4a1c00327046576cd3c3c6168e3f503_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\e4a1c00327046576cd3c3c6168e3f503_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2936
- C:\Users\Admin\AppData\Local\Temp\e4a1c00327046576cd3c3c6168e3f503_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\e4a1c00327046576cd3c3c6168e3f503_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\925A.FF0

Filesize
1KB

MD5
116a1d246220b3b3ca6fd29aa36882b8

SHA1
fd48d63cd02d7c9fa706be2c593d4174514a0e34

SHA256
88f5b31b999539c304bf5ec665b1a464e526cec9c549598255b58c15b3e68c8a

SHA512
78705c3405c2f8f8434a2c9f139fd5e1804cbc927aba253d5eac8a2104d7f64c398cc209c96945e35f36c954108f4111d33cd79994ec9ac3656e25ff1f3018ce

Download Submit
C:\Users\Admin\AppData\Roaming\925A.FF0

Filesize
600B

MD5
25044cc7991161bda0f72cef8088e76d

SHA1
93354da169c971f21f74337d7934922b39b85a56

SHA256
92b2664f780427dcc1e9cf33e2ec96a2c8db31b15b8b8c8fef1ee114dc81c8ee

SHA512
a784b57589e3d3b896426ff5e20a779789b9086949d140c511d82c9bb7f3d20a8873b4cce09a4cd08496e8985e55dc1c5dd3be9f6629295af177838c7e1a9606

Download Submit
C:\Users\Admin\AppData\Roaming\925A.FF0

Filesize
996B

MD5
0b45e957265793d16d58f948eb410c88

SHA1
927dfbf5239f2fda2d5f2b3ef7ba6bafd1ef6474

SHA256
36a6e68efc0edd8700a9157aa16425cd3f036cd9037849d3e888f73f9b5d2ba6

SHA512
a4f774874155318aaba2950ac10091dd704c11d0fd876864c7755e985b846bc41fa8625b2c23a3117b59e701c3268bc7b9f64cfb1374394f06eabf53be9545fb

Download Submit
memory/1680-14-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1680-1-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1680-3-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1680-171-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1680-208-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2064-80-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2064-81-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2936-5-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2936-7-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2936-6-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download

Analysis

Sharing