cycbot | e507e9820b305b1e436d0c38b69aeea1eba957cc9ae3011d73c4e48f0a26f10c

General

Target

e5bcc725cebd594328e1049bcc1d6fe1_JaffaCakes118.exe
Size

179KB
MD5

e5bcc725cebd594328e1049bcc1d6fe1
SHA1

093da4911e69ca81744503bbba0092a0bc73ded1
SHA256

e507e9820b305b1e436d0c38b69aeea1eba957cc9ae3011d73c4e48f0a26f10c
SHA512

03d9e57b60d0a105ea92ea5095c0f6ca54e4bd630ffd7505286fcc70bd2451472db0bf81499192b6b2cf6658bf7c118a869075ecabbd4cc726e578299553d92e
SSDEEP

3072:TF4Ea2JArl3Vw5QUPYLqgoaWcPeaI0ckUTSJu31Hr7Yq:eEaaB5QjLqfaW+20ck2goHrMq

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2332-13-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/1624-14-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/2396-81-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot
behavioral1/memory/1624-196-0x0000000000400000-0x000000000046C000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1624-2-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2332-12-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2332-13-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1624-14-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2396-82-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/2396-81-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral1/memory/1624-196-0x0000000000400000-0x000000000046C000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e5bcc725cebd594328e1049bcc1d6fe1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e5bcc725cebd594328e1049bcc1d6fe1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e5bcc725cebd594328e1049bcc1d6fe1_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 2332	1624	e5bcc725cebd594328e1049bcc1d6fe1_JaffaCakes118.exe	31
PID 1624 wrote to memory of 2332	1624	e5bcc725cebd594328e1049bcc1d6fe1_JaffaCakes118.exe	31
PID 1624 wrote to memory of 2332	1624	e5bcc725cebd594328e1049bcc1d6fe1_JaffaCakes118.exe	31
PID 1624 wrote to memory of 2332	1624	e5bcc725cebd594328e1049bcc1d6fe1_JaffaCakes118.exe	31
PID 1624 wrote to memory of 2396	1624	e5bcc725cebd594328e1049bcc1d6fe1_JaffaCakes118.exe	33
PID 1624 wrote to memory of 2396	1624	e5bcc725cebd594328e1049bcc1d6fe1_JaffaCakes118.exe	33
PID 1624 wrote to memory of 2396	1624	e5bcc725cebd594328e1049bcc1d6fe1_JaffaCakes118.exe	33
PID 1624 wrote to memory of 2396	1624	e5bcc725cebd594328e1049bcc1d6fe1_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\e5bcc725cebd594328e1049bcc1d6fe1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e5bcc725cebd594328e1049bcc1d6fe1_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Users\Admin\AppData\Local\Temp\e5bcc725cebd594328e1049bcc1d6fe1_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\e5bcc725cebd594328e1049bcc1d6fe1_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2332
- C:\Users\Admin\AppData\Local\Temp\e5bcc725cebd594328e1049bcc1d6fe1_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\e5bcc725cebd594328e1049bcc1d6fe1_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\B8F3.C53

Filesize
996B

MD5
a35d7387e3de88baf48a5d70e7ae39b9

SHA1
0d82db0a975b426644208c0d36144a7f2ada4fcb

SHA256
e26a25e50fa69da917e6e5bc42e52c3d479bcbccb9d9c7527a1e7ced79ba4e92

SHA512
f737c1cf3ef4532e1b92679ac50419c63109094e3ef767598999a183344ec9611e18f14cc39f150acd3feeb1057d17365bbc00f15d93e39687f98f0e161a8bc6

Download Submit
C:\Users\Admin\AppData\Roaming\B8F3.C53

Filesize
1KB

MD5
c42de8cb126ad9f91b808906be64fed4

SHA1
2eee108571a26e44cca4fb3984d77345768b89b7

SHA256
705e1208be8aa7abc744d8d7bace5ca8d2606fd96a59f189548991fde2d741bd

SHA512
bab98d5d84bd955a77a4f29ee7055d8b7180204463c8c23527fbde99e2884bbba0bd545e7d033723bec27aab33f3a056b6cb9242694e8cc85de23534404ce08f

Download Submit
C:\Users\Admin\AppData\Roaming\B8F3.C53

Filesize
600B

MD5
b2a0e40801140d8054a1d88c37f7b448

SHA1
1b9c101f41e0b539dfee4a0d114c8187a26f9788

SHA256
3d8ec669427e676c00ccd95bce6e5b559584117a1348f06dd5fd48421b7ad767

SHA512
dfaa905184e4190c03b37eda956611456f64d1639f6645fa0df40348fa7075e9947da42c4aa3f48977888104520853a8f4e69196651a096504088bceb40bc12b

Download Submit
memory/1624-1-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1624-2-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1624-14-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1624-196-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2332-12-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2332-13-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2396-82-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2396-81-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing