cycbot | b0a61d568f7635678cad356aef511442ecf9d731b2c4e8459f1f0b7f100b4c18

General

Target

ed2fcb0bc3b65d6f840ba611e2be55b4_JaffaCakes118.exe
Size

192KB
MD5

ed2fcb0bc3b65d6f840ba611e2be55b4
SHA1

92e5abd7e2471e0be1c7ebad94e3807e1fd41af1
SHA256

b0a61d568f7635678cad356aef511442ecf9d731b2c4e8459f1f0b7f100b4c18
SHA512

e2f0cbbe46409a9db3975aa140f51f9b44f1bd9dea2b05827e7bb3f97432706955531d08c491fe79bd2845e8ab3970b90dc411b595bc5f58ef6984e984ee94e7
SSDEEP

3072:/38tXegDkbOV3qtWoyjjcYX1/E/eWfiUd6Q6QOO2j/DW6kNXHQi3JM0xJiR2mpc7:/WO5SV30/YlSeWaALPOO2ji6ajJM0A2l

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2664-6-0x0000000000400000-0x0000000000469000-memory.dmp	family_cycbot
behavioral1/memory/2664-7-0x0000000000400000-0x0000000000469000-memory.dmp	family_cycbot
behavioral1/memory/2308-16-0x0000000000400000-0x0000000000469000-memory.dmp	family_cycbot
behavioral1/memory/1428-80-0x0000000000400000-0x0000000000469000-memory.dmp	family_cycbot
behavioral1/memory/2308-185-0x0000000000400000-0x0000000000469000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2308-1-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2664-4-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2664-6-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2664-7-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2308-16-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/1428-80-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/1428-78-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2308-185-0x0000000000400000-0x0000000000469000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed2fcb0bc3b65d6f840ba611e2be55b4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed2fcb0bc3b65d6f840ba611e2be55b4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed2fcb0bc3b65d6f840ba611e2be55b4_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 2664	2308	ed2fcb0bc3b65d6f840ba611e2be55b4_JaffaCakes118.exe	31
PID 2308 wrote to memory of 2664	2308	ed2fcb0bc3b65d6f840ba611e2be55b4_JaffaCakes118.exe	31
PID 2308 wrote to memory of 2664	2308	ed2fcb0bc3b65d6f840ba611e2be55b4_JaffaCakes118.exe	31
PID 2308 wrote to memory of 2664	2308	ed2fcb0bc3b65d6f840ba611e2be55b4_JaffaCakes118.exe	31
PID 2308 wrote to memory of 1428	2308	ed2fcb0bc3b65d6f840ba611e2be55b4_JaffaCakes118.exe	33
PID 2308 wrote to memory of 1428	2308	ed2fcb0bc3b65d6f840ba611e2be55b4_JaffaCakes118.exe	33
PID 2308 wrote to memory of 1428	2308	ed2fcb0bc3b65d6f840ba611e2be55b4_JaffaCakes118.exe	33
PID 2308 wrote to memory of 1428	2308	ed2fcb0bc3b65d6f840ba611e2be55b4_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\ed2fcb0bc3b65d6f840ba611e2be55b4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ed2fcb0bc3b65d6f840ba611e2be55b4_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Users\Admin\AppData\Local\Temp\ed2fcb0bc3b65d6f840ba611e2be55b4_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\ed2fcb0bc3b65d6f840ba611e2be55b4_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2664
- C:\Users\Admin\AppData\Local\Temp\ed2fcb0bc3b65d6f840ba611e2be55b4_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\ed2fcb0bc3b65d6f840ba611e2be55b4_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\6563.092

Filesize
1KB

MD5
2f219f3035d43354095e8e34d3a84dc8

SHA1
5cab5f006a864d90574e95cff94005ac379b7754

SHA256
62d55dcb74ca71514559989f7774792c9ce3fa6c833dd6a77ed5ca2b0912409b

SHA512
659147fe336ed88616d2554ec0384b0488936d0c7cff6065802060e434b77630551b306e4c26030bff5930829960c245a801c29ec8e8a6d6070eeb9d7d229130

Download Submit
C:\Users\Admin\AppData\Roaming\6563.092

Filesize
600B

MD5
4c942c9ca1e05cc9bc49206239362de5

SHA1
a152a86309b1f334ac2ec84a261fdf337c8aaadc

SHA256
6c851513883f560b6c818989576a5f9d0915f52880bc44e993e47ebccbbb55eb

SHA512
930aac059e66163d1db8cb7c5187314973f0b3a169aeb3f1c6c3ffcbed6c0eac0c6502bb4a70bc04ddf6cf3ce5c912fbb02feee2207a47669b13d95643058826

Download Submit
C:\Users\Admin\AppData\Roaming\6563.092

Filesize
996B

MD5
9a02ae6444bda64844ada61b65461a96

SHA1
fc0c4de9d306aac67d14e81102a3d9fc98c3218a

SHA256
35a51ee9958b4fea2d7ce05192fbc9db10151ce17a6124fdd6816fbd58841923

SHA512
1d8b34249e2a4f606d124adcc0b1fc992cac0744b55ecd34da76a9c85d5d89f0f21c6e116590157baa3d37b50d4a8d12bbd8552e6486656a3bd38ccbdd464b31

Download Submit
memory/1428-77-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1428-80-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1428-78-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2308-1-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2308-16-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2308-185-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2664-4-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2664-6-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2664-7-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download

Analysis

Sharing