cycbot | 15362254b74485feaea4f677c38a1bae3de253aea1f379863a1698b5066dc17b

General

Target

e932be6aa11209a76563ad07a5dc11c8_JaffaCakes118.exe
Size

189KB
MD5

e932be6aa11209a76563ad07a5dc11c8
SHA1

964f8d8c8006c77329e055fa6abcd3ac9b94204c
SHA256

15362254b74485feaea4f677c38a1bae3de253aea1f379863a1698b5066dc17b
SHA512

966f741c235d1ff0a08cc57f7f1911f364a193d825225b4d9b0dc46e6481e70be4536fafe9b46696389f847a139f2bd863382c9c2818fe90a84685f6107b9063
SSDEEP

3072:q3OHwM/fvyKUb5anu+LPl8qYRHIsia238vnDEUPGApzgdjM23a0LYBRGZRhiQ8tQ:COD/Hy79suCC7J238vnDb9u5e08oZRdr

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2052-8-0x0000000000400000-0x0000000000469000-memory.dmp	family_cycbot
behavioral1/memory/1964-17-0x0000000000400000-0x0000000000469000-memory.dmp	family_cycbot
behavioral1/memory/2300-79-0x0000000000400000-0x0000000000469000-memory.dmp	family_cycbot
behavioral1/memory/1964-178-0x0000000000400000-0x0000000000469000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1964-2-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2052-6-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2052-8-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/1964-17-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2300-78-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2300-79-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/1964-178-0x0000000000400000-0x0000000000469000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e932be6aa11209a76563ad07a5dc11c8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e932be6aa11209a76563ad07a5dc11c8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e932be6aa11209a76563ad07a5dc11c8_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 2052	1964	e932be6aa11209a76563ad07a5dc11c8_JaffaCakes118.exe	30
PID 1964 wrote to memory of 2052	1964	e932be6aa11209a76563ad07a5dc11c8_JaffaCakes118.exe	30
PID 1964 wrote to memory of 2052	1964	e932be6aa11209a76563ad07a5dc11c8_JaffaCakes118.exe	30
PID 1964 wrote to memory of 2052	1964	e932be6aa11209a76563ad07a5dc11c8_JaffaCakes118.exe	30
PID 1964 wrote to memory of 2300	1964	e932be6aa11209a76563ad07a5dc11c8_JaffaCakes118.exe	32
PID 1964 wrote to memory of 2300	1964	e932be6aa11209a76563ad07a5dc11c8_JaffaCakes118.exe	32
PID 1964 wrote to memory of 2300	1964	e932be6aa11209a76563ad07a5dc11c8_JaffaCakes118.exe	32
PID 1964 wrote to memory of 2300	1964	e932be6aa11209a76563ad07a5dc11c8_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\e932be6aa11209a76563ad07a5dc11c8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e932be6aa11209a76563ad07a5dc11c8_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Users\Admin\AppData\Local\Temp\e932be6aa11209a76563ad07a5dc11c8_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\e932be6aa11209a76563ad07a5dc11c8_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2052
- C:\Users\Admin\AppData\Local\Temp\e932be6aa11209a76563ad07a5dc11c8_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\e932be6aa11209a76563ad07a5dc11c8_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\C499.4CA

Filesize
1KB

MD5
a71c2d989b186eae2815b0be72b2ac54

SHA1
aca822f0d657b4d418670b23f8a9b60a65794bf5

SHA256
de37666e0e212439b772f6ef56a84bd1bd0a6910ea269292330194bb48a2cfdb

SHA512
516b1cb291166953c01a23f895a0ee4d23197f6650472008524120700144dd56d3bb3716890133bd2dbffa30b287b78a7705e751aee3189b6ae89c781a0d4809

Download Submit
C:\Users\Admin\AppData\Roaming\C499.4CA

Filesize
600B

MD5
d38f455125e6fbcaca7f60649f8b1c9d

SHA1
4ce692afa5a4f01f62824ba0f3202e1e3c4c53f4

SHA256
1107540a37e3d92eb82f8c5c979ee9a611a9bbf95a6abf4a0d86d6e0ef0d70f5

SHA512
596007a1a16dfb8a4517c72e5d21ee9f4b1a7fe6fef7ee65c96c46efe6d16c2dd9a8d65bc65b859637ef662eec4f4d124ff482e60d3107ea0904cdf1acc9bc56

Download Submit
C:\Users\Admin\AppData\Roaming\C499.4CA

Filesize
996B

MD5
baf97ef121464d8077c1d7df0017ed1f

SHA1
b1c2d5078a657c2ad95f8b26a2efb42ea2c376be

SHA256
1fd5711f4bba3f0c867a8bc10013b194f439221055b5458552c2ac376a6579d2

SHA512
47bce1079bb423e769a1a5f6f3db40dd9a14af7cd2baa8fdddfe18454e0c1a8180eb1b1a6727b08ff2a5d83cbcc7616e9b45b701c9632233a4c91ce8708c7fae

Download Submit
memory/1964-1-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1964-2-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1964-17-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1964-178-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2052-6-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2052-5-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2052-8-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2300-78-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2300-79-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download

Analysis

Sharing