cycbot | c00455d72cf3c2e56b0344d5067ea423b7966ed1c2eaa3e639c822c7497184a9

General

Target

eb7821ad495e14b6c9fce6fc11534fff_JaffaCakes118.exe
Size

211KB
MD5

eb7821ad495e14b6c9fce6fc11534fff
SHA1

f4c368f310af6f05e830ba0274503a012b78e7d3
SHA256

c00455d72cf3c2e56b0344d5067ea423b7966ed1c2eaa3e639c822c7497184a9
SHA512

794893662e0d4cd6233c0830a61aae3eaa5b1de69f463ab6112ac0279e99fd53b8d2cdb67e75292aa5911f2a7a82cda05d6f413f7652ca044fa3538b2f1912f6
SSDEEP

3072:AyTRWCQCOeXJYc4QlbR8dgkRKed/WTpt04thQhUyJHJtMRZKZDPN:FWCFOLSlbR8dXRKedOTptOh1JrM7c

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2580-15-0x0000000000400000-0x000000000044F000-memory.dmp	family_cycbot
behavioral1/memory/1740-16-0x0000000000400000-0x000000000044F000-memory.dmp	family_cycbot
behavioral1/memory/2724-80-0x0000000000400000-0x000000000044F000-memory.dmp	family_cycbot
behavioral1/memory/2724-79-0x0000000000400000-0x000000000044F000-memory.dmp	family_cycbot
behavioral1/memory/1740-182-0x0000000000400000-0x000000000044F000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1740-2-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2580-12-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2580-13-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2580-15-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/1740-16-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2724-80-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2724-79-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/1740-182-0x0000000000400000-0x000000000044F000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb7821ad495e14b6c9fce6fc11534fff_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb7821ad495e14b6c9fce6fc11534fff_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb7821ad495e14b6c9fce6fc11534fff_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2580	1740	eb7821ad495e14b6c9fce6fc11534fff_JaffaCakes118.exe	30
PID 1740 wrote to memory of 2580	1740	eb7821ad495e14b6c9fce6fc11534fff_JaffaCakes118.exe	30
PID 1740 wrote to memory of 2580	1740	eb7821ad495e14b6c9fce6fc11534fff_JaffaCakes118.exe	30
PID 1740 wrote to memory of 2580	1740	eb7821ad495e14b6c9fce6fc11534fff_JaffaCakes118.exe	30
PID 1740 wrote to memory of 2724	1740	eb7821ad495e14b6c9fce6fc11534fff_JaffaCakes118.exe	33
PID 1740 wrote to memory of 2724	1740	eb7821ad495e14b6c9fce6fc11534fff_JaffaCakes118.exe	33
PID 1740 wrote to memory of 2724	1740	eb7821ad495e14b6c9fce6fc11534fff_JaffaCakes118.exe	33
PID 1740 wrote to memory of 2724	1740	eb7821ad495e14b6c9fce6fc11534fff_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\eb7821ad495e14b6c9fce6fc11534fff_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eb7821ad495e14b6c9fce6fc11534fff_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Users\Admin\AppData\Local\Temp\eb7821ad495e14b6c9fce6fc11534fff_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\eb7821ad495e14b6c9fce6fc11534fff_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2580
- C:\Users\Admin\AppData\Local\Temp\eb7821ad495e14b6c9fce6fc11534fff_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\eb7821ad495e14b6c9fce6fc11534fff_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\B2F2.59A

Filesize
600B

MD5
cc5c44079bcc8bbb2028e7a5efcb80de

SHA1
85830a59b693589b142877ff74b57347ffb9c47e

SHA256
118accfd63a363c19b92f1254eeb0d6357537e767520ea39204281ced18e53ad

SHA512
028a2a6cbb70dfbb921a87ead067e0aafc0ca5ff49ffcba9feb4a768ad83a8ba810d81905bc9212ac6c74e2a2a840ebb489657eb5b6bb73fc66c8ea19a2dc9e4

Download Submit
C:\Users\Admin\AppData\Roaming\B2F2.59A

Filesize
996B

MD5
39b205c914165c1d74dc809141e16280

SHA1
70b6324191cb21eef9c3bff91faf185814a63223

SHA256
714058bfdafa4d13fd9fbd54aa23280645137e3a7e359c2bda167eee9c106f60

SHA512
5830dd733ef9316f277abbb71ce3d2c396f8560f08a9991945f89ab55dfa8307060f0a71087e8cb475689a9a39ee3a1d998247543a69b6fcab505608af106f3f

Download Submit
memory/1740-1-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1740-2-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1740-16-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1740-182-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2580-12-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2580-13-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2580-15-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2724-80-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2724-79-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download

Analysis

Sharing