cycbot | 2302fecc8833997d859dae05079448deda61931ad05bea43e3e8388a00a6b27f

General

Target

f1de960b6a31d7a4bd2377df2025a792_JaffaCakes118.exe
Size

194KB
MD5

f1de960b6a31d7a4bd2377df2025a792
SHA1

c50ce945db56a8a2fe1899a8cba5ee7c74295e2b
SHA256

2302fecc8833997d859dae05079448deda61931ad05bea43e3e8388a00a6b27f
SHA512

006592e5f2b8e297a48e1f2e7ef27023455569541ab9679361be62c79da30461daff42a6f63ed7c3bf40c65c7a4a8cf95bf0a74313b620939ab7cc7bff430fa9
SSDEEP

6144:+VtVcTYzfCfGz2UgK30RkP7LJ9OQo2Ru:+vVfOGKxU0RGJzfR

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2420-6-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2420-8-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/1572-16-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2680-83-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/1572-186-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1572-2-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2420-5-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2420-6-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2420-8-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1572-16-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2680-82-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2680-83-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1572-186-0x0000000000400000-0x000000000046A000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f1de960b6a31d7a4bd2377df2025a792_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f1de960b6a31d7a4bd2377df2025a792_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f1de960b6a31d7a4bd2377df2025a792_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1572 wrote to memory of 2420	1572	f1de960b6a31d7a4bd2377df2025a792_JaffaCakes118.exe	28
PID 1572 wrote to memory of 2420	1572	f1de960b6a31d7a4bd2377df2025a792_JaffaCakes118.exe	28
PID 1572 wrote to memory of 2420	1572	f1de960b6a31d7a4bd2377df2025a792_JaffaCakes118.exe	28
PID 1572 wrote to memory of 2420	1572	f1de960b6a31d7a4bd2377df2025a792_JaffaCakes118.exe	28
PID 1572 wrote to memory of 2680	1572	f1de960b6a31d7a4bd2377df2025a792_JaffaCakes118.exe	32
PID 1572 wrote to memory of 2680	1572	f1de960b6a31d7a4bd2377df2025a792_JaffaCakes118.exe	32
PID 1572 wrote to memory of 2680	1572	f1de960b6a31d7a4bd2377df2025a792_JaffaCakes118.exe	32
PID 1572 wrote to memory of 2680	1572	f1de960b6a31d7a4bd2377df2025a792_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\f1de960b6a31d7a4bd2377df2025a792_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f1de960b6a31d7a4bd2377df2025a792_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Users\Admin\AppData\Local\Temp\f1de960b6a31d7a4bd2377df2025a792_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f1de960b6a31d7a4bd2377df2025a792_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2420
- C:\Users\Admin\AppData\Local\Temp\f1de960b6a31d7a4bd2377df2025a792_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f1de960b6a31d7a4bd2377df2025a792_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\F364.BDF

Filesize
1KB

MD5
fea30f46855e95263e7d15838a425a5c

SHA1
6b60711ac5e6d2c63e5230f3f1d8a8924b0461fe

SHA256
113b35967ae180eabb718001d6caad26ad1cf404bfad3ea692bc3e48d6979b74

SHA512
dd9b1566a4e916bc81194ed1a244013a51f4c46ceb2db436a86794932da617a5bfd141462c8d2f77eaefec063affbd32a078f4084807a4a5e15a9dd317c0ae78

Download Submit
C:\Users\Admin\AppData\Roaming\F364.BDF

Filesize
600B

MD5
3dbe4fe320e645c245ebad27aa9e3d5e

SHA1
3289186366d14b020e6ea69b750cb1c1c7a2c8ea

SHA256
be9af307bf58e5f8a3c9c62645c5031201f18de20b1f280bd85c9527510adb4d

SHA512
6dd0a0f983accae0a0d8532de24128fe89d867ab2d0defc2a958fe3a9df43c97cad8dcc8c32402c92999373540cb334733cf2a68bf43d8f5b25e95666cbf8dc4

Download Submit
C:\Users\Admin\AppData\Roaming\F364.BDF

Filesize
996B

MD5
67ed711703746f60f1265081647adf1d

SHA1
c84d29276926077371178ef9f103f8b9ee5eb179

SHA256
79434f90d730a5ed6b79ffba83a6b6c4da33a9e87b3233be6d62dbb8fe54e79a

SHA512
3876c2283108369cf17c349ecdced1d3a2ed381ba7c9a9bd3be9a6143cceddb2376fd51b1fd2ba88853585ce0e81d17ac736b833516770fa95e5c0d11c41be2d

Download Submit
memory/1572-1-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1572-2-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1572-16-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1572-186-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2420-5-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2420-6-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2420-8-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2680-82-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2680-83-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download

Analysis

Sharing