cycbot | bbf4a56cb1b76340c0d3c3e304ed7620f2a830f161dd589f59f65e4cb16f8a62

General

Target

f36d06253da95d2b508aad9ccfac3873_JaffaCakes118.exe
Size

179KB
MD5

f36d06253da95d2b508aad9ccfac3873
SHA1

d5bac4098ba1aa2cca0ed821f3a76c3707b850f6
SHA256

bbf4a56cb1b76340c0d3c3e304ed7620f2a830f161dd589f59f65e4cb16f8a62
SHA512

a8f870325e1b1b058746598e1a792172083a796549e33fff339dbf9c600eb36bbbe027bcf3c74c6169f2e7fa77e240b4cafc6ee826afa468ddb4108c4d92a532
SSDEEP

3072:tzAEpMDC6u6r4NMFQ0TJoUq4Ehk1CQs3+d1UDEjksCfyv0MSi56+X/B/Pd7ROdh:tJy3u6r4YTJdq5m1f1mEjksixMSmLNO

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2652-8-0x0000000000400000-0x0000000000469000-memory.dmp	family_cycbot
behavioral1/memory/3036-15-0x0000000000400000-0x0000000000469000-memory.dmp	family_cycbot
behavioral1/memory/2656-86-0x0000000000400000-0x0000000000469000-memory.dmp	family_cycbot
behavioral1/memory/3036-180-0x0000000000400000-0x0000000000469000-memory.dmp	family_cycbot
behavioral1/memory/3036-215-0x0000000000400000-0x0000000000469000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3036-2-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2652-6-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2652-8-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/3036-15-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2652-83-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2656-84-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/2656-86-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/3036-180-0x0000000000400000-0x0000000000469000-memory.dmp	upx
behavioral1/memory/3036-215-0x0000000000400000-0x0000000000469000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f36d06253da95d2b508aad9ccfac3873_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f36d06253da95d2b508aad9ccfac3873_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f36d06253da95d2b508aad9ccfac3873_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 2652	3036	f36d06253da95d2b508aad9ccfac3873_JaffaCakes118.exe	30
PID 3036 wrote to memory of 2652	3036	f36d06253da95d2b508aad9ccfac3873_JaffaCakes118.exe	30
PID 3036 wrote to memory of 2652	3036	f36d06253da95d2b508aad9ccfac3873_JaffaCakes118.exe	30
PID 3036 wrote to memory of 2652	3036	f36d06253da95d2b508aad9ccfac3873_JaffaCakes118.exe	30
PID 3036 wrote to memory of 2656	3036	f36d06253da95d2b508aad9ccfac3873_JaffaCakes118.exe	32
PID 3036 wrote to memory of 2656	3036	f36d06253da95d2b508aad9ccfac3873_JaffaCakes118.exe	32
PID 3036 wrote to memory of 2656	3036	f36d06253da95d2b508aad9ccfac3873_JaffaCakes118.exe	32
PID 3036 wrote to memory of 2656	3036	f36d06253da95d2b508aad9ccfac3873_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\f36d06253da95d2b508aad9ccfac3873_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f36d06253da95d2b508aad9ccfac3873_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Users\Admin\AppData\Local\Temp\f36d06253da95d2b508aad9ccfac3873_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f36d06253da95d2b508aad9ccfac3873_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2652
- C:\Users\Admin\AppData\Local\Temp\f36d06253da95d2b508aad9ccfac3873_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f36d06253da95d2b508aad9ccfac3873_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\1266.9DE

Filesize
1KB

MD5
8c6de7a83656a0c7e3334a0ed4dd1db7

SHA1
f5a61ac923886d70ef65cee30d2eca20616cfcf1

SHA256
82029f8ea4dc1861de6d9280aa9604572813e164db4236333c18e1169b62be0a

SHA512
2bdaf18c074b722716cc571064fd21ced8513a3ecb98b017e2d9cd054a6067186443d88c41f30cffa9bb44ebf2b005dc7bb6dc3ff1ffdfa716d4757ca7f6e1aa

Download Submit
C:\Users\Admin\AppData\Roaming\1266.9DE

Filesize
600B

MD5
d23e614456f6aaee918ea87fa7e51229

SHA1
3d4596be567a4c131ebe4e8124c3c12fccd3bced

SHA256
8b7578f8b90c588f89124f669ffeb88c96b751e0f8ddc491fd46c3ec4c8fde20

SHA512
8a3872ac9670f12c0e94c8a64c218fa4b92c1c5d435f337d03bfdca69a3c5c71757ffc2e9ea7e1c1f499ac479bd2806aa8966ce136286c9f60516370bbbee206

Download Submit
C:\Users\Admin\AppData\Roaming\1266.9DE

Filesize
996B

MD5
a178dda0488d000d13876592d82d2b41

SHA1
428f78397789023ae70b22c9450a988483dbd88e

SHA256
4cf11e68a26726870a56491b867ceb4795bf1b4eab0884654d5bb08ca1a4717c

SHA512
0c54a89e78063b38c1ab1c37fb35bbdc0fdfa8321308995624d0ca4bfcc4fe5e59150b6510c090548f62434f5c1113ddb5db31641d097a0b2d38a443ed5355eb

Download Submit
memory/2652-6-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2652-8-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2652-83-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2652-5-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2656-84-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2656-86-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3036-15-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3036-1-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3036-2-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3036-180-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/3036-215-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download

Analysis

Sharing