cycbot | b5fc97475f3332d7ea370998eb9ec98e00e99ba8d33c697e80c117eb26eb5f43

General

Target

f3e1b9b60ad4226faa80252a7f86794f_JaffaCakes118.exe
Size

188KB
MD5

f3e1b9b60ad4226faa80252a7f86794f
SHA1

f8a02cf8804bf98ef2d5c0c75e426770a7f5422a
SHA256

b5fc97475f3332d7ea370998eb9ec98e00e99ba8d33c697e80c117eb26eb5f43
SHA512

540f765e4c38f56a6cfa274e7165ecc9e59fd043a870711bbba7131bf4461b6a96b2bbe09d4f7fcb561fbc8e3d2093f120357b7cb9067489d6d993c08d194f59
SSDEEP

3072:Vhjf8BYJw9ZB8nSZgkZ6kZc9aMHK/cGC5A7D1zRtVoKiG62LGDMv:jf1w6nSZgkFkGbf1lzbLW6

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2212-7-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/2212-8-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/576-18-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/1624-79-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/1624-80-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/576-172-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/576-2-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2212-7-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2212-6-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2212-8-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/576-18-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/1624-79-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/1624-80-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/576-172-0x0000000000400000-0x000000000044E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f3e1b9b60ad4226faa80252a7f86794f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f3e1b9b60ad4226faa80252a7f86794f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f3e1b9b60ad4226faa80252a7f86794f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 576 wrote to memory of 2212	576	f3e1b9b60ad4226faa80252a7f86794f_JaffaCakes118.exe	30
PID 576 wrote to memory of 2212	576	f3e1b9b60ad4226faa80252a7f86794f_JaffaCakes118.exe	30
PID 576 wrote to memory of 2212	576	f3e1b9b60ad4226faa80252a7f86794f_JaffaCakes118.exe	30
PID 576 wrote to memory of 2212	576	f3e1b9b60ad4226faa80252a7f86794f_JaffaCakes118.exe	30
PID 576 wrote to memory of 1624	576	f3e1b9b60ad4226faa80252a7f86794f_JaffaCakes118.exe	32
PID 576 wrote to memory of 1624	576	f3e1b9b60ad4226faa80252a7f86794f_JaffaCakes118.exe	32
PID 576 wrote to memory of 1624	576	f3e1b9b60ad4226faa80252a7f86794f_JaffaCakes118.exe	32
PID 576 wrote to memory of 1624	576	f3e1b9b60ad4226faa80252a7f86794f_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\f3e1b9b60ad4226faa80252a7f86794f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f3e1b9b60ad4226faa80252a7f86794f_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:576
- C:\Users\Admin\AppData\Local\Temp\f3e1b9b60ad4226faa80252a7f86794f_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f3e1b9b60ad4226faa80252a7f86794f_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2212
- C:\Users\Admin\AppData\Local\Temp\f3e1b9b60ad4226faa80252a7f86794f_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f3e1b9b60ad4226faa80252a7f86794f_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\F89C.951

Filesize
597B

MD5
4b662efc4623e3ba333ec34800e401b0

SHA1
634df261d3623f4924949366e8af8088b0b90838

SHA256
55844fd28804a75d02c7075f845f3980d43e5e151d6aaad54ccd69ed69703048

SHA512
70145a540a1ef4fa7ce932fc38392e7f0cb7963359642611d26b3605065949dd40a8dbe125f029c6a2b3d76c399f6787b982b42b75c25a783b2468f14cc71d58

Download Submit
C:\Users\Admin\AppData\Roaming\F89C.951

Filesize
1KB

MD5
6b20e9353e31bed9b0566a6e913087a3

SHA1
f2855128b130973f389f845b22cd3718b0da5ea1

SHA256
8c19fd53995fb55e177976ec27e0a3a87c3b633d68b9e87e9c872f554d88e622

SHA512
9329f7c168c4f58145bd08bcb41053339badafda25e28c54e1e70ba56fa21c3256f3137bfbc110a8d83a1cc3587dfeee6ca3ed7ad3fad4b1704e44e6ec485778

Download Submit
C:\Users\Admin\AppData\Roaming\F89C.951

Filesize
897B

MD5
00513cde3839254f7e0b645e2fbeb15b

SHA1
beed4883577efdb6c88415c902b8ff197eaea9f8

SHA256
10fa5021c7a4e2c3355b2b5647bb2ef42d23536a12f7225918e91e0f3a2bde4f

SHA512
e644fb29f3dbbee0b1076bb58679dc649e7ef6faa4b8f31af05c3895fe328430112f07c2dc1bfb03a295f2463edfc9ffcdd45da845437db71e023d2d73336cb3

Download Submit
C:\Users\Admin\AppData\Roaming\F89C.951

Filesize
1KB

MD5
033c396293b23800bfc6b5c91be6b34d

SHA1
55d9251ab4acf75c5fba65dbbe953dd68a49814d

SHA256
20f87ac9fe560d171deb3ba175ea7cdff0de15ff215c361aa049132d44c81edd

SHA512
bb703a78a7a2865d64bd2d2fcf4724d25371cd60bcda1a34b93c4dbcf74956332e56612777ad6fff342ae07c266b6e307f662e700f07c59e11d90fd257610ce0

Download Submit
memory/576-1-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/576-2-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/576-172-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/576-18-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1624-78-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1624-79-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1624-80-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2212-8-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2212-6-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2212-7-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing