cycbot | 1cee52bca04fbbc8c112b8a54cf8a437afc09663ca8d4708126924a013c5e66e

General

Target

f47808edf47a6accfb475111b5c5bddc_JaffaCakes118.exe
Size

216KB
MD5

f47808edf47a6accfb475111b5c5bddc
SHA1

8aefb988f40dd4b0bb64fd11f6a2e9ef0b1e409b
SHA256

1cee52bca04fbbc8c112b8a54cf8a437afc09663ca8d4708126924a013c5e66e
SHA512

68199c56bd0d3d50beddf4e454f2ff0cc6d079593553a545a10542d9aca5426143a1babc3b1b3c8747560d87f42ca5e600372c5b6f176a7886ad3d1e859efa0e
SSDEEP

6144:0qDweAKjIDGo1b2QjEBDX31uqKkLoRfzRRMO:0qDwxKj+zhIL31uqFMRHM

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2704-9-0x0000000000400000-0x000000000044F000-memory.dmp	family_cycbot
behavioral1/memory/2704-8-0x0000000000400000-0x000000000044F000-memory.dmp	family_cycbot
behavioral1/memory/2216-15-0x0000000000400000-0x000000000044F000-memory.dmp	family_cycbot
behavioral1/memory/2400-87-0x0000000000400000-0x000000000044F000-memory.dmp	family_cycbot
behavioral1/memory/2216-195-0x0000000000400000-0x000000000044F000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2216-2-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2704-9-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2704-8-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2216-15-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2400-87-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2216-195-0x0000000000400000-0x000000000044F000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f47808edf47a6accfb475111b5c5bddc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f47808edf47a6accfb475111b5c5bddc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f47808edf47a6accfb475111b5c5bddc_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2704	2216	f47808edf47a6accfb475111b5c5bddc_JaffaCakes118.exe	30
PID 2216 wrote to memory of 2704	2216	f47808edf47a6accfb475111b5c5bddc_JaffaCakes118.exe	30
PID 2216 wrote to memory of 2704	2216	f47808edf47a6accfb475111b5c5bddc_JaffaCakes118.exe	30
PID 2216 wrote to memory of 2704	2216	f47808edf47a6accfb475111b5c5bddc_JaffaCakes118.exe	30
PID 2216 wrote to memory of 2400	2216	f47808edf47a6accfb475111b5c5bddc_JaffaCakes118.exe	32
PID 2216 wrote to memory of 2400	2216	f47808edf47a6accfb475111b5c5bddc_JaffaCakes118.exe	32
PID 2216 wrote to memory of 2400	2216	f47808edf47a6accfb475111b5c5bddc_JaffaCakes118.exe	32
PID 2216 wrote to memory of 2400	2216	f47808edf47a6accfb475111b5c5bddc_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\f47808edf47a6accfb475111b5c5bddc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f47808edf47a6accfb475111b5c5bddc_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Users\Admin\AppData\Local\Temp\f47808edf47a6accfb475111b5c5bddc_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f47808edf47a6accfb475111b5c5bddc_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2704
- C:\Users\Admin\AppData\Local\Temp\f47808edf47a6accfb475111b5c5bddc_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f47808edf47a6accfb475111b5c5bddc_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\E46F.2BE

Filesize
600B

MD5
21d28549634e62a5240016c53eed4e0e

SHA1
e57ec164753fd55bb50ab0ee8452040495129eec

SHA256
606c7312aab68ec967db78db6d7118982dd939ea79aecb04203f91a299c9b7e3

SHA512
d51338eba471d739642821034214cc222b9397cfc4d82c81c92f7e6e9c81156b455607d886a06f36371fc71decf9a50fe1550e3d1aea0c5c09bfc119dce0df2e

Download Submit
C:\Users\Admin\AppData\Roaming\E46F.2BE

Filesize
996B

MD5
cf3ce2e605fc8be98e398ed6c0b3ac07

SHA1
ea2e996016c150eb427cefa007d7e145a4b3ba48

SHA256
ff99c56a582d38f3013d6dd574bbc5372b64ed65533f8e3da481742c6f66e787

SHA512
cee9ca88468818a58c9dfb6586522c3c710ae344bf7d64d9eebf09414a2bd57df312afcc817040a8acb053ceeb7d63a4de594417917e67b683ba947019474c47

Download Submit
memory/2216-1-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2216-2-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2216-15-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2216-195-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2400-87-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2704-9-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2704-8-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download

Analysis

Sharing