cycbot | ce660a97d153a446018a997dcc8ccb2b69a12d2d65f47315ad3ca489402fb0da

General

Target

f5c36f0891a6317732aac5f91f6fc5b3_JaffaCakes118.exe
Size

183KB
MD5

f5c36f0891a6317732aac5f91f6fc5b3
SHA1

b0e5444d865c0cc3c8d582f5c3ceb830115d9718
SHA256

ce660a97d153a446018a997dcc8ccb2b69a12d2d65f47315ad3ca489402fb0da
SHA512

27fa64479ba5079cd54525d765ae0feaf215e8be35dc8ed07a7cef320e2e8d0944e22dbaa010ee3fafb5d53538bed7209bc7a5a9b6732c427ddb7e5fe7ed9a08
SSDEEP

3072:2SABN3qhIHfCqww/XWChNNawTG5gcOB/YkLNLRL9yBT7eMaqnW/AwhM5i:2SAL3qOTj/GoLamxtpRL2WGnWY9i

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2804-15-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/1456-16-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/1624-76-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/1456-175-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1456-2-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2804-13-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2804-15-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2804-12-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/1456-16-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/1624-75-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/1624-76-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/1456-175-0x0000000000400000-0x000000000044E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5c36f0891a6317732aac5f91f6fc5b3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5c36f0891a6317732aac5f91f6fc5b3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5c36f0891a6317732aac5f91f6fc5b3_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 2804	1456	f5c36f0891a6317732aac5f91f6fc5b3_JaffaCakes118.exe	29
PID 1456 wrote to memory of 2804	1456	f5c36f0891a6317732aac5f91f6fc5b3_JaffaCakes118.exe	29
PID 1456 wrote to memory of 2804	1456	f5c36f0891a6317732aac5f91f6fc5b3_JaffaCakes118.exe	29
PID 1456 wrote to memory of 2804	1456	f5c36f0891a6317732aac5f91f6fc5b3_JaffaCakes118.exe	29
PID 1456 wrote to memory of 1624	1456	f5c36f0891a6317732aac5f91f6fc5b3_JaffaCakes118.exe	31
PID 1456 wrote to memory of 1624	1456	f5c36f0891a6317732aac5f91f6fc5b3_JaffaCakes118.exe	31
PID 1456 wrote to memory of 1624	1456	f5c36f0891a6317732aac5f91f6fc5b3_JaffaCakes118.exe	31
PID 1456 wrote to memory of 1624	1456	f5c36f0891a6317732aac5f91f6fc5b3_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\f5c36f0891a6317732aac5f91f6fc5b3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f5c36f0891a6317732aac5f91f6fc5b3_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Users\Admin\AppData\Local\Temp\f5c36f0891a6317732aac5f91f6fc5b3_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f5c36f0891a6317732aac5f91f6fc5b3_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2804
- C:\Users\Admin\AppData\Local\Temp\f5c36f0891a6317732aac5f91f6fc5b3_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f5c36f0891a6317732aac5f91f6fc5b3_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\EF1E.70A

Filesize
1KB

MD5
5f8db78c2846b0ad6a862da43845e880

SHA1
2db060c24c743dbcd2d96b1de140d60c6a46afa7

SHA256
7d42b8721d46e38071931b68d0ffdc5b68f72fd90fbf2a4d1c1e12cb9d25e453

SHA512
9592e91bbebe9906891fcc07c3e49ae1750937535a1534e10f110d31ba023d4b34a7e4e3cf0ef096cf4a599ef56bf2b5fca37a439974720d644f8ec96a51439d

Download Submit
C:\Users\Admin\AppData\Roaming\EF1E.70A

Filesize
600B

MD5
686b358e65016060adbe5913ab57da3f

SHA1
35635013fce61ee7902134a51ef6e16c21e55e9a

SHA256
2568e938ab48ada5ee66bdc0ef1f5c040d57f159e98a44ff30e1e026f29bf098

SHA512
79ed8422c7fb7467ba82264a20280087331779cb9e7e8d9d7d6480de413c82f58653d39c5ce47c3a7d270090b769115ce9c18ccab8873fd9af647720edb252ba

Download Submit
C:\Users\Admin\AppData\Roaming\EF1E.70A

Filesize
996B

MD5
b390bec83fe8a7e3dff5b9a7d33e7b80

SHA1
22016581389619b1d5e663ef512a6b75220f4f85

SHA256
ae3ec01e7ecbbdcc83b89ee566d76632fcf4093686c4af4da0d48a83858ecdeb

SHA512
b478767480c45ef58bbb498b1b206542b065d996e3b7a0761f928860d7f9ed61889faa3b050d76797cc119d18bd09423a4671348782cca6e5bdb6202b1a5ebb8

Download Submit
memory/1456-1-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1456-2-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1456-16-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1456-175-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1624-75-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1624-76-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2804-13-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2804-15-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2804-12-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing