cycbot | 393291e3acdeeb91b0d00327a55785e7a549ba4e25451033ee1197ee0beee0f6

General

Target

f667a1efbd3a8139526eb7775affa2eb_JaffaCakes118.exe
Size

175KB
MD5

f667a1efbd3a8139526eb7775affa2eb
SHA1

c2c652f93b57f71bb2c529be4a2a79afdaa68582
SHA256

393291e3acdeeb91b0d00327a55785e7a549ba4e25451033ee1197ee0beee0f6
SHA512

285f83c910d12aa7f67b3615bb38c5e0edda613ff9f15d6dcdd7a25d85c309ed0ea7ab1c4175a784da9a97411e4ac7b7a97bdc0064f2c3fb34b3a101006faaa2
SSDEEP

3072:a5BtyHlQRB1lvEljPyVQ3fNcTRh+wyq9oVofL5+aualo8W:a8HlI1leLyS3fN3qQUDua6j

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2800-12-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral1/memory/2800-14-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral1/memory/3068-15-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral1/memory/376-87-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral1/memory/3068-156-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3068-2-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2800-12-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2800-14-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/3068-15-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/376-85-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/376-87-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/3068-156-0x0000000000400000-0x000000000046B000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f667a1efbd3a8139526eb7775affa2eb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f667a1efbd3a8139526eb7775affa2eb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f667a1efbd3a8139526eb7775affa2eb_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2800	3068	f667a1efbd3a8139526eb7775affa2eb_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2800	3068	f667a1efbd3a8139526eb7775affa2eb_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2800	3068	f667a1efbd3a8139526eb7775affa2eb_JaffaCakes118.exe	30
PID 3068 wrote to memory of 2800	3068	f667a1efbd3a8139526eb7775affa2eb_JaffaCakes118.exe	30
PID 3068 wrote to memory of 376	3068	f667a1efbd3a8139526eb7775affa2eb_JaffaCakes118.exe	32
PID 3068 wrote to memory of 376	3068	f667a1efbd3a8139526eb7775affa2eb_JaffaCakes118.exe	32
PID 3068 wrote to memory of 376	3068	f667a1efbd3a8139526eb7775affa2eb_JaffaCakes118.exe	32
PID 3068 wrote to memory of 376	3068	f667a1efbd3a8139526eb7775affa2eb_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\f667a1efbd3a8139526eb7775affa2eb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f667a1efbd3a8139526eb7775affa2eb_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Users\Admin\AppData\Local\Temp\f667a1efbd3a8139526eb7775affa2eb_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f667a1efbd3a8139526eb7775affa2eb_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2800
- C:\Users\Admin\AppData\Local\Temp\f667a1efbd3a8139526eb7775affa2eb_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f667a1efbd3a8139526eb7775affa2eb_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\A885.B71

Filesize
1KB

MD5
6aebfcdef49ea0787c2580e7a1871eec

SHA1
ae92eb5ee21fefb747483cd7cef6f828a5507675

SHA256
54801f7942d48d704f224460623c05e3ff5b2fac9b359f4d9c0514084aa3b3a6

SHA512
147c2fca47ee02bb948aa1056f7694f789c79d7c408d581d2619723cc1c748d0c4f1afdb10cff31c2bc6bf028fb09ceb0068a8e8a6141527a3190e522ec18b18

Download Submit
C:\Users\Admin\AppData\Roaming\A885.B71

Filesize
600B

MD5
1f6b34b5bc8e69ee8719e5b7f9199ab8

SHA1
1e3a3942202018d5a13a4c830dd65a8200590b60

SHA256
bed4b317dfcf6d1c9816974e02db4147c240d27572429b87ffc6bd7990f8e5f8

SHA512
277f07ff974d480e1386381574e6ad20a9dd32d5f2102ebc79aa19bee99f919bc7e8cb24fefe0f8ebdb828ae8e5479d2e300f6a1902be590ab2c062bf9c78603

Download Submit
C:\Users\Admin\AppData\Roaming\A885.B71

Filesize
996B

MD5
983c4064699ed6ec4f2cbd20e009c272

SHA1
dd33ddcced56ca3e2ab579ac51da38ff70d05cca

SHA256
03510f3de23e7309c62a536aa6111027becbd763a3b01bcb6658bff631da3862

SHA512
94822f5cc3971d8515dece14665f34c7ad988baa98ad02b59d141b287ff011fd0f3e19e54b8ea97ed23fe73a82235ce71b514eff434e2518000841fe485b8e91

Download Submit
memory/376-85-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/376-87-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2800-12-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2800-14-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3068-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3068-2-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3068-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3068-156-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing