cycbot | 42d45a4238f81bf28496a1ad88fe3bf6df387f04be0319d226a6829d030f5a9b

General

Target

f6a9c197ba3de4dfa1e694da8cbf1f3a_JaffaCakes118.exe
Size

162KB
MD5

f6a9c197ba3de4dfa1e694da8cbf1f3a
SHA1

0497f4a4bffeca0cdf51170ec1a8ff9cb1ee6f97
SHA256

42d45a4238f81bf28496a1ad88fe3bf6df387f04be0319d226a6829d030f5a9b
SHA512

63726290a182348f988d347b819f271878b55cca2b05aae5e2425ba312c84e80a7ac2eaa788168b73595da717c1211759c5e53d0857cdfba4007d7c3bddafaff
SSDEEP

3072:/7VtabFxJiVIgLHEp+fJxww7ht4qNtZh3CQsHGf5cwBCKDKzfQtTnDtB:jVQReNLHxDh2+r34HlwvezfAnx

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1272-7-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot
behavioral1/memory/1968-15-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot
behavioral1/memory/2468-87-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot
behavioral1/memory/2468-88-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot
behavioral1/memory/1968-197-0x0000000000400000-0x0000000000468000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1968-2-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/1272-5-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/1272-6-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/1272-7-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/1968-15-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2468-87-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/2468-88-0x0000000000400000-0x0000000000468000-memory.dmp	upx
behavioral1/memory/1968-197-0x0000000000400000-0x0000000000468000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f6a9c197ba3de4dfa1e694da8cbf1f3a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f6a9c197ba3de4dfa1e694da8cbf1f3a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f6a9c197ba3de4dfa1e694da8cbf1f3a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 1272	1968	f6a9c197ba3de4dfa1e694da8cbf1f3a_JaffaCakes118.exe	30
PID 1968 wrote to memory of 1272	1968	f6a9c197ba3de4dfa1e694da8cbf1f3a_JaffaCakes118.exe	30
PID 1968 wrote to memory of 1272	1968	f6a9c197ba3de4dfa1e694da8cbf1f3a_JaffaCakes118.exe	30
PID 1968 wrote to memory of 1272	1968	f6a9c197ba3de4dfa1e694da8cbf1f3a_JaffaCakes118.exe	30
PID 1968 wrote to memory of 2468	1968	f6a9c197ba3de4dfa1e694da8cbf1f3a_JaffaCakes118.exe	32
PID 1968 wrote to memory of 2468	1968	f6a9c197ba3de4dfa1e694da8cbf1f3a_JaffaCakes118.exe	32
PID 1968 wrote to memory of 2468	1968	f6a9c197ba3de4dfa1e694da8cbf1f3a_JaffaCakes118.exe	32
PID 1968 wrote to memory of 2468	1968	f6a9c197ba3de4dfa1e694da8cbf1f3a_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\f6a9c197ba3de4dfa1e694da8cbf1f3a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f6a9c197ba3de4dfa1e694da8cbf1f3a_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Users\Admin\AppData\Local\Temp\f6a9c197ba3de4dfa1e694da8cbf1f3a_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f6a9c197ba3de4dfa1e694da8cbf1f3a_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1272
- C:\Users\Admin\AppData\Local\Temp\f6a9c197ba3de4dfa1e694da8cbf1f3a_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f6a9c197ba3de4dfa1e694da8cbf1f3a_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\0B3A.FB4

Filesize
600B

MD5
8d2a38419239eaade20eebf4325eb12b

SHA1
2f96aba51a5a218d6a5ea787d896c63cc5cf60f0

SHA256
6547aaf8c4e8f40873d54a700d6a0401dbec7577546b6cac10362b6ada7c29f8

SHA512
fa70c0c37a0d61637f85e963060d3e1275149650f82fd69d80c1af5640dd3a5239916bbd808dbe7df0ab238c2ed164a886ec94dfdb016fff67574183e276d98e

Download Submit
C:\Users\Admin\AppData\Roaming\0B3A.FB4

Filesize
1KB

MD5
7d975039d42302e445dbbfcf8875272e

SHA1
91dfa03adc3f16d38bd3c9270512ed176086591d

SHA256
0f703a06193925459835c30941f6fcf394fcab213e091b7317b7edd7c5da848c

SHA512
9a57e6120543eba4c6528cb7ca10399e857c973d87a59e8dea33eb5d5b154bdc721191f01f4fab8a1f832ba288a85e0e26a1da648b58ee8590ffe7ca7ccdf18e

Download Submit
C:\Users\Admin\AppData\Roaming\0B3A.FB4

Filesize
996B

MD5
cdb70baea3b95c6ac87637e774f2c3a0

SHA1
4210b57bf14aa7e030260db200213d3d3a9c24d2

SHA256
945df856b6d2c3e4eb3cfa4832142a69387d22c0c490aace86ca2f1901ae8395

SHA512
25a2f11d985d48edd6d29c06ee9fb1cee58aefb8efe4cfdc446439313414483165f32bd5e06b062780308621ab6a088b36d35f6ae47654c47e6af0b36a4f1295

Download Submit
memory/1272-5-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1272-6-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1272-7-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1968-15-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1968-1-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1968-2-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/1968-197-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2468-86-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2468-87-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2468-88-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing