cycbot | 4227bf45d323f23bd70c68285d659212b64e16e82ac96abb9e4272074ae97218

General

Target

f7ec5b73084c9eeba09617232a038545_JaffaCakes118.exe
Size

198KB
MD5

f7ec5b73084c9eeba09617232a038545
SHA1

24528b8ada8984d6bb83aa0e2ae6ab4b3d2ef086
SHA256

4227bf45d323f23bd70c68285d659212b64e16e82ac96abb9e4272074ae97218
SHA512

a6508bead6c3e678464fbeecdef143f9af94fd208dd94d46c41778fbba365c9ca6469c77f94c6f8a9860a91d6d4e29d3de6475302f2391531f20855ba4bb2766
SSDEEP

6144:JBAa+BClfws7YPDejInJs5HunW2k51fqJhThn:JBL+Yai5qWx51f+h

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2664-7-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2076-15-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/1384-75-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/1384-76-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot
behavioral1/memory/2076-144-0x0000000000400000-0x000000000046A000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2076-2-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2664-6-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2664-7-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2076-15-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1384-75-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/1384-76-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral1/memory/2076-144-0x0000000000400000-0x000000000046A000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7ec5b73084c9eeba09617232a038545_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7ec5b73084c9eeba09617232a038545_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7ec5b73084c9eeba09617232a038545_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2664	2076	f7ec5b73084c9eeba09617232a038545_JaffaCakes118.exe	28
PID 2076 wrote to memory of 2664	2076	f7ec5b73084c9eeba09617232a038545_JaffaCakes118.exe	28
PID 2076 wrote to memory of 2664	2076	f7ec5b73084c9eeba09617232a038545_JaffaCakes118.exe	28
PID 2076 wrote to memory of 2664	2076	f7ec5b73084c9eeba09617232a038545_JaffaCakes118.exe	28
PID 2076 wrote to memory of 1384	2076	f7ec5b73084c9eeba09617232a038545_JaffaCakes118.exe	30
PID 2076 wrote to memory of 1384	2076	f7ec5b73084c9eeba09617232a038545_JaffaCakes118.exe	30
PID 2076 wrote to memory of 1384	2076	f7ec5b73084c9eeba09617232a038545_JaffaCakes118.exe	30
PID 2076 wrote to memory of 1384	2076	f7ec5b73084c9eeba09617232a038545_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\f7ec5b73084c9eeba09617232a038545_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f7ec5b73084c9eeba09617232a038545_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Users\Admin\AppData\Local\Temp\f7ec5b73084c9eeba09617232a038545_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f7ec5b73084c9eeba09617232a038545_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2664
- C:\Users\Admin\AppData\Local\Temp\f7ec5b73084c9eeba09617232a038545_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f7ec5b73084c9eeba09617232a038545_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AF42.A01

Filesize
1KB

MD5
d38096b8c983d4e4c5c1f0d3c21a2fca

SHA1
3a803f7545a821ce652167168b9bbcf7f8b37c4c

SHA256
babd20a3ba099a5605ce4356a34635baecc5cc55adb90d4e340f168d3a9d809a

SHA512
a1ed641d7db30e7f14f652b64bab567ef1aae901c8903244822ada44a31d1ce5aa40308544f10e5c41d74f0a7eb270eefe2e8f00a9a6bc47e19934ee35012266

Download Submit
C:\Users\Admin\AppData\Roaming\AF42.A01

Filesize
600B

MD5
0d2ba7fcdbfb421771eb8b7e73f15fca

SHA1
958e5118fa21e3b31c2edbdf7a6f98fba3fe6ef2

SHA256
0beae24025ba318e9f9e387e9128b6980237edb9a60b1db4b25500f46ab60d42

SHA512
f2344c59017f86aaf3aa1de11c93341e9c138773afdb92fd9e9c96a3048deea97f3346d35ed1838a119613dc1403356631c9036dc9f0c78d15219715a1861de8

Download Submit
C:\Users\Admin\AppData\Roaming\AF42.A01

Filesize
996B

MD5
68d5a4e8eea00828979578ef1305f2f2

SHA1
ebc711c8fc00cb690fae724a8512f5a57b9c5428

SHA256
1554dbfc7facd400008e2e3bf44033d174084736dd96eaab1e9f6dd6d9419cfa

SHA512
cb67155e72d8358c94800eee250baf549f8cbe4ad52fc9b28bab622ccb3b9a35e313e3fe24bced4a37ad55c322ca489f7e58a992ec99e23ae7ba581926668a4b

Download Submit
memory/1384-75-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1384-76-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2076-1-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2076-2-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2076-15-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2076-144-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2664-6-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2664-7-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download

Analysis

Sharing