cycbot | e5ec9e31eff8ef289be0cbfcfa1236b8171e3af0b499aa7dccfaafeba495081e

General

Target

f9005a7c8f6b23a0a71db6c04ac802ba_JaffaCakes118.exe
Size

183KB
MD5

f9005a7c8f6b23a0a71db6c04ac802ba
SHA1

69ac29589fca268667cd7fe04911940b64cbdc09
SHA256

e5ec9e31eff8ef289be0cbfcfa1236b8171e3af0b499aa7dccfaafeba495081e
SHA512

b22b4f8ae0562982fbd4e1ec174b6b4b69286e3674be60dcc42e0864d567c000250ebc7eda9ff7099b8167fafef74cd5daf26cb1116d69e31d8f19437a40cfc7
SSDEEP

3072:hU3gSdw4uxaBUzRra5OYcD/hXmdpcW2NoOJXEmTQsIBrh8CVZpKn:hU/dw4uxOUNaxcDZXmfcWeoiXxQ7yCV6

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/3044-13-0x0000000000400000-0x000000000044F000-memory.dmp	family_cycbot
behavioral1/memory/2272-14-0x0000000000400000-0x000000000044F000-memory.dmp	family_cycbot
behavioral1/memory/556-79-0x0000000000400000-0x000000000044F000-memory.dmp	family_cycbot
behavioral1/memory/2272-186-0x0000000000400000-0x000000000044F000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2272-2-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/3044-12-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/3044-13-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2272-14-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/556-79-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/556-78-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/2272-186-0x0000000000400000-0x000000000044F000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f9005a7c8f6b23a0a71db6c04ac802ba_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f9005a7c8f6b23a0a71db6c04ac802ba_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f9005a7c8f6b23a0a71db6c04ac802ba_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 3044	2272	f9005a7c8f6b23a0a71db6c04ac802ba_JaffaCakes118.exe	28
PID 2272 wrote to memory of 3044	2272	f9005a7c8f6b23a0a71db6c04ac802ba_JaffaCakes118.exe	28
PID 2272 wrote to memory of 3044	2272	f9005a7c8f6b23a0a71db6c04ac802ba_JaffaCakes118.exe	28
PID 2272 wrote to memory of 3044	2272	f9005a7c8f6b23a0a71db6c04ac802ba_JaffaCakes118.exe	28
PID 2272 wrote to memory of 556	2272	f9005a7c8f6b23a0a71db6c04ac802ba_JaffaCakes118.exe	30
PID 2272 wrote to memory of 556	2272	f9005a7c8f6b23a0a71db6c04ac802ba_JaffaCakes118.exe	30
PID 2272 wrote to memory of 556	2272	f9005a7c8f6b23a0a71db6c04ac802ba_JaffaCakes118.exe	30
PID 2272 wrote to memory of 556	2272	f9005a7c8f6b23a0a71db6c04ac802ba_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\f9005a7c8f6b23a0a71db6c04ac802ba_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f9005a7c8f6b23a0a71db6c04ac802ba_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Users\Admin\AppData\Local\Temp\f9005a7c8f6b23a0a71db6c04ac802ba_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f9005a7c8f6b23a0a71db6c04ac802ba_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3044
- C:\Users\Admin\AppData\Local\Temp\f9005a7c8f6b23a0a71db6c04ac802ba_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\f9005a7c8f6b23a0a71db6c04ac802ba_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\8FBD.291

Filesize
1KB

MD5
8ba2e0457e3a611dd42cf5b815a41235

SHA1
e6990bffb71d5828d9730dacb9db7981e117c66c

SHA256
5b08f77a1b90f49c6de2580d4bed67023a216faba73433711d0d18ef5d2cd8e8

SHA512
4b9af99be76b193d120ffd0f3378d06c85f1a8a1924c0f46e49bd4cf219039e2d2dda3851a4aee1b44b5779de44d4f0aae817293d4a4e9d8bcffe01b09ce3dc5

Download Submit
C:\Users\Admin\AppData\Roaming\8FBD.291

Filesize
600B

MD5
9d8c56250ffe828502eae3175e60584d

SHA1
67e74c21db0d8ca6a54b35cee6db6e62d8cf1bd6

SHA256
3a3b2a52f390f74cdcd8d20339eb3b9297537c8d9fa72064468061517b738c0a

SHA512
8cb697b8fad431e9dde5e8a29da9e3ffd61f983caf3fed3b222a368b875bd881172be1c2a5b686441d700f0eefd66e83fb09dbeec80995acc64901e81d6eb3e3

Download Submit
memory/556-79-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/556-78-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2272-1-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2272-2-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2272-14-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2272-186-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3044-12-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3044-13-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download

Analysis

Sharing