cycbot | 554b6d86320bcde0116a2295ea88d08204a8954bde3a309292c1899ac089be89

General

Target

fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
Size

186KB
MD5

fd67bacae904767f1a03549b40df8c2b
SHA1

19f9aee4123950ce0479248eebfb664dee965880
SHA256

554b6d86320bcde0116a2295ea88d08204a8954bde3a309292c1899ac089be89
SHA512

02bbb8b80023cb1442896e76121741419035d5c8ddecf8268dc8d1edf5271c0e9f3b22a4cb5dfdf5aae670e74018c948b62255faa37e766ee01a55f15dc7d35a
SSDEEP

3072:AHoD8YbYxBB7n+mD1//Csd/xcVzwllyVE2PdkPEPiLrz3NOJ99fNF9nC4Oien8pm:2Dxj6Y1nCkysRIuPEUOf9ZnUqICS

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2616-13-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/2756-14-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/2160-79-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/2756-151-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/2756-188-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2756-2-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2616-12-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2616-13-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2756-14-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2160-79-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2160-77-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2756-151-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2756-188-0x0000000000400000-0x000000000044E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2616	2756	fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe	30
PID 2756 wrote to memory of 2616	2756	fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe	30
PID 2756 wrote to memory of 2616	2756	fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe	30
PID 2756 wrote to memory of 2616	2756	fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe	30
PID 2756 wrote to memory of 2160	2756	fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe	32
PID 2756 wrote to memory of 2160	2756	fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe	32
PID 2756 wrote to memory of 2160	2756	fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe	32
PID 2756 wrote to memory of 2160	2756	fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Users\Admin\AppData\Local\Temp\fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2616
- C:\Users\Admin\AppData\Local\Temp\fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fd67bacae904767f1a03549b40df8c2b_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\A1D5.902

Filesize
1KB

MD5
1724eac0f357d168b3d4a0c9f009a6b2

SHA1
b360af81343395995671a9613b38e01c9e7530bb

SHA256
101de1f701d49131a60a2f6abaf4285bd90a283ca6951025ae7c97867288ee21

SHA512
a46862e51200a36f0caec516e388f95640c50143e9f24364444ef4a38b02da581d655c75807d75efd4a47e190a700a6252fe1907024905e943a6b626e2cae5c6

Download Submit
C:\Users\Admin\AppData\Roaming\A1D5.902

Filesize
600B

MD5
a94444cc9a5f0167775c357de3ca901c

SHA1
60c6ce8718c63ec95bd36715bc045191723877ae

SHA256
93dd15748168be9c2a28a8af26bf15a7bd16a87342c5f97e94cbc063f075d2f7

SHA512
44cf44925e533d265bebd7b1a7b996cf6155d0a58ea943a1771b918801b03c6fe74946df6c7a5ee696b7650d768e65651043c5b12bc7996158059e451a40408b

Download Submit
C:\Users\Admin\AppData\Roaming\A1D5.902

Filesize
996B

MD5
2397d777eab64ffbf8454f2aa887d60c

SHA1
7b1887dc8b1383487fc661562f209c082e2124ca

SHA256
f66997d75fe9804c5ff33159025169c27de1f33a2c4091ff45947c21e11969c0

SHA512
0aa8af5f7a34561cec9689c33a53778bda1742cb2224d868950a10f655407943fd06e946e9a2d8fb1a71e5d794d95cfe910699d1482bd8bcf95a91f56e34d30c

Download Submit
memory/2160-79-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2160-77-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2616-12-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2616-13-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2756-1-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2756-2-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2756-14-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2756-151-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2756-188-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing