cycbot | b018df0d0bee77ecb61b919b4c3d4509f38834c83ee019eb5032f2b08398f46e

General

Target

fd73f3f8e30c505587d64695a63dab4e_JaffaCakes118.exe
Size

209KB
MD5

fd73f3f8e30c505587d64695a63dab4e
SHA1

7bcdade370e613aba1c932003f989d191f65d04a
SHA256

b018df0d0bee77ecb61b919b4c3d4509f38834c83ee019eb5032f2b08398f46e
SHA512

785ab609a4416ca4eaa386ccfd161561ecf8f1864a30130b6757f7560cf74708dc235019a434aabeaf33092bf977dbe1683acaab6f52c1c154e5dd0dfac8e5ed
SSDEEP

3072:wf1uE1rB5hoRWVuqQYabE0TMCI2QPnDw4GzvwDmfCkipFmL+BsIWmnqiSTNlSVyY:ww+lvAvoE5IZnE4cuJCGtnai2XwF7

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1192-7-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/316-15-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/1844-82-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/316-192-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/316-2-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/1192-5-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/1192-7-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/316-15-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/1844-80-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/1844-82-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/316-192-0x0000000000400000-0x000000000044E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd73f3f8e30c505587d64695a63dab4e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd73f3f8e30c505587d64695a63dab4e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd73f3f8e30c505587d64695a63dab4e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 316 wrote to memory of 1192	316	fd73f3f8e30c505587d64695a63dab4e_JaffaCakes118.exe	30
PID 316 wrote to memory of 1192	316	fd73f3f8e30c505587d64695a63dab4e_JaffaCakes118.exe	30
PID 316 wrote to memory of 1192	316	fd73f3f8e30c505587d64695a63dab4e_JaffaCakes118.exe	30
PID 316 wrote to memory of 1192	316	fd73f3f8e30c505587d64695a63dab4e_JaffaCakes118.exe	30
PID 316 wrote to memory of 1844	316	fd73f3f8e30c505587d64695a63dab4e_JaffaCakes118.exe	32
PID 316 wrote to memory of 1844	316	fd73f3f8e30c505587d64695a63dab4e_JaffaCakes118.exe	32
PID 316 wrote to memory of 1844	316	fd73f3f8e30c505587d64695a63dab4e_JaffaCakes118.exe	32
PID 316 wrote to memory of 1844	316	fd73f3f8e30c505587d64695a63dab4e_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\fd73f3f8e30c505587d64695a63dab4e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd73f3f8e30c505587d64695a63dab4e_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:316
- C:\Users\Admin\AppData\Local\Temp\fd73f3f8e30c505587d64695a63dab4e_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fd73f3f8e30c505587d64695a63dab4e_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1192
- C:\Users\Admin\AppData\Local\Temp\fd73f3f8e30c505587d64695a63dab4e_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fd73f3f8e30c505587d64695a63dab4e_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\3821.FD4

Filesize
1KB

MD5
56d3da6af35e1df2bd982ed42770239b

SHA1
0b42d1b6d552edddd387e6cc5603e75a7048ebac

SHA256
49c774c136d5d9aaf76b1c03e568c3bc3fb37505cac07d1587867b6dbb621887

SHA512
c43898b3036ad087e1267a86ed1f5d57bdc486d7b18aa48b2b26cca7aeb70881f708f579d5901355f2806527eb6cee8c968aeae3e4d887bf85c368f86ce089d9

Download Submit
C:\Users\Admin\AppData\Roaming\3821.FD4

Filesize
600B

MD5
ec86a38a2848576b875c8d2bab8f4a4f

SHA1
0483f84903a500291feac2a576fa06e97523423d

SHA256
08c6f0d72ff1b3d456ab94f22866a5fecc41fae11218214def4224aa3ba30003

SHA512
64dec0d144989fcfec07ad9f28297ba6a6dfa228c8ad834f9e1098b643480e85fd874db6960809d51b70256f128434ca3fba6f49bba19deddc88ca86e569647d

Download Submit
C:\Users\Admin\AppData\Roaming\3821.FD4

Filesize
996B

MD5
f9099f1aaeac3f98fd39a6f8b4068436

SHA1
635e8e85d7dae182ffb03c9e623cf2584f40ae5a

SHA256
07cde6926fed744f05cdf6bfa803c66fcecc361be03d7d7c847c953661c77a08

SHA512
5d47c3b0883ed4558d81ef09e389414b68a956c009d06bf93c98348861e61a0a610ddd6e3a2e9d3c1ff0ac980f18af2e3e217902d0d0ee2ab5fc41c166d25dd9

Download Submit
memory/316-1-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/316-2-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/316-15-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/316-192-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1192-5-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1192-7-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1844-80-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1844-82-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing