cycbot | 6be102ea5e555ee5ca772def01180a8d52648c8a73f0b4389cdcd88974a5e756

General

Target

faa674f85eb7b8fa5f4817e573bb2a37_JaffaCakes118.exe
Size

180KB
MD5

faa674f85eb7b8fa5f4817e573bb2a37
SHA1

450c95f84b88f89c01efad5ca3ed9a8706eecd6d
SHA256

6be102ea5e555ee5ca772def01180a8d52648c8a73f0b4389cdcd88974a5e756
SHA512

7312e4fc833b4013aa5c2b0e19d0f185d2b35f5d3c7b7b318d9a5a77e38b8175c59536af93c783674587ba30cbc526f64e8aa0d1f310dcf99e41ee88c792e984
SSDEEP

3072:9KlVa/TUW+W/kn7JiCHJ/IAiTq6k6h/Q3xAV2Do2lILEICeXUewhsS7aS2:ewTwiMJ/IAiZUx22mCEPysS7af

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2740-10-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/2372-15-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/2096-86-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot
behavioral1/memory/2372-194-0x0000000000400000-0x000000000044E000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2372-2-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2740-10-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2740-9-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2372-15-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2096-84-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2096-86-0x0000000000400000-0x000000000044E000-memory.dmp	upx
behavioral1/memory/2372-194-0x0000000000400000-0x000000000044E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	faa674f85eb7b8fa5f4817e573bb2a37_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	faa674f85eb7b8fa5f4817e573bb2a37_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	faa674f85eb7b8fa5f4817e573bb2a37_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2740	2372	faa674f85eb7b8fa5f4817e573bb2a37_JaffaCakes118.exe	30
PID 2372 wrote to memory of 2740	2372	faa674f85eb7b8fa5f4817e573bb2a37_JaffaCakes118.exe	30
PID 2372 wrote to memory of 2740	2372	faa674f85eb7b8fa5f4817e573bb2a37_JaffaCakes118.exe	30
PID 2372 wrote to memory of 2740	2372	faa674f85eb7b8fa5f4817e573bb2a37_JaffaCakes118.exe	30
PID 2372 wrote to memory of 2096	2372	faa674f85eb7b8fa5f4817e573bb2a37_JaffaCakes118.exe	32
PID 2372 wrote to memory of 2096	2372	faa674f85eb7b8fa5f4817e573bb2a37_JaffaCakes118.exe	32
PID 2372 wrote to memory of 2096	2372	faa674f85eb7b8fa5f4817e573bb2a37_JaffaCakes118.exe	32
PID 2372 wrote to memory of 2096	2372	faa674f85eb7b8fa5f4817e573bb2a37_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\faa674f85eb7b8fa5f4817e573bb2a37_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\faa674f85eb7b8fa5f4817e573bb2a37_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Users\Admin\AppData\Local\Temp\faa674f85eb7b8fa5f4817e573bb2a37_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\faa674f85eb7b8fa5f4817e573bb2a37_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2740
- C:\Users\Admin\AppData\Local\Temp\faa674f85eb7b8fa5f4817e573bb2a37_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\faa674f85eb7b8fa5f4817e573bb2a37_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\B6D3.2DE

Filesize
1KB

MD5
785b57f0877a889eb38513736f044744

SHA1
edaa8e45e4c4207833b60dfc3fae3765f370f0c6

SHA256
714a4459ba59cdd36204107e535edaa0aabf5ce193d41c8e6d83f6c9a0a1778a

SHA512
5d292c64fd9638f2eb60509f19db3ac6ce3febcad772a4b0d7920f3e5a777cb652439396383d6ca9d21cfc4c8c77aaec895830bdd39cf6cbe3e6b3dbaefbf318

Download Submit
C:\Users\Admin\AppData\Roaming\B6D3.2DE

Filesize
600B

MD5
3aa01d475cc08975287ae5dc93493489

SHA1
80408951741f6fb84fff3c53dca35428d18f6cb7

SHA256
db75c4c8e98c007dfed635a0590fee4f2741b416880dd0c5217ef845cf38fb79

SHA512
f1c6037c5a5b3e02009404451e89b5f50fb531dfa90c32e5de027b14322eeee36c4ced97216193e845c468d49d0b4536cba83125cc6cc07e52871de52c1b2f5c

Download Submit
C:\Users\Admin\AppData\Roaming\B6D3.2DE

Filesize
996B

MD5
a4851ede10382a74fc94153bfee072b6

SHA1
99f36b4697d9edbfe4e44dc6ab601492d169fe44

SHA256
b3215c8c0181cc17dde16c81a3eb2f8dbc5cccb8c42f18d4e93cbbe302051f18

SHA512
75f83c3ef744e52f59bd028acc1b636444df8477824721fd88462af8bf59075658bf7f54a6efb734e0b2fd8a4aea7f791a4012f3a0e0ca38c5d9d7b1c72f1d10

Download Submit
memory/2096-84-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2096-86-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2372-1-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2372-2-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2372-15-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2372-194-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2740-10-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2740-9-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2740-8-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing