cycbot | b21d50173ba7168e8d034c92dd318fcef281b9780b7f4413077166a8e68098d2

General

Target

fb5796499b1c723e3caead8b24b70cbd_JaffaCakes118.exe
Size

182KB
MD5

fb5796499b1c723e3caead8b24b70cbd
SHA1

09ac2ad13de31671ca76919cf77381081e1c6adb
SHA256

b21d50173ba7168e8d034c92dd318fcef281b9780b7f4413077166a8e68098d2
SHA512

0c91a8f707aaac735773a606569b0b5ab590c21b3404826d6c92aff47679b877a44019da73e23abf1de7be47bbe6e923e1440172d941a532d78e930626836382
SSDEEP

3072:/ZPv0fuWnVXboLY01H/UEznTnezl3UGdOdoAewWBASCTUPG9sF5csMEOvJJ:/9VCkY0J0ladxSqA2sMEI

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2396-14-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral1/memory/1304-19-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral1/memory/2844-97-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot
behavioral1/memory/1304-195-0x0000000000400000-0x000000000046B000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1304-2-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2396-14-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1304-19-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2844-98-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2844-97-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/1304-195-0x0000000000400000-0x000000000046B000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fb5796499b1c723e3caead8b24b70cbd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fb5796499b1c723e3caead8b24b70cbd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fb5796499b1c723e3caead8b24b70cbd_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 2396	1304	fb5796499b1c723e3caead8b24b70cbd_JaffaCakes118.exe	30
PID 1304 wrote to memory of 2396	1304	fb5796499b1c723e3caead8b24b70cbd_JaffaCakes118.exe	30
PID 1304 wrote to memory of 2396	1304	fb5796499b1c723e3caead8b24b70cbd_JaffaCakes118.exe	30
PID 1304 wrote to memory of 2396	1304	fb5796499b1c723e3caead8b24b70cbd_JaffaCakes118.exe	30
PID 1304 wrote to memory of 2844	1304	fb5796499b1c723e3caead8b24b70cbd_JaffaCakes118.exe	32
PID 1304 wrote to memory of 2844	1304	fb5796499b1c723e3caead8b24b70cbd_JaffaCakes118.exe	32
PID 1304 wrote to memory of 2844	1304	fb5796499b1c723e3caead8b24b70cbd_JaffaCakes118.exe	32
PID 1304 wrote to memory of 2844	1304	fb5796499b1c723e3caead8b24b70cbd_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\fb5796499b1c723e3caead8b24b70cbd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fb5796499b1c723e3caead8b24b70cbd_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Users\Admin\AppData\Local\Temp\fb5796499b1c723e3caead8b24b70cbd_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fb5796499b1c723e3caead8b24b70cbd_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2396
- C:\Users\Admin\AppData\Local\Temp\fb5796499b1c723e3caead8b24b70cbd_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fb5796499b1c723e3caead8b24b70cbd_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\2377.C1C

Filesize
597B

MD5
c38beb7b4b1aaefc5f3e053e478d8598

SHA1
62475f5985402615260413a70db609b050108d98

SHA256
b2219680882a713a9e2a42f0b44ea247a92d0b7a4f2330e8eaa32f6bb7fd3dc9

SHA512
01763bbd4d466701392287e26a57f4d9986d2208810f022884796f44751920b3ef917ff03410a7b34f2604680472580aa02161a79a1ac227fbaf8441bdaae455

Download Submit
C:\Users\Admin\AppData\Roaming\2377.C1C

Filesize
1KB

MD5
909dd7178491cdf528cc2598dc76311f

SHA1
ca73a737f1f4dcd883efae653367327d85d93cde

SHA256
0460738567da699f112eb9a82a23d6c1c5648353d6fcc6565146ad807ce5361e

SHA512
1c986bd70a75401317ef03208baeb6b75380a99ae4c9ab2e324193e9a6543838cfc2d2c5f8742bf2c8d372b3f1d1a336538569cabfc952ac067515d6315e1d74

Download Submit
C:\Users\Admin\AppData\Roaming\2377.C1C

Filesize
897B

MD5
b4bb26f523ffebc8d1cd21124b78f4c7

SHA1
b7dd20b26db014d4748ee95746948ddebad9d2c4

SHA256
158491ba1443904f04353edd70ebeb2f1e63b2f158665369ea211d51387e3de8

SHA512
3c2616f8eea9b0bdff4d8e18473502c14c4dfe63f1246afb7d42065cc02f8ab063d1cd147faf85e7115d0abbd8393b2c53e84f527fe01e2695fce8227e3c9e9c

Download Submit
C:\Users\Admin\AppData\Roaming\2377.C1C

Filesize
1KB

MD5
37aa4c494b64a73359cc27df9c7a8345

SHA1
d13ac932914ad1a9dec35c9484b11f415ca9baba

SHA256
29ce7afd7b070d31baef317afadcc40764cd59ef877ed02367d477397c347a06

SHA512
a7dca8f429dd1db3432bd87bf3792e5412134b1c0d0f111f091856d6e24374f0f9f29e490c58192b8916ea6aaec63a54f825837498ba3ca4e71691f3d03431a9

Download Submit
memory/1304-1-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1304-2-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1304-19-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1304-195-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2396-14-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2844-98-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2844-97-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2844-96-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing