cycbot | b52a1df437c8536c3b7c0d78a5555c8311427693b8a1d3347aabdf50bb936810

General

Target

fe48f107cdaecb514a86ad6badde2007_JaffaCakes118.exe
Size

177KB
MD5

fe48f107cdaecb514a86ad6badde2007
SHA1

102a27278a8e20fd50d41870661bfca406f97e69
SHA256

b52a1df437c8536c3b7c0d78a5555c8311427693b8a1d3347aabdf50bb936810
SHA512

06b8df7cce0fc0edf10c6077575100ad18ced6640de9a2e4e14104c1583c67611ae2040bbebea46d9f9b8e4689acb51231ecab8bb4211d944152e47962bf9dcf
SSDEEP

3072:ZxL0ksG5gARjRaVo2Xm6IXIJAONZJPt6EL9nKqXuJr5ZeMgeGAKNxPm7l:xs0RYVo2QXIbJPtbgJVZeMgeGAK7m7l

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2296-8-0x0000000000400000-0x0000000000463000-memory.dmp	family_cycbot
behavioral1/memory/2052-15-0x0000000000400000-0x0000000000463000-memory.dmp	family_cycbot
behavioral1/memory/2244-81-0x0000000000400000-0x0000000000463000-memory.dmp	family_cycbot
behavioral1/memory/2052-167-0x0000000000400000-0x0000000000463000-memory.dmp	family_cycbot
behavioral1/memory/2052-208-0x0000000000400000-0x0000000000463000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2052-2-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2296-6-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2296-8-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2052-15-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2244-79-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2244-81-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2052-167-0x0000000000400000-0x0000000000463000-memory.dmp	upx
behavioral1/memory/2052-208-0x0000000000400000-0x0000000000463000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe48f107cdaecb514a86ad6badde2007_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe48f107cdaecb514a86ad6badde2007_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe48f107cdaecb514a86ad6badde2007_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 2296	2052	fe48f107cdaecb514a86ad6badde2007_JaffaCakes118.exe	28
PID 2052 wrote to memory of 2296	2052	fe48f107cdaecb514a86ad6badde2007_JaffaCakes118.exe	28
PID 2052 wrote to memory of 2296	2052	fe48f107cdaecb514a86ad6badde2007_JaffaCakes118.exe	28
PID 2052 wrote to memory of 2296	2052	fe48f107cdaecb514a86ad6badde2007_JaffaCakes118.exe	28
PID 2052 wrote to memory of 2244	2052	fe48f107cdaecb514a86ad6badde2007_JaffaCakes118.exe	30
PID 2052 wrote to memory of 2244	2052	fe48f107cdaecb514a86ad6badde2007_JaffaCakes118.exe	30
PID 2052 wrote to memory of 2244	2052	fe48f107cdaecb514a86ad6badde2007_JaffaCakes118.exe	30
PID 2052 wrote to memory of 2244	2052	fe48f107cdaecb514a86ad6badde2007_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\fe48f107cdaecb514a86ad6badde2007_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fe48f107cdaecb514a86ad6badde2007_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Users\Admin\AppData\Local\Temp\fe48f107cdaecb514a86ad6badde2007_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fe48f107cdaecb514a86ad6badde2007_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\Microsoft\conhost.exe%C:\Users\Admin\AppData\Roaming\Microsoft
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2296
- C:\Users\Admin\AppData\Local\Temp\fe48f107cdaecb514a86ad6badde2007_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fe48f107cdaecb514a86ad6badde2007_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\BD9D.2CF

Filesize
1KB

MD5
77f17d38f37606966e23d77cdfdece9b

SHA1
76384fb0acbc76209282f4646e00812ba04c43f5

SHA256
989329c858487af707b7cc1f7da36a63e4cd5cb6156cad45595cc17c13830da6

SHA512
3e88982b2364594abc3381bae763aa7ffa0ab509fe527e919080d609451de560a0ec2d5c45b31d15089ae6c2dd0295f50aaee467c4cf4b124165391a336aa96d

Download Submit
C:\Users\Admin\AppData\Roaming\BD9D.2CF

Filesize
600B

MD5
f0948ac22d1300ed7e785da119c57e10

SHA1
3b67329e32a185ada691d38dc0567936b898e573

SHA256
f161052e725be7d4590618f2b362a6479d3000e58973af8d98911c6fe4feeae3

SHA512
e7456d1a927ca71658a1e8f41e4060eb2cf95c0a33d9be06ff88dcc5fb7e3dd088112419d5ab245d3cc6565c0cf14986ca39ed8fbdff371ac055b0399df8c8b7

Download Submit
C:\Users\Admin\AppData\Roaming\BD9D.2CF

Filesize
996B

MD5
e1f3096050877cb7167b82f27dc389b4

SHA1
1e36acd164e8e22a2301d74de1308b0163cae346

SHA256
20f3bfeabbfb4d1ecd352d72cec62cf01ba0030e6ec2a5784e68fb1126fc96da

SHA512
70b3623341b779c57379f5a9755f079ec83cb9a04c57600aa60f6bb02ec034784475b38f90347add5173aa2406359514c66791f15a8171890f13895d72907e78

Download Submit
memory/2052-15-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2052-1-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2052-2-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2052-167-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2052-208-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2244-79-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2244-81-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2296-6-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2296-8-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2296-5-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download

Analysis

Sharing