cycbot | 83c4ca883e96da4963e62ffa6a5d8a139f43999772c024dd6a42c059c668ad45

General

Target

93dc02754068a3e580cee8d058a5dbaf_JaffaCakes118.exe
Size

181KB
MD5

93dc02754068a3e580cee8d058a5dbaf
SHA1

8cfe4d654e8c80bc5662785ef26ddc5db67253c7
SHA256

83c4ca883e96da4963e62ffa6a5d8a139f43999772c024dd6a42c059c668ad45
SHA512

d98a86ebafaf7cc703c874d553367562cb1335b5521655643333b722fda21cccf7949e4b1bb682d7c3d41248db7b5fe7f17d3550715ee82facf1851afbe9914d
SSDEEP

3072:6za/stqsLtNsNMSg5q6Wv7M/5zYQogkzV5KoNzSTqi4UfhYpeYWVnS8y9vn83vwU:9/kTIX/NwR7oRV5XNz0D4khNhG9vuw

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

Processes:

resource	yara_rule
behavioral1/memory/2304-13-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/2232-14-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/2232-15-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral1/memory/2564-78-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/2232-175-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2232-2-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2304-12-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2304-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2232-14-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2232-15-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2564-76-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2564-78-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2232-175-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

93dc02754068a3e580cee8d058a5dbaf_JaffaCakes118.exe93dc02754068a3e580cee8d058a5dbaf_JaffaCakes118.exe93dc02754068a3e580cee8d058a5dbaf_JaffaCakes118.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	93dc02754068a3e580cee8d058a5dbaf_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	93dc02754068a3e580cee8d058a5dbaf_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	93dc02754068a3e580cee8d058a5dbaf_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

93dc02754068a3e580cee8d058a5dbaf_JaffaCakes118.exe

description	pid	Process	procid_target
PID 2232 wrote to memory of 2304	2232	93dc02754068a3e580cee8d058a5dbaf_JaffaCakes118.exe	31
PID 2232 wrote to memory of 2304	2232	93dc02754068a3e580cee8d058a5dbaf_JaffaCakes118.exe	31
PID 2232 wrote to memory of 2304	2232	93dc02754068a3e580cee8d058a5dbaf_JaffaCakes118.exe	31
PID 2232 wrote to memory of 2304	2232	93dc02754068a3e580cee8d058a5dbaf_JaffaCakes118.exe	31
PID 2232 wrote to memory of 2564	2232	93dc02754068a3e580cee8d058a5dbaf_JaffaCakes118.exe	33
PID 2232 wrote to memory of 2564	2232	93dc02754068a3e580cee8d058a5dbaf_JaffaCakes118.exe	33
PID 2232 wrote to memory of 2564	2232	93dc02754068a3e580cee8d058a5dbaf_JaffaCakes118.exe	33
PID 2232 wrote to memory of 2564	2232	93dc02754068a3e580cee8d058a5dbaf_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\93dc02754068a3e580cee8d058a5dbaf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\93dc02754068a3e580cee8d058a5dbaf_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Temp\93dc02754068a3e580cee8d058a5dbaf_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\93dc02754068a3e580cee8d058a5dbaf_JaffaCakes118.exe startC:\Program Files (x86)\LP\231A\933.exe%C:\Program Files (x86)\LP\231A
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2304
- C:\Users\Admin\AppData\Local\Temp\93dc02754068a3e580cee8d058a5dbaf_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\93dc02754068a3e580cee8d058a5dbaf_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\A3FCF\E4023.exe%C:\Users\Admin\AppData\Roaming\A3FCF
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\A3FCF\F376.3FC

Filesize
1KB

MD5
cae05513190ef3348cec2965655e5368

SHA1
4c9dc4a79f495bf4dc270a17b5d918264509c27f

SHA256
d11f2c506864d2fdd6a43c204c31f1b01d5dbdb13934f54b70eeda82cc74b363

SHA512
e679f2094540bafe38f0081212bf134ada54696330db52200d0612e480bb3914a6490f7e3dc545101e5cb08488207883b47ef63674ab6ff38c0daf77dfd93503

Download Submit
C:\Users\Admin\AppData\Roaming\A3FCF\F376.3FC

Filesize
600B

MD5
5ed3cd691116a27cb51890be06af2028

SHA1
5dc1f3a1cf8c721a3d69a4fef1ab586efc70ce97

SHA256
a788e1a75a5946da09291097b5eaf2352b06262c92ce092e5b76a7a34d3d3a98

SHA512
90e3725caab0606bf65308d54568fdedee92db4df35ae6ab29f84877cf0d30bb1f757ff42f218a952046c2ffc1fe32dfba1cf5229b045fe637820275f4eafde2

Download Submit
C:\Users\Admin\AppData\Roaming\A3FCF\F376.3FC

Filesize
996B

MD5
fc8e6ff62a2b96488760bbac528aec4f

SHA1
d81fca67ab0e885e4cabac84f6f1d55dd09884f8

SHA256
fac91b59c8b9360833cea8828a90222df57a576a2d5568363a505c1876fab025

SHA512
0b2bdb9bbc88c8405a8b316301d61e04ff58b430e57600a3033752db7947d681469034ee915293a91ab2f6e94ddb5777973ca0d8f40ba9213c026d9794aa6770

Download Submit
memory/2232-2-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2232-175-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2232-1-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2232-14-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2232-15-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2304-12-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2304-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2304-11-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2564-78-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2564-76-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads