cycbot | 7f82e7f2f03ee985f9068c54e391c4f062457ff057a85ed82a116e53930a2677

General

Target

d40e8015ce119841eb6489130eaacfdd_JaffaCakes118.exe
Size

179KB
MD5

d40e8015ce119841eb6489130eaacfdd
SHA1

2a5bcc889280df3249bf22200fc969b199e54d52
SHA256

7f82e7f2f03ee985f9068c54e391c4f062457ff057a85ed82a116e53930a2677
SHA512

5b37fabd4e810173b734f3b8d16f63b9e5300bf594e90dba864e3dcaa35b7557aa66862f96111f6e085c0a40e505b7d1d534a8592451c3f52ec427343d3b477c
SSDEEP

3072:oPUgmwFVcEjO+A+Z/y+xVXeLOvUx/NmWNQ4bqhsaobN1FrlwtcPHdIDYzEEyh9tm:Oy8jO+A+VxVXeSvU6WW4ehsLRHrlDS0r

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2168-14-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/2128-15-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/2128-16-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral1/memory/2684-102-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/2128-273-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2128-3-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2168-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2168-14-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2128-15-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2128-16-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2684-102-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2128-273-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d40e8015ce119841eb6489130eaacfdd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d40e8015ce119841eb6489130eaacfdd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d40e8015ce119841eb6489130eaacfdd_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2168	2128	d40e8015ce119841eb6489130eaacfdd_JaffaCakes118.exe	30
PID 2128 wrote to memory of 2168	2128	d40e8015ce119841eb6489130eaacfdd_JaffaCakes118.exe	30
PID 2128 wrote to memory of 2168	2128	d40e8015ce119841eb6489130eaacfdd_JaffaCakes118.exe	30
PID 2128 wrote to memory of 2168	2128	d40e8015ce119841eb6489130eaacfdd_JaffaCakes118.exe	30
PID 2128 wrote to memory of 2684	2128	d40e8015ce119841eb6489130eaacfdd_JaffaCakes118.exe	33
PID 2128 wrote to memory of 2684	2128	d40e8015ce119841eb6489130eaacfdd_JaffaCakes118.exe	33
PID 2128 wrote to memory of 2684	2128	d40e8015ce119841eb6489130eaacfdd_JaffaCakes118.exe	33
PID 2128 wrote to memory of 2684	2128	d40e8015ce119841eb6489130eaacfdd_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\d40e8015ce119841eb6489130eaacfdd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d40e8015ce119841eb6489130eaacfdd_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\d40e8015ce119841eb6489130eaacfdd_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d40e8015ce119841eb6489130eaacfdd_JaffaCakes118.exe startC:\Program Files (x86)\LP\2C0B\619.exe%C:\Program Files (x86)\LP\2C0B
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2168
- C:\Users\Admin\AppData\Local\Temp\d40e8015ce119841eb6489130eaacfdd_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d40e8015ce119841eb6489130eaacfdd_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\B12B9\6AC2C.exe%C:\Users\Admin\AppData\Roaming\B12B9
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\B12B9\9B34.12B

Filesize
996B

MD5
87ca3caf613b6fe11c5213014e3a2236

SHA1
816545e85acf5f9a7d071696e2fff960445dd067

SHA256
d74f13da46a91fbff13f15dc5c0593f0bff7335499a91a2244409809270c536a

SHA512
b8823b22d074f54c275ca5acd377488e4b18cb3b8120d690677c5bc0fc00cba3d4f5e5cb5d74af582384a0f0340d87469c542fbe09fcfabdb9bb8336f9636e84

Download Submit
C:\Users\Admin\AppData\Roaming\B12B9\9B34.12B

Filesize
600B

MD5
8ec551c4651afbd10adeed2e1ead19d0

SHA1
00262648f03dac20750e0072c5bd9d8741ac6bd9

SHA256
2d137779d9468ca9cfb64d5d3b5fd408babdda75baf8dad2e6506548ffbadeff

SHA512
1839f87b2487e1637f6d04ada371780b77789d71d1a7f7b90a36a07dbcd43cd65d7e2c313115428dd86ecc5c42f5713feb656d29c053acf0b8ed186286d71671

Download Submit
C:\Users\Admin\AppData\Roaming\B12B9\9B34.12B

Filesize
1KB

MD5
bf029466558eaa571f97dc14d0d91cee

SHA1
ecaf1efe8cc8f7541d47fe3839cdb55a971260ab

SHA256
735c73108181eacb457bba223b1cf2b0159eb345ac9416041a6fffdbe802f8b0

SHA512
da4ee73e8a8b868363b4f249793eb04a5261dade0aa26c500de8dad0a9ff1e86c3f8c084723c84511bb395e4edb7d21ac9b5c088518dafe58c86125651040ddc

Download Submit
memory/2128-0-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2128-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2128-3-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2128-15-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2128-16-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2128-273-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2168-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2168-14-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2684-102-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing