cycbot | 899d4bd59decc342a84f91db4333a8e171792b6e6ef09dc03952187d965c76aa

General

Target

d642c4afd66e73bd3301b521e1868320_JaffaCakes118.exe
Size

185KB
MD5

d642c4afd66e73bd3301b521e1868320
SHA1

49db0f732abd4d60dea25d373d0dc5c1db7cd39d
SHA256

899d4bd59decc342a84f91db4333a8e171792b6e6ef09dc03952187d965c76aa
SHA512

0f18a92bc18f8266ff500a9e9cf76b4b4a504ca01ad036cb5ba7681d9d6fab749c695c007acb90a7fcc384b11193e8ebd623c22164170cc449c3ae6faf490e78
SSDEEP

3072:Q3y9TNgua+mBuaH7l5nmOD6st4S5xAOoujmDX8JXAOeHcdOUO9Xtq0tw4c:moN0+m8OllD6JqxeujU8JXGcwt1tXwb

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2100-14-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/2536-15-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/2536-16-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral1/memory/1184-133-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/2536-312-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2536-2-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2100-12-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2100-14-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2536-15-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2536-16-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/1184-133-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2536-312-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d642c4afd66e73bd3301b521e1868320_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d642c4afd66e73bd3301b521e1868320_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d642c4afd66e73bd3301b521e1868320_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 2100	2536	d642c4afd66e73bd3301b521e1868320_JaffaCakes118.exe	31
PID 2536 wrote to memory of 2100	2536	d642c4afd66e73bd3301b521e1868320_JaffaCakes118.exe	31
PID 2536 wrote to memory of 2100	2536	d642c4afd66e73bd3301b521e1868320_JaffaCakes118.exe	31
PID 2536 wrote to memory of 2100	2536	d642c4afd66e73bd3301b521e1868320_JaffaCakes118.exe	31
PID 2536 wrote to memory of 1184	2536	d642c4afd66e73bd3301b521e1868320_JaffaCakes118.exe	33
PID 2536 wrote to memory of 1184	2536	d642c4afd66e73bd3301b521e1868320_JaffaCakes118.exe	33
PID 2536 wrote to memory of 1184	2536	d642c4afd66e73bd3301b521e1868320_JaffaCakes118.exe	33
PID 2536 wrote to memory of 1184	2536	d642c4afd66e73bd3301b521e1868320_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\d642c4afd66e73bd3301b521e1868320_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d642c4afd66e73bd3301b521e1868320_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Users\Admin\AppData\Local\Temp\d642c4afd66e73bd3301b521e1868320_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d642c4afd66e73bd3301b521e1868320_JaffaCakes118.exe startC:\Program Files (x86)\LP\6F90\72F.exe%C:\Program Files (x86)\LP\6F90
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2100
- C:\Users\Admin\AppData\Local\Temp\d642c4afd66e73bd3301b521e1868320_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d642c4afd66e73bd3301b521e1868320_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\0E00D\C766F.exe%C:\Users\Admin\AppData\Roaming\0E00D
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\0E00D\D199.E00

Filesize
996B

MD5
119732e82bfe4ef73467488305f66a2f

SHA1
4ac202e67cd4e70872342243c9df04d87276c952

SHA256
b8bebc9ded3112dffc6b3b318d05b5c67c5abb96286c12b689d0c2d1d880d126

SHA512
2e5bc597cef8dc80c3d83ff2560b88f01c8b5b39724018a6dc9ca482ba5eb215d48993ee8952269fd7cbe0931c03477a17907c37161980687676c9b3e54b2d78

Download Submit
C:\Users\Admin\AppData\Roaming\0E00D\D199.E00

Filesize
600B

MD5
4d35d3827e44ee8881021917cccaf9eb

SHA1
24fbddeb3f256daf7c6343770ef2bb04cf209c89

SHA256
9414e6637b39b3746c7a62c431365b2da91bae4c961bc46a030f7beff0acd6ac

SHA512
4ce8f4096d703054512289589c09dc29285b9e0ca51136fb8c7b1b4ba0e8d1d717e4ecddec724595610d5fb5a125091c875269a2fc75fd32af5a0156d332745a

Download Submit
C:\Users\Admin\AppData\Roaming\0E00D\D199.E00

Filesize
1KB

MD5
81fc67a59006312cd7f1ed56eaa71b3a

SHA1
7ec4b35f6bb0616616c0783f6f6deaa8017533cc

SHA256
8b0dd0509dbf6ca14603be494d77e7dd14e618f0aa0f1aa2f4a0b21f80eec312

SHA512
f6707c717b31b3178d29d0db7ba52c074747ad56aaf699f3b7fa0e18992e89a07ba7abdf4effedf5a235ca6de1c4c696de457414128ebf71182ab3fc8330d48a

Download Submit
memory/1184-133-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2100-12-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2100-11-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2100-14-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2536-1-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2536-2-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2536-15-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2536-16-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2536-312-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing