cycbot | 081b1d2bf111ffb73c006898c0d780ebf94fd0f588b6682141a2e8d008eb2436

General

Target

d745c96c93f748979cbb107c83b14b47_JaffaCakes118.exe
Size

188KB
MD5

d745c96c93f748979cbb107c83b14b47
SHA1

43600e493360d35ca36a37f25aaaa0300b800e39
SHA256

081b1d2bf111ffb73c006898c0d780ebf94fd0f588b6682141a2e8d008eb2436
SHA512

7044785b3c8331c9a5fa2d6ae80a8dec765b56d9bbb54c32103c135f779935d73b20ecd57d62a1f98ec257144cdecf551de9c0735a11f15989653b24fe406ac6
SSDEEP

3072:NCDtmPfvI6ZSnltQiOWChJE5megaGuTKhFKsbiQjoiDedMd/0AwX6Jgb1IP8M6L9:NPPI6ZSlwWE1zaNTK6sbiQjoXUMAwKJM

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2908-12-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/2124-13-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/2124-14-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral1/memory/2016-129-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/2124-280-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2124-2-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2908-12-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2124-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2124-14-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2016-127-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2016-129-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2124-280-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d745c96c93f748979cbb107c83b14b47_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d745c96c93f748979cbb107c83b14b47_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d745c96c93f748979cbb107c83b14b47_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 2908	2124	d745c96c93f748979cbb107c83b14b47_JaffaCakes118.exe	30
PID 2124 wrote to memory of 2908	2124	d745c96c93f748979cbb107c83b14b47_JaffaCakes118.exe	30
PID 2124 wrote to memory of 2908	2124	d745c96c93f748979cbb107c83b14b47_JaffaCakes118.exe	30
PID 2124 wrote to memory of 2908	2124	d745c96c93f748979cbb107c83b14b47_JaffaCakes118.exe	30
PID 2124 wrote to memory of 2016	2124	d745c96c93f748979cbb107c83b14b47_JaffaCakes118.exe	32
PID 2124 wrote to memory of 2016	2124	d745c96c93f748979cbb107c83b14b47_JaffaCakes118.exe	32
PID 2124 wrote to memory of 2016	2124	d745c96c93f748979cbb107c83b14b47_JaffaCakes118.exe	32
PID 2124 wrote to memory of 2016	2124	d745c96c93f748979cbb107c83b14b47_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\d745c96c93f748979cbb107c83b14b47_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d745c96c93f748979cbb107c83b14b47_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Users\Admin\AppData\Local\Temp\d745c96c93f748979cbb107c83b14b47_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d745c96c93f748979cbb107c83b14b47_JaffaCakes118.exe startC:\Program Files (x86)\LP\3B18\013.exe%C:\Program Files (x86)\LP\3B18
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2908
- C:\Users\Admin\AppData\Local\Temp\d745c96c93f748979cbb107c83b14b47_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d745c96c93f748979cbb107c83b14b47_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\8C06B\F8E3B.exe%C:\Users\Admin\AppData\Roaming\8C06B
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\8C06B\B466.C06

Filesize
996B

MD5
bb181b503840fa28a9f7f0a324c6ed10

SHA1
a2faef42426c61c9f6a7d34bdd4a287909699cac

SHA256
78395c367bcc836c44982ca1d1aa9dd2270abc4066d5e360ec94ead624e0874f

SHA512
a156117dac9a0e012dbd4dc875aea5c9177ac96c2a48410a82e58195a45e48b234b4dcde679cc87200286e42568c1510051e25f887476275aa87b0021926335a

Download Submit
C:\Users\Admin\AppData\Roaming\8C06B\B466.C06

Filesize
600B

MD5
c58701397fbb7f43ac1bb87b715bb0bb

SHA1
c8b1ae3395e8cf8a1abf03a8a88786dc6fc0f151

SHA256
bf6aabbf2eb1ebee79006b8de6bab884a01101010e68f655d1cefb1480805a70

SHA512
ae83f65b084bbc3fda1a4022449d11fb28e9d8e3a2955581403501bc1981a9c68a46119397ae09fae175372517465bfa637a031ef50de86be6ad69f0fd2499e1

Download Submit
C:\Users\Admin\AppData\Roaming\8C06B\B466.C06

Filesize
1KB

MD5
889bee5a6ecce041a3bddccc02c98c78

SHA1
60e4c05833230b9a658c625884b809e619935c42

SHA256
e2243f22e9635c0f77c5fe4edf5fc953bd8a354a671ff30c4364493b381fc6b7

SHA512
4185ead73166d1e2d14e7fc7d455c7b87da7b6dd455bdf3b2fd6f5811f343344e5ddc03ff11643b559b8297a2044c162b5f0933499a1cd63031b60ce17e9b22e

Download Submit
memory/2016-127-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2016-129-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2124-1-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2124-2-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2124-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2124-14-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2124-280-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2908-11-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2908-12-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing