cycbot | 8bf262dfef65d1d917608969c942062fbb0bcfa65c28c773c2dcdee479c33a82

General

Target

fd0f495e2591d50d33149ef4521cf42c_JaffaCakes118.exe
Size

183KB
MD5

fd0f495e2591d50d33149ef4521cf42c
SHA1

4c48efc91268be9226b42be113e3870e603f59a7
SHA256

8bf262dfef65d1d917608969c942062fbb0bcfa65c28c773c2dcdee479c33a82
SHA512

735b5449640451a0c8ee0a2dac914c43b4fc4c7bc72a9033f75a9e0d39b5f445b102a8569d59b15b9fae58429e0e173d4cb8dd2255c54901c35ff8f9b71c1d35
SSDEEP

3072:BzIIfglntYsALBO6tBONx+LMG/kh8rhg1rUyaYVk8r68i/kRylgEe2O0:uIUHAM+BsrKFwrVLOf/NQ

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2560-13-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/2228-14-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/2228-15-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral1/memory/2300-76-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/2228-177-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2228-2-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2560-12-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2560-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2228-14-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2228-15-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2300-76-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2228-177-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd0f495e2591d50d33149ef4521cf42c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd0f495e2591d50d33149ef4521cf42c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd0f495e2591d50d33149ef4521cf42c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 2560	2228	fd0f495e2591d50d33149ef4521cf42c_JaffaCakes118.exe	29
PID 2228 wrote to memory of 2560	2228	fd0f495e2591d50d33149ef4521cf42c_JaffaCakes118.exe	29
PID 2228 wrote to memory of 2560	2228	fd0f495e2591d50d33149ef4521cf42c_JaffaCakes118.exe	29
PID 2228 wrote to memory of 2560	2228	fd0f495e2591d50d33149ef4521cf42c_JaffaCakes118.exe	29
PID 2228 wrote to memory of 2300	2228	fd0f495e2591d50d33149ef4521cf42c_JaffaCakes118.exe	31
PID 2228 wrote to memory of 2300	2228	fd0f495e2591d50d33149ef4521cf42c_JaffaCakes118.exe	31
PID 2228 wrote to memory of 2300	2228	fd0f495e2591d50d33149ef4521cf42c_JaffaCakes118.exe	31
PID 2228 wrote to memory of 2300	2228	fd0f495e2591d50d33149ef4521cf42c_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\fd0f495e2591d50d33149ef4521cf42c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd0f495e2591d50d33149ef4521cf42c_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Users\Admin\AppData\Local\Temp\fd0f495e2591d50d33149ef4521cf42c_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fd0f495e2591d50d33149ef4521cf42c_JaffaCakes118.exe startC:\Program Files (x86)\LP\24F9\9F7.exe%C:\Program Files (x86)\LP\24F9
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2560
- C:\Users\Admin\AppData\Local\Temp\fd0f495e2591d50d33149ef4521cf42c_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fd0f495e2591d50d33149ef4521cf42c_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\9EE44\93024.exe%C:\Users\Admin\AppData\Roaming\9EE44
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\9EE44\4176.EE4

Filesize
1KB

MD5
7cf5324a4dace3d8331b3e726066a1d2

SHA1
8d4de4dbd61934a6b535c619913b43bf1431fe35

SHA256
ad6fba6eac0aef48a178fc1848ddaf04e48e1313c37d15208f8411a178430157

SHA512
033c533786c7d646d1b7ae60d0f4317e187590f968af1378ceae2d84fddf38298c85eed5ff4bcfda71888431a1c76bea4c63321520bfa7ee45e0c4c94ca4c6c3

Download Submit
C:\Users\Admin\AppData\Roaming\9EE44\4176.EE4

Filesize
600B

MD5
d4e598edf390815df33c598dbe9999e0

SHA1
91b546a21977f24a55898a2edb88286f5ecf5d13

SHA256
90c3121d60bde3b6c246c5e9cc24f59f442b93e546e77f1b8b23ddcd961d0890

SHA512
a4a3037b2fe172636c8c8114f90996117546ad61d359fd73df0684d5f259428677406beb59035804939800df71879a78ec51b3f4981a3f18c212a12a9002f700

Download Submit
C:\Users\Admin\AppData\Roaming\9EE44\4176.EE4

Filesize
996B

MD5
bfad30a5bd15e69019fc365aee133942

SHA1
3be44072e0d7dfac743ccde4538fc64434338e39

SHA256
f23b5f034befe92595696aa97b16fd8d49fde5f2d27eccac653e1608d17fe889

SHA512
bd99fa44013cf622163ad298c863b109ff6246568d8416e7530fedf09949c0a62ce4e9ca33a141e3060caf1eec9d658403927fc6c00a85dd9a6aeb1c99c92652

Download Submit
memory/2228-1-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2228-2-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2228-14-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2228-15-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2228-177-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2300-76-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2560-12-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2560-11-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2560-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing