cycbot | 4d742321425e275185847a05e052e7a163615d2b2d25eaf5e418133a6c4fe715

General

Target

fe394925e5b4175238a536bc3a4ba7c1_JaffaCakes118.exe
Size

184KB
MD5

fe394925e5b4175238a536bc3a4ba7c1
SHA1

e3fb230fc1e5ba65ac4b2fc7b238b2dd7af17929
SHA256

4d742321425e275185847a05e052e7a163615d2b2d25eaf5e418133a6c4fe715
SHA512

8cd5f4fcadd85a1ee7e0d56a57cc321f6290302a508319f20afd1351b445eceb52db2a5118827640c9a9f7ca3fb7718d26e966140ec608688b201de919684bd9
SSDEEP

3072:RgNUlyQrT2GI2o0tUvJKj4QajGarN6ggjZ5LAqRWBxz0W3IYsxFs:2sCGNzmvk4nHrNngjZ5Re3IvxFs

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2780-13-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/2188-14-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/2188-15-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral1/memory/620-76-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/2188-169-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2188-2-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2780-12-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2780-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2188-14-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2188-15-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/620-76-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2188-169-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe394925e5b4175238a536bc3a4ba7c1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe394925e5b4175238a536bc3a4ba7c1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe394925e5b4175238a536bc3a4ba7c1_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2780	2188	fe394925e5b4175238a536bc3a4ba7c1_JaffaCakes118.exe	30
PID 2188 wrote to memory of 2780	2188	fe394925e5b4175238a536bc3a4ba7c1_JaffaCakes118.exe	30
PID 2188 wrote to memory of 2780	2188	fe394925e5b4175238a536bc3a4ba7c1_JaffaCakes118.exe	30
PID 2188 wrote to memory of 2780	2188	fe394925e5b4175238a536bc3a4ba7c1_JaffaCakes118.exe	30
PID 2188 wrote to memory of 620	2188	fe394925e5b4175238a536bc3a4ba7c1_JaffaCakes118.exe	32
PID 2188 wrote to memory of 620	2188	fe394925e5b4175238a536bc3a4ba7c1_JaffaCakes118.exe	32
PID 2188 wrote to memory of 620	2188	fe394925e5b4175238a536bc3a4ba7c1_JaffaCakes118.exe	32
PID 2188 wrote to memory of 620	2188	fe394925e5b4175238a536bc3a4ba7c1_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\fe394925e5b4175238a536bc3a4ba7c1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fe394925e5b4175238a536bc3a4ba7c1_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Local\Temp\fe394925e5b4175238a536bc3a4ba7c1_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fe394925e5b4175238a536bc3a4ba7c1_JaffaCakes118.exe startC:\Program Files (x86)\LP\4678\9FB.exe%C:\Program Files (x86)\LP\4678
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2780
- C:\Users\Admin\AppData\Local\Temp\fe394925e5b4175238a536bc3a4ba7c1_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\fe394925e5b4175238a536bc3a4ba7c1_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\88154\4FA46.exe%C:\Users\Admin\AppData\Roaming\88154
  2⤵
  - System Location Discovery: System Language Discovery
  PID:620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\88154\41C5.815

Filesize
1KB

MD5
a4ea5666517f1e2dbe86f5a1d5239c7d

SHA1
7cc2ea0cd6c8b3de517120605e7ef16d545699b4

SHA256
f58010d4cc21bf4746ed2fa1a79bc9d76628d68d82a0bc93eb68eb68348fbb73

SHA512
de6a772dd1db53c7d2adcb46662fb17cceda58289ae72e10eca49d12aa516fe58b10037935c280eee22ae4f1f5ef7ef030f79e654153d03024fa1d1dedaea8e4

Download Submit
C:\Users\Admin\AppData\Roaming\88154\41C5.815

Filesize
600B

MD5
0f6208a9a4ded63e0a1009936218dc47

SHA1
d3eb5e41525474d62f2dbcb5aae5dc081acb9b1b

SHA256
3d1cee1532e4f5003e0e483b404a985269e874b89c113345b5762afe7c2deddd

SHA512
fe11c81f61180038ad3f1c484793acc9015e5f0fabfbdd9afdde51d29e64b338cddad5b9adc220a2340ceb69ebf7ae96d502b660d96cdda5b0911d0e4be142fd

Download Submit
C:\Users\Admin\AppData\Roaming\88154\41C5.815

Filesize
996B

MD5
fe8e9e31749e0ca270858478a011aec1

SHA1
3b08e1b658c3c6e56cdee6b2505cb31dc5bdc89f

SHA256
280ac1af88aa84811d547f9191622b422c8bbc597f8b014196466b8a4306be90

SHA512
a9faf8c2ec8cc37b6eeecb3846cf6ad289ade2235c329f884fbabd60d1958fb8c5ebc9eee678bdeda22cd94857c1a3107819f864a295f26bb61981f68d673484

Download Submit
memory/620-76-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2188-1-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2188-2-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2188-14-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2188-15-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2188-169-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2780-11-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2780-12-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2780-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Resubmissions

Analysis

Sharing