cycbot | c662ecf0275787570795de5e741538c660a0af5bb5d13879efeb653f515d6506

General

Target

JaffaCakes118_622592b5f7166013ac8a63f08c1a3d80.exe
Size

180KB
MD5

622592b5f7166013ac8a63f08c1a3d80
SHA1

41b14f90de662652c373a2516346d487e61a37c9
SHA256

c662ecf0275787570795de5e741538c660a0af5bb5d13879efeb653f515d6506
SHA512

42ef02e77183b448992f34fa7f1bed604166bb659cc85c54ba41b92db34fab45ef2e69197b86ed6ec478e65b65364cf9ef03f341424aebb4ae4d7d8cb83814df
SSDEEP

3072:oAuBp9xL+nU5XgZLFrDaRC9vLwg0+ONtjUGPpnsSeRHdBiw2FAUwJA834dJmY/k2:o79xLjRC6R2vEg05jLRvuDGANAddJm8V

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2160-15-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/2780-16-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral1/memory/2780-17-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/600-131-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/2780-306-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2780-3-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2160-14-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2160-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2160-15-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2780-16-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2780-17-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/600-131-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2780-306-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_622592b5f7166013ac8a63f08c1a3d80.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_622592b5f7166013ac8a63f08c1a3d80.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_622592b5f7166013ac8a63f08c1a3d80.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 2160	2780	JaffaCakes118_622592b5f7166013ac8a63f08c1a3d80.exe	30
PID 2780 wrote to memory of 2160	2780	JaffaCakes118_622592b5f7166013ac8a63f08c1a3d80.exe	30
PID 2780 wrote to memory of 2160	2780	JaffaCakes118_622592b5f7166013ac8a63f08c1a3d80.exe	30
PID 2780 wrote to memory of 2160	2780	JaffaCakes118_622592b5f7166013ac8a63f08c1a3d80.exe	30
PID 2780 wrote to memory of 600	2780	JaffaCakes118_622592b5f7166013ac8a63f08c1a3d80.exe	32
PID 2780 wrote to memory of 600	2780	JaffaCakes118_622592b5f7166013ac8a63f08c1a3d80.exe	32
PID 2780 wrote to memory of 600	2780	JaffaCakes118_622592b5f7166013ac8a63f08c1a3d80.exe	32
PID 2780 wrote to memory of 600	2780	JaffaCakes118_622592b5f7166013ac8a63f08c1a3d80.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_622592b5f7166013ac8a63f08c1a3d80.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_622592b5f7166013ac8a63f08c1a3d80.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_622592b5f7166013ac8a63f08c1a3d80.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_622592b5f7166013ac8a63f08c1a3d80.exe startC:\Program Files (x86)\LP\CD4E\153.exe%C:\Program Files (x86)\LP\CD4E
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2160
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_622592b5f7166013ac8a63f08c1a3d80.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_622592b5f7166013ac8a63f08c1a3d80.exe startC:\Users\Admin\AppData\Roaming\E9213\EDECD.exe%C:\Users\Admin\AppData\Roaming\E9213
  2⤵
  - System Location Discovery: System Language Discovery
  PID:600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\E9213\376C.921

Filesize
600B

MD5
e91ced87c8766e19f27c7f221c4fc64f

SHA1
3ddf1d354b8a049cd532ffbe824e7203269f6358

SHA256
3eea6c6847430e06590c52ed119cabc0d190ffed61ce54e52077eab744db3051

SHA512
1a1af7b3a8f93ac8dd040f228562e61b3596f95a4a155e2ba6ea7446e1f18b22d33ee95da04601913feb9d18b378f4818eae6c1ee686c1ec6a02b917e2664536

Download Submit
C:\Users\Admin\AppData\Roaming\E9213\376C.921

Filesize
996B

MD5
a7795d2b32440cc78ee19a9d1a589031

SHA1
ac7104138e28ae03062740eac159b434804f18ef

SHA256
9d1d0304cb2ee3a793466723082008d4b83e9b148168a2d406b57dc6346c5e6c

SHA512
d7e03a9b6102aa7b2ed730d967da74581ee0f72328d52ba40ce71f4cf6250e21ebeb332b519f9f9091d30af1b5cb9504d5325c1c7e31a919c34b05ac503a2a8e

Download Submit
C:\Users\Admin\AppData\Roaming\E9213\376C.921

Filesize
1KB

MD5
1e897b1f7b0a3aacc8feb72466cb9c40

SHA1
fbd4ae3bfdae3ea2e7e7bf740b08af5f8aed77c0

SHA256
66473efc44bf781fd2b55b37fe8fcaaefae80b7e6dab9829a8f83c667dc5d66c

SHA512
b7b587b5026257abdf0b103e5d0a2ed559f563251d2feeacff0609aae1bd637e777be7098cbc94aa186543d38d11cd26054a40810955690c01c7e3aad83b67c6

Download Submit
memory/600-131-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2160-14-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2160-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2160-15-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2780-16-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2780-17-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2780-0-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2780-3-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2780-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2780-306-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing