cycbot | 88d5a35bf116571216f3c7bf3ca800b004ceaffefe228f5c9b654b3fe47f46c9

General

Target

JaffaCakes118_644c8286004e07849b7e5585b09eb9b0.exe
Size

199KB
MD5

644c8286004e07849b7e5585b09eb9b0
SHA1

17a2aae20d784d4f7595dbc96fd0aa2c8305e267
SHA256

88d5a35bf116571216f3c7bf3ca800b004ceaffefe228f5c9b654b3fe47f46c9
SHA512

08781d75f045853b3645110cc9167407215fce5e36f86e052248e547582a6add9f21f01452533dd11b5a3aace42ee625078ea774fe8f180a8e9aa6e375fc8d31
SSDEEP

6144:ViSRcu5Hl4dZIgO4M5TIjrPyrwqTbJkZOKQYiMM:7cuZudmh4M5Tur6sq5P1H

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1704-14-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/1512-15-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral1/memory/1512-16-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/1084-112-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/1512-299-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1512-3-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1704-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1704-14-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1512-15-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/1512-16-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1084-110-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1084-112-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1512-299-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_644c8286004e07849b7e5585b09eb9b0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_644c8286004e07849b7e5585b09eb9b0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_644c8286004e07849b7e5585b09eb9b0.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 1704	1512	JaffaCakes118_644c8286004e07849b7e5585b09eb9b0.exe	30
PID 1512 wrote to memory of 1704	1512	JaffaCakes118_644c8286004e07849b7e5585b09eb9b0.exe	30
PID 1512 wrote to memory of 1704	1512	JaffaCakes118_644c8286004e07849b7e5585b09eb9b0.exe	30
PID 1512 wrote to memory of 1704	1512	JaffaCakes118_644c8286004e07849b7e5585b09eb9b0.exe	30
PID 1512 wrote to memory of 1084	1512	JaffaCakes118_644c8286004e07849b7e5585b09eb9b0.exe	33
PID 1512 wrote to memory of 1084	1512	JaffaCakes118_644c8286004e07849b7e5585b09eb9b0.exe	33
PID 1512 wrote to memory of 1084	1512	JaffaCakes118_644c8286004e07849b7e5585b09eb9b0.exe	33
PID 1512 wrote to memory of 1084	1512	JaffaCakes118_644c8286004e07849b7e5585b09eb9b0.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_644c8286004e07849b7e5585b09eb9b0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_644c8286004e07849b7e5585b09eb9b0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_644c8286004e07849b7e5585b09eb9b0.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_644c8286004e07849b7e5585b09eb9b0.exe startC:\Program Files (x86)\LP\8D63\054.exe%C:\Program Files (x86)\LP\8D63
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1704
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_644c8286004e07849b7e5585b09eb9b0.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_644c8286004e07849b7e5585b09eb9b0.exe startC:\Users\Admin\AppData\Roaming\3FC37\1FC8D.exe%C:\Users\Admin\AppData\Roaming\3FC37
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\3FC37\78AA.FC3

Filesize
996B

MD5
a81e523f1257cd2293b4d37a2227db1e

SHA1
07d4230cfd9b4ef4f5af8359c841487c86669f1e

SHA256
ab4184a9f660e003fe4ba286a47246e9c54d73319984e626846a878064b89c8e

SHA512
068fb4fb22b408d10b9a4174ce15b8504756a3221e54b1be5098603dc0b990a6582b7021706d844914b881034b5a0bc5ad4e2437519c2a89f2aeda2ed6c036d1

Download Submit
C:\Users\Admin\AppData\Roaming\3FC37\78AA.FC3

Filesize
600B

MD5
92045093ca04ee8554bcff927e583246

SHA1
f6bc52a443a1853d9f1f09a2f53367e73f9edb00

SHA256
72a945c50611f8c160991857543531557f68a1c041056838afe570119c6f03e8

SHA512
5d844f82fb7ea862004fdcc2b6ab027952ac52dc51a3ba0e8a0dfca43572096a9020f41e75f2775d2db0d3dd84fbe51a77e9db8b88e2edff1a99a09ad7d4772f

Download Submit
C:\Users\Admin\AppData\Roaming\3FC37\78AA.FC3

Filesize
1KB

MD5
4cc236d4d0a333a0621e78ee1363810d

SHA1
b81c853d683a849d6768a87785a44736e1d597e1

SHA256
0b4308929124b2d003f81505250472d0e32558a64b2fcdf237ddaa8712ae8431

SHA512
e79c7ba58e4e98aa1825c01a134f394c92ed247d835b96a0ff65c272a4904d1447d382ff2743841270d84331e5717248912c9ddffdf71ff80933e751e8c4ccc6

Download Submit
memory/1084-112-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1084-110-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1512-16-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1512-0-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1512-15-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1512-3-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1512-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1512-299-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1704-14-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1704-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing