cycbot | 28a38218bffc67455d0b132d26ef751b7d239be9093ccf1f527fa5e8a3d2a01f

General

Target

JaffaCakes118_02253b4f65f49dcf9cece0f2ce858ff8.exe
Size

180KB
MD5

02253b4f65f49dcf9cece0f2ce858ff8
SHA1

f899e34d98fddeaa05b31dcf881a75a17c4cfe53
SHA256

28a38218bffc67455d0b132d26ef751b7d239be9093ccf1f527fa5e8a3d2a01f
SHA512

15b5a32fc0d2191ceb2e26813b2b1e06d44ab3554648c7afd138633998f375f17bdeb57331462a11b27e0fd0bc1d14dab179aedb5965270ca363203bb7a315cf
SSDEEP

3072:Z1oALN8ojjJZqEqw9Ia4OffcxCFk9Mmf4S98iygDZe6BxA9ZR9nU2iqPchllzF3E:ZdN8ojSEqwimkCFkS0198EVeqxAnULyN

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2668-15-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/2808-16-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/2808-17-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral1/memory/2496-131-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/2808-282-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2808-3-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2668-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2668-15-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2808-16-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2808-17-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2496-131-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2808-282-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_02253b4f65f49dcf9cece0f2ce858ff8.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 2668	2808	JaffaCakes118_02253b4f65f49dcf9cece0f2ce858ff8.exe	30
PID 2808 wrote to memory of 2668	2808	JaffaCakes118_02253b4f65f49dcf9cece0f2ce858ff8.exe	30
PID 2808 wrote to memory of 2668	2808	JaffaCakes118_02253b4f65f49dcf9cece0f2ce858ff8.exe	30
PID 2808 wrote to memory of 2668	2808	JaffaCakes118_02253b4f65f49dcf9cece0f2ce858ff8.exe	30
PID 2808 wrote to memory of 2496	2808	JaffaCakes118_02253b4f65f49dcf9cece0f2ce858ff8.exe	32
PID 2808 wrote to memory of 2496	2808	JaffaCakes118_02253b4f65f49dcf9cece0f2ce858ff8.exe	32
PID 2808 wrote to memory of 2496	2808	JaffaCakes118_02253b4f65f49dcf9cece0f2ce858ff8.exe	32
PID 2808 wrote to memory of 2496	2808	JaffaCakes118_02253b4f65f49dcf9cece0f2ce858ff8.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_02253b4f65f49dcf9cece0f2ce858ff8.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_02253b4f65f49dcf9cece0f2ce858ff8.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_02253b4f65f49dcf9cece0f2ce858ff8.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_02253b4f65f49dcf9cece0f2ce858ff8.exe startC:\Program Files (x86)\LP\2E80\6C6.exe%C:\Program Files (x86)\LP\2E80
  2⤵
  PID:2668
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_02253b4f65f49dcf9cece0f2ce858ff8.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_02253b4f65f49dcf9cece0f2ce858ff8.exe startC:\Users\Admin\AppData\Roaming\0B8B4\EC12E.exe%C:\Users\Admin\AppData\Roaming\0B8B4
  2⤵
  PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\0B8B4\47C0.B8B

Filesize
300B

MD5
813d82fa617e3bfba83841d336604c24

SHA1
5a40b58b934695fee772c581cbf1ee2251d3a3a3

SHA256
19d8aad0cb84c466d76f37c9e32e153666a0dd7c2d319c5aab7c29e96cdcf426

SHA512
226bd2751607a39322ef86b2723c772c03bbf83d07de14d14594c5618d540ed4b4cb5fcd984ba8ed2c00efd0af48f5c71d46f3e214a106e22c090ebb4125c590

Download Submit
C:\Users\Admin\AppData\Roaming\0B8B4\47C0.B8B

Filesize
996B

MD5
dcefe89efe8991f76c5fe37cb71082c0

SHA1
4c8ebd26610d5838918418f6cbfe4026dc492a54

SHA256
dcd6b98341ae5bd48baf3060a51847f583c28a97e5b9de7fb42a71729ffc9e42

SHA512
1e95f251c6c31d481d3824b7d4e2a01bad5089bd0bfdf605eb03698a9c08bf742bf88d0d7f365d53afee0eca134ad0b0f421e49648e4b128a7502d3df06b3e8e

Download Submit
C:\Users\Admin\AppData\Roaming\0B8B4\47C0.B8B

Filesize
600B

MD5
b1a29ab5c4bf080834d65bdb45037886

SHA1
6483cfdc98c3e3641bbab332debc626e51ff8502

SHA256
3dc6e370bf5665189ff01b65c59eeb0f92fea663776ac125aa49ba478a10b718

SHA512
606781f475ee4ac200d0447bdff575634057d2a99828a3bee3902553c67d8df5a76d887bda7e16cd750e2cdbbbba388bd5dc0cb2078ccc94f064b82d70adec27

Download Submit
C:\Users\Admin\AppData\Roaming\0B8B4\47C0.B8B

Filesize
1KB

MD5
b03a5234a5e02dba8a8b3a3324701ce8

SHA1
aa8240bdd015af37cb9ba6cd266b92d44ba3d814

SHA256
e179feceb62cb6e92348f15eeac088d5d10402ebbddc4e00ed11f90ad5a3234d

SHA512
44e13853641d302c910c9902ea04aabfc2cf1fd5bfe5684632b6b2a2d90ecb4e96170c772a49fcbd9f282a4364d00ee4ec98922fc415c3ac4f8b3def47bae9d7

Download Submit
memory/2496-131-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2668-15-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2668-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2808-16-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2808-17-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2808-0-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2808-3-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2808-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2808-282-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing