cycbot | 1c42278ff4e4f0c35e3f48dc156f675f8a7f72f070d0ec4127a44fe6c7403ecc

General

Target

JaffaCakes118_02b4dfb024e961e4a4c2d42d961e501f.exe
Size

180KB
MD5

02b4dfb024e961e4a4c2d42d961e501f
SHA1

d025ec474b16dcda1fd662096d04f5e22df7f21b
SHA256

1c42278ff4e4f0c35e3f48dc156f675f8a7f72f070d0ec4127a44fe6c7403ecc
SHA512

3f1529832929540f89afcacb7f1a78d06f5d9b9f5c2a8969a6b9923e3b806b74f6e3df0b41b35a75c0bff55cf33e221ebcbb7e2de5059f622451f14180ac6fe1
SSDEEP

3072:Su8wT71PDF6T29K9yyecj/s998YhepABvcFYMJKU28N///Hubod3pgp4CzzBop2a:y4rF6T2U7eRDY6RYY0Kv8VHHsoh+mCgB

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2968-15-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/2684-16-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/2684-17-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral1/memory/2812-125-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/2684-292-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2684-3-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2968-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2968-15-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2684-16-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2684-17-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2812-123-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2812-125-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2684-292-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_02b4dfb024e961e4a4c2d42d961e501f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_02b4dfb024e961e4a4c2d42d961e501f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_02b4dfb024e961e4a4c2d42d961e501f.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 2968	2684	JaffaCakes118_02b4dfb024e961e4a4c2d42d961e501f.exe	31
PID 2684 wrote to memory of 2968	2684	JaffaCakes118_02b4dfb024e961e4a4c2d42d961e501f.exe	31
PID 2684 wrote to memory of 2968	2684	JaffaCakes118_02b4dfb024e961e4a4c2d42d961e501f.exe	31
PID 2684 wrote to memory of 2968	2684	JaffaCakes118_02b4dfb024e961e4a4c2d42d961e501f.exe	31
PID 2684 wrote to memory of 2812	2684	JaffaCakes118_02b4dfb024e961e4a4c2d42d961e501f.exe	33
PID 2684 wrote to memory of 2812	2684	JaffaCakes118_02b4dfb024e961e4a4c2d42d961e501f.exe	33
PID 2684 wrote to memory of 2812	2684	JaffaCakes118_02b4dfb024e961e4a4c2d42d961e501f.exe	33
PID 2684 wrote to memory of 2812	2684	JaffaCakes118_02b4dfb024e961e4a4c2d42d961e501f.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_02b4dfb024e961e4a4c2d42d961e501f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_02b4dfb024e961e4a4c2d42d961e501f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_02b4dfb024e961e4a4c2d42d961e501f.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_02b4dfb024e961e4a4c2d42d961e501f.exe startC:\Program Files (x86)\LP\B3EF\5C1.exe%C:\Program Files (x86)\LP\B3EF
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2968
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_02b4dfb024e961e4a4c2d42d961e501f.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_02b4dfb024e961e4a4c2d42d961e501f.exe startC:\Users\Admin\AppData\Roaming\FBDF3\85DB3.exe%C:\Users\Admin\AppData\Roaming\FBDF3
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\FBDF3\3019.BDF

Filesize
996B

MD5
dcc257e50a8c9eb856d8a28bf6878d31

SHA1
7f45e105b2017f652b652e05d5480d4de184de3c

SHA256
63b8ef3bce5eb66d2f9e9a0c2449c34ae5fb3b5e1d29ecb149b15cef3bfd8724

SHA512
d57f8113c2289b4c24c1817c736b3ce790f7803ab673cd7bb2040c6873fa8f212ab949cd2c9960d74757e0ccda3410ba5e4544e1bed9712c9242251f1f2f9113

Download Submit
C:\Users\Admin\AppData\Roaming\FBDF3\3019.BDF

Filesize
600B

MD5
ae7acbe1748fe87d402c1ba150c59a42

SHA1
1d52dcb73da6fec9a8d7d9b7608376cc82d8b76a

SHA256
fe078dac3a3de633f885e4b2932ce954deb0a68ed4a69bad3654ce4788c9f307

SHA512
3e3ef88069267973b0bc6d405c3fe9c2f2a9c726cae0aa32d254c4730094d6cd129931ca59a3bdf30b667eebebcb87d0ebd3236aeb25ddde8ee4e7e82a71c3bd

Download Submit
C:\Users\Admin\AppData\Roaming\FBDF3\3019.BDF

Filesize
1KB

MD5
b1e80cf5b99906230012547f489f9616

SHA1
b94f278730736f83781833815131ec922440fa5b

SHA256
4a2c39146cf2b66a7b6ec49ad846e6c436574849b7bba8e03818a215220e586b

SHA512
7b10831fdb1eb405deddd6c11ad8ea4892e09f277c9ca1baa1e8fc388bc48d62e74b54fd66842735a48e00de0de576d9b54a05de66e09f134bb87384cddacb4c

Download Submit
memory/2684-0-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2684-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2684-3-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2684-292-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2684-16-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2684-17-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2812-125-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2812-123-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2968-15-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2968-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing