cycbot | 23a764b9c69ce83aacf6ce92f8c878481f0acf02f324a5a01938cce172c994f5

General

Target

JaffaCakes118_14c30127e0acc9fa6ea8a45eec151781.exe
Size

188KB
MD5

14c30127e0acc9fa6ea8a45eec151781
SHA1

e45578c2f2337d81897550bd50d6952db6492dab
SHA256

23a764b9c69ce83aacf6ce92f8c878481f0acf02f324a5a01938cce172c994f5
SHA512

9ba77047c0a5b4d486f9d3cc34c3b7148c60412c59c2fb852dd231cd90149143df2f91b853054f8f90e26c16f37ef571bc94fcd40a5bc60710f162c813f5f25b
SSDEEP

3072:bjNiyF5DyhIFYd9rmM4n1XvudI1V+6rdj7xE3GSo3ln+xRf2RKoUY6u//Y7KoO:XNikFyCFYdUM3dIBr5i2Sa5KQAt

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2320-14-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/2084-15-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/2084-16-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral1/memory/2824-135-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/2084-302-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2084-2-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2320-12-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2320-14-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2084-15-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2084-16-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2824-133-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2824-135-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2084-302-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_14c30127e0acc9fa6ea8a45eec151781.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2320	2084	JaffaCakes118_14c30127e0acc9fa6ea8a45eec151781.exe	31
PID 2084 wrote to memory of 2320	2084	JaffaCakes118_14c30127e0acc9fa6ea8a45eec151781.exe	31
PID 2084 wrote to memory of 2320	2084	JaffaCakes118_14c30127e0acc9fa6ea8a45eec151781.exe	31
PID 2084 wrote to memory of 2320	2084	JaffaCakes118_14c30127e0acc9fa6ea8a45eec151781.exe	31
PID 2084 wrote to memory of 2824	2084	JaffaCakes118_14c30127e0acc9fa6ea8a45eec151781.exe	33
PID 2084 wrote to memory of 2824	2084	JaffaCakes118_14c30127e0acc9fa6ea8a45eec151781.exe	33
PID 2084 wrote to memory of 2824	2084	JaffaCakes118_14c30127e0acc9fa6ea8a45eec151781.exe	33
PID 2084 wrote to memory of 2824	2084	JaffaCakes118_14c30127e0acc9fa6ea8a45eec151781.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_14c30127e0acc9fa6ea8a45eec151781.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_14c30127e0acc9fa6ea8a45eec151781.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_14c30127e0acc9fa6ea8a45eec151781.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_14c30127e0acc9fa6ea8a45eec151781.exe startC:\Program Files (x86)\LP\DCBA\BDB.exe%C:\Program Files (x86)\LP\DCBA
  2⤵
  PID:2320
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_14c30127e0acc9fa6ea8a45eec151781.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_14c30127e0acc9fa6ea8a45eec151781.exe startC:\Users\Admin\AppData\Roaming\AAED7\1F0DC.exe%C:\Users\Admin\AppData\Roaming\AAED7
  2⤵
  PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AAED7\7FD0.AED

Filesize
996B

MD5
cadcfa0e36c341728b71d49257b8f438

SHA1
2592f42db11a8113a1b3f03cd8c1fd8942b1a0b2

SHA256
a2f914b2f4b4fa5ea027e31d5eadd72ebcca89c3c85d2a2007dbf1096ed12af4

SHA512
40c1bc8d928977067365a8667abda276a36b33d7880bbbac6436eb66b585b16b9b2abfb9027de302f41a630f270bab45d20b118712bb27f28ea8787c94e8fdf3

Download Submit
C:\Users\Admin\AppData\Roaming\AAED7\7FD0.AED

Filesize
600B

MD5
4b0e25967619578023363510bc071358

SHA1
682835617006dc2e963d5959cbe3f30b426ce2eb

SHA256
91641ba01a3e40df9b69efd5ffcab4f992f71eaf3d1546556cfe22c530866aa8

SHA512
a8e5730430884c7e7e84734d56c6750102d771d4e1f488aece163f7a475b72ac57ab753a272fbdeedf17c1e09b75545f84a66251b9684ad78d85c8402384d400

Download Submit
C:\Users\Admin\AppData\Roaming\AAED7\7FD0.AED

Filesize
1KB

MD5
7552257fa33ce642d4facabbca57d8b0

SHA1
f3b0b93b5c92d457236056bed748d1e0f13b70b7

SHA256
7d79883cc966281376bd7438c1d29b09d81ffa4596dfcd266d85221dbb814dcd

SHA512
739a1a4980958536dace564c25009cfffde498c35b324c203557689406b937f3d7c3c26955c1917c0a447babe87a35977afc32d23358358b75a43bd6e9d0929b

Download Submit
memory/2084-2-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2084-302-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2084-1-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2084-15-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2084-16-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2320-12-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2320-14-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2320-11-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2824-135-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2824-133-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing