cycbot | 4e6119e5932aac7d72e61bde7a4f2dd3f0b2ad1cb3a4f7de34a7adaa83f63787

General

Target

JaffaCakes118_289c05bfe6833f103e96cc733057fd34.exe
Size

187KB
MD5

289c05bfe6833f103e96cc733057fd34
SHA1

eda3d3c71cabfc946f5335e3cd48d9fb7ff5ff8e
SHA256

4e6119e5932aac7d72e61bde7a4f2dd3f0b2ad1cb3a4f7de34a7adaa83f63787
SHA512

d36ee68e53ff89c6ce2bdfba54cf962d7f47d872fe618036904ba38c615b2b81ae3c8a8e7ad59811584331a1cbf2fb82c40b2dab4941dc777e2da37afbe01b83
SSDEEP

3072:l2vjHdaoHP8+5uzYbHmpBnAE4rVktA8RPfBETe:SjRk4uz02BnA2NR3

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 4 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2332-13-0x0000000000400000-0x0000000000453000-memory.dmp	family_cycbot
behavioral1/memory/2076-14-0x0000000000400000-0x0000000000453000-memory.dmp	family_cycbot
behavioral1/memory/2612-72-0x0000000000400000-0x0000000000453000-memory.dmp	family_cycbot
behavioral1/memory/2076-175-0x0000000000400000-0x0000000000453000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2076-2-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2332-12-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2332-13-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2076-14-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2612-71-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2612-72-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2076-175-0x0000000000400000-0x0000000000453000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_289c05bfe6833f103e96cc733057fd34.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_289c05bfe6833f103e96cc733057fd34.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_289c05bfe6833f103e96cc733057fd34.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2332	2076	JaffaCakes118_289c05bfe6833f103e96cc733057fd34.exe	30
PID 2076 wrote to memory of 2332	2076	JaffaCakes118_289c05bfe6833f103e96cc733057fd34.exe	30
PID 2076 wrote to memory of 2332	2076	JaffaCakes118_289c05bfe6833f103e96cc733057fd34.exe	30
PID 2076 wrote to memory of 2332	2076	JaffaCakes118_289c05bfe6833f103e96cc733057fd34.exe	30
PID 2076 wrote to memory of 2612	2076	JaffaCakes118_289c05bfe6833f103e96cc733057fd34.exe	32
PID 2076 wrote to memory of 2612	2076	JaffaCakes118_289c05bfe6833f103e96cc733057fd34.exe	32
PID 2076 wrote to memory of 2612	2076	JaffaCakes118_289c05bfe6833f103e96cc733057fd34.exe	32
PID 2076 wrote to memory of 2612	2076	JaffaCakes118_289c05bfe6833f103e96cc733057fd34.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_289c05bfe6833f103e96cc733057fd34.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_289c05bfe6833f103e96cc733057fd34.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_289c05bfe6833f103e96cc733057fd34.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_289c05bfe6833f103e96cc733057fd34.exe startC:\Program Files (x86)\Internet Explorer\D3A7\96C.exe%C:\Program Files (x86)\Internet Explorer\D3A7
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2332
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_289c05bfe6833f103e96cc733057fd34.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_289c05bfe6833f103e96cc733057fd34.exe startC:\Users\Admin\AppData\Roaming\7100C\34ED3.exe%C:\Users\Admin\AppData\Roaming\7100C
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\7100C\C586.100

Filesize
1KB

MD5
51dcad701b241c18d1d6e015ea532e4b

SHA1
7a0b7e69f85cf40c245fcb018c4be4959bede940

SHA256
35f386bebb9e1e14800b9f36b8df7258863e8f8c94df495f0445ddff71b55982

SHA512
9a5779a63d9489ba332b684ef408dec1cf2fbed1b10e2b1197d5b8fcfa57d6a63935606698e89cee6e1c8ccf443fa4c5cdf77ee573a84c64b64b850e5403b366

Download Submit
C:\Users\Admin\AppData\Roaming\7100C\C586.100

Filesize
600B

MD5
6cb763596022708e6f5bba50eb10724e

SHA1
0b649f5b2355ee0da7060907ace830cbb2ee58cc

SHA256
36a379663fa67035e919c57977c0ae9c2e03fc2657bd1ba1393d5450e3545938

SHA512
faa737ff1a5ce776aa6cd7734c6313ed22c1466dc083dcd103af0df0f19b701e37637de66c5591fb9ee99f019474010f08b51845e4c097072475ad5a83833e95

Download Submit
C:\Users\Admin\AppData\Roaming\7100C\C586.100

Filesize
996B

MD5
d8bdf134678813ed268ac33e92cc7c17

SHA1
5045afb5aa1dfd7150a2dfad7f97c45d70e6043e

SHA256
1dd632cfdb51a719be9fc42cdc6117a799eff03e3ae056c6049b6f4e711ae87b

SHA512
3ca67a1f3866bbe3a81f3e0ff48690b408dbee51c2ef0bec2467a31f58f77c3314279e75ab58ca79fab18f77728e012e2388d23708feb0aa2cee10c3f1148bb0

Download Submit
memory/2076-1-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2076-2-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2076-14-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2076-175-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2332-11-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2332-12-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2332-13-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2612-71-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2612-72-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing