cycbot | 1213557ca68812da445c3e1d7caeb68c1219bb7cfaa31db9e6e80c1380592fbe

General

Target

JaffaCakes118_3e3fdd5c9eba65c58d45acf822b16b87.exe
Size

179KB
MD5

3e3fdd5c9eba65c58d45acf822b16b87
SHA1

616a4735529406aa7e47c17799ec2b84ec6bc23c
SHA256

1213557ca68812da445c3e1d7caeb68c1219bb7cfaa31db9e6e80c1380592fbe
SHA512

4613abbf1865dbf71eeb4359d23cca0883e5c6dcfcabf6b97356d53753ded64b6abd71530ed156b7f4c8ca26f8b83ef0da2da3ff19b5ca6997a8723616166761
SSDEEP

3072:JFVYMk5EvtCgERIsquXZ1iy7LiJQ+gIod7q1SJJmfVDfmcqvXqRu8a3:U+VeWE7r+gIohqQJg4cqPWM

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2500-19-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/2260-20-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/2260-21-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral1/memory/352-123-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/2260-294-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2260-3-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2500-18-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2500-19-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2260-20-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2260-21-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/352-123-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2260-294-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3e3fdd5c9eba65c58d45acf822b16b87.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 2500	2260	JaffaCakes118_3e3fdd5c9eba65c58d45acf822b16b87.exe	30
PID 2260 wrote to memory of 2500	2260	JaffaCakes118_3e3fdd5c9eba65c58d45acf822b16b87.exe	30
PID 2260 wrote to memory of 2500	2260	JaffaCakes118_3e3fdd5c9eba65c58d45acf822b16b87.exe	30
PID 2260 wrote to memory of 2500	2260	JaffaCakes118_3e3fdd5c9eba65c58d45acf822b16b87.exe	30
PID 2260 wrote to memory of 352	2260	JaffaCakes118_3e3fdd5c9eba65c58d45acf822b16b87.exe	33
PID 2260 wrote to memory of 352	2260	JaffaCakes118_3e3fdd5c9eba65c58d45acf822b16b87.exe	33
PID 2260 wrote to memory of 352	2260	JaffaCakes118_3e3fdd5c9eba65c58d45acf822b16b87.exe	33
PID 2260 wrote to memory of 352	2260	JaffaCakes118_3e3fdd5c9eba65c58d45acf822b16b87.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3e3fdd5c9eba65c58d45acf822b16b87.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3e3fdd5c9eba65c58d45acf822b16b87.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3e3fdd5c9eba65c58d45acf822b16b87.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3e3fdd5c9eba65c58d45acf822b16b87.exe startC:\Program Files (x86)\LP\3278\D5E.exe%C:\Program Files (x86)\LP\3278
  2⤵
  PID:2500
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3e3fdd5c9eba65c58d45acf822b16b87.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3e3fdd5c9eba65c58d45acf822b16b87.exe startC:\Users\Admin\AppData\Roaming\8441E\49232.exe%C:\Users\Admin\AppData\Roaming\8441E
  2⤵
  PID:352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\8441E\ED4F.441

Filesize
597B

MD5
374700dbda37bf385d24f31322d7358f

SHA1
224370372ae334fa684561e467a469c00c0e5e61

SHA256
f3bb16dcb9188b78208f02b24b9472a9664071d9b42c6a63dfe4c369a438307f

SHA512
7feb7f2c52840f615abbc7de153e2bce6b78329c41bbc2fb6fa92ae84f07d3c5fb3f9d15dd16d54adc083365eb9d9b0d4ff6a47a81a94992ed89e9d8703b7b57

Download Submit
C:\Users\Admin\AppData\Roaming\8441E\ED4F.441

Filesize
1KB

MD5
497c85a8b6f41b94ee7f7b16b782a493

SHA1
d73641eccac0949914cf8a158b2a9cff42cd1407

SHA256
1c7a24d6d349d510fef58a8d65797a4b31a14459d38d12543fb3e4c6d189d8a5

SHA512
d9abe3ce374a558fca5a7a58b8aa349b0c81642281987c3f39b43f76715cf7612f49c25841fe1a119193ecdc444569007c8d80140ddee26b4f1344d55e7f2963

Download Submit
C:\Users\Admin\AppData\Roaming\8441E\ED4F.441

Filesize
897B

MD5
537c7b46183ef6db99585bdd1c0b0cdf

SHA1
fe327b735a58841799521f5205c8ba00a4703d03

SHA256
280a50400009f952681063f2dc61204dfce6a9915b6ae43332e9e124d2370d10

SHA512
a02a6c1b6d2bf56bed3701ae2e4c0ab540b2fd7653da7c0e3bcdac9df9639404e8ff884bf493c7a52f7fe66967c7854deedc66e6dec605f8fbf8bf67e0cb04c0

Download Submit
C:\Users\Admin\AppData\Roaming\8441E\ED4F.441

Filesize
1KB

MD5
66bd2a20f7194f4c0071cc268e08404f

SHA1
922558417309fe5421b4ea05a3545748f3fa9715

SHA256
79f7b63aa25b175ff0377e628d2626648c75688bffdab1927837e6c58891ae35

SHA512
639bd8c1f41d516becdebbabb478a48c44fb2e54994c8b9913e0162982882a069c9c0a6b9181b6114c86d2f423599ed1b26a7e993ca72b6dcd22eddd073d6052

Download Submit
memory/352-123-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2260-20-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2260-21-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2260-0-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2260-3-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2260-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2260-294-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2500-19-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2500-18-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing