cycbot | 295db97f63e0989f1702f576242b601950c26fe0d40c21571102bd22b2cf9b3c

General

Target

JaffaCakes118_3f42737f1251688be21161e5c3257552.exe
Size

189KB
MD5

3f42737f1251688be21161e5c3257552
SHA1

4882cf826953c6aa1f3bf01119bb7a498ec662b9
SHA256

295db97f63e0989f1702f576242b601950c26fe0d40c21571102bd22b2cf9b3c
SHA512

cd453396acd576136b75d30cb027721abebf2d7721d23b92f043362490633792b4b6eb62b1082c94b388343c8f4f8c3a07f376e2c01543c2874b7c67db7cc8d2
SSDEEP

3072:ZdwTJAxGf89jWR+9j+ur6jIuSMx4GdXM+msPEErSiMjULpKFXeylX1/yKhJAKulh:gTJAxw81WAXuneGFM/sMEeH8pK5NVyKM

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1588-14-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/2156-15-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/2156-16-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral1/memory/2968-85-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/2156-184-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2156-2-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1588-12-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1588-14-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2156-15-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2156-16-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2968-85-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2156-184-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3f42737f1251688be21161e5c3257552.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3f42737f1251688be21161e5c3257552.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3f42737f1251688be21161e5c3257552.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 1588	2156	JaffaCakes118_3f42737f1251688be21161e5c3257552.exe	30
PID 2156 wrote to memory of 1588	2156	JaffaCakes118_3f42737f1251688be21161e5c3257552.exe	30
PID 2156 wrote to memory of 1588	2156	JaffaCakes118_3f42737f1251688be21161e5c3257552.exe	30
PID 2156 wrote to memory of 1588	2156	JaffaCakes118_3f42737f1251688be21161e5c3257552.exe	30
PID 2156 wrote to memory of 2968	2156	JaffaCakes118_3f42737f1251688be21161e5c3257552.exe	32
PID 2156 wrote to memory of 2968	2156	JaffaCakes118_3f42737f1251688be21161e5c3257552.exe	32
PID 2156 wrote to memory of 2968	2156	JaffaCakes118_3f42737f1251688be21161e5c3257552.exe	32
PID 2156 wrote to memory of 2968	2156	JaffaCakes118_3f42737f1251688be21161e5c3257552.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3f42737f1251688be21161e5c3257552.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3f42737f1251688be21161e5c3257552.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3f42737f1251688be21161e5c3257552.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3f42737f1251688be21161e5c3257552.exe startC:\Program Files (x86)\LP\536C\A95.exe%C:\Program Files (x86)\LP\536C
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1588
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3f42737f1251688be21161e5c3257552.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3f42737f1251688be21161e5c3257552.exe startC:\Users\Admin\AppData\Roaming\CBF24\B0E53.exe%C:\Users\Admin\AppData\Roaming\CBF24
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\CBF24\48F9.BF2

Filesize
1KB

MD5
99e8044c8e258612ef02ab9ff72b9b45

SHA1
5d9e550b033d0ecd0efa9f9f3b251a33e6ca2542

SHA256
33c2f89646012f7665bd62a735d2087826c527efcbefff40dd360aeb0d21a183

SHA512
674ddc04c34c85e8403833836c9e52f48946a168e5604a00790d5cad5406b2752933e9c8d32872c7e965d0299b0e710e7730e461400119e0f82f44422178eb67

Download Submit
C:\Users\Admin\AppData\Roaming\CBF24\48F9.BF2

Filesize
600B

MD5
547324147a21667d3ee7c0e50dd10a0a

SHA1
e5010d6850807c4489f3f85c58ecfda9303d9c15

SHA256
180a54f7a14209ee7b88457c75585aeaf29bf5829dcb66165de0fe20eeff28b8

SHA512
c86363967e94cbc9ae31a25d9c8766dde5e159ac02ac41a70e82dace754af288a03707d095b1878e1b590db682fbc11f2c2de48dc20e4ded95813ded9120a4ec

Download Submit
C:\Users\Admin\AppData\Roaming\CBF24\48F9.BF2

Filesize
996B

MD5
16ddc511c9048a44d44b32ed6b94968f

SHA1
99973345084b5abe8eb7059f7501b1c26f4da608

SHA256
3f5247482b874d0104db099fb55ddb9c448d4310956df8caa87c6024dc6d5084

SHA512
285efa74afd7deae238074d1e8f5ac22bcadbca769a306284926b6875e2c8ad4aa7f0298cffb675aa0283a45864c362dafe9f8491e5661beaf6e4d70daefac5f

Download Submit
memory/1588-11-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1588-12-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1588-14-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2156-1-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2156-2-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2156-15-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2156-16-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2156-184-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2968-85-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing