cycbot | 1cac94b28c9f606fc435ef9cc5a03b9931711bbe26abb5e76a61a29f506606bb

General

Target

JaffaCakes118_70ab80e5a6464ffb9503e297e92505e1.exe
Size

178KB
MD5

70ab80e5a6464ffb9503e297e92505e1
SHA1

3a6bcdfdfecd3116170d7f0d94f0535268fcf982
SHA256

1cac94b28c9f606fc435ef9cc5a03b9931711bbe26abb5e76a61a29f506606bb
SHA512

f566caf74cd31c6ede6bbd660145311ba0db9e2283265b998579e0b6f80eff5ffdb9f0e06b3db4c66564bdab496003359c6fb31ea8789af02e6fe2bdb3ab935d
SSDEEP

3072:jl7Yqtak+8h/a3mY+2mufP/KzeN65azCFfDQhovWuRXomTsQLntHExnoCT9d4CV3:h7YqAk5h/a3mY+Z06aNzCVDQhoh7tBEj

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2536-16-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/316-17-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/316-18-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral1/memory/2896-120-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/316-299-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/316-3-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2536-14-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2536-16-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/316-17-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/316-18-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2896-120-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/316-299-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_70ab80e5a6464ffb9503e297e92505e1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_70ab80e5a6464ffb9503e297e92505e1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_70ab80e5a6464ffb9503e297e92505e1.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 316 wrote to memory of 2536	316	JaffaCakes118_70ab80e5a6464ffb9503e297e92505e1.exe	30
PID 316 wrote to memory of 2536	316	JaffaCakes118_70ab80e5a6464ffb9503e297e92505e1.exe	30
PID 316 wrote to memory of 2536	316	JaffaCakes118_70ab80e5a6464ffb9503e297e92505e1.exe	30
PID 316 wrote to memory of 2536	316	JaffaCakes118_70ab80e5a6464ffb9503e297e92505e1.exe	30
PID 316 wrote to memory of 2896	316	JaffaCakes118_70ab80e5a6464ffb9503e297e92505e1.exe	32
PID 316 wrote to memory of 2896	316	JaffaCakes118_70ab80e5a6464ffb9503e297e92505e1.exe	32
PID 316 wrote to memory of 2896	316	JaffaCakes118_70ab80e5a6464ffb9503e297e92505e1.exe	32
PID 316 wrote to memory of 2896	316	JaffaCakes118_70ab80e5a6464ffb9503e297e92505e1.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70ab80e5a6464ffb9503e297e92505e1.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70ab80e5a6464ffb9503e297e92505e1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:316
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70ab80e5a6464ffb9503e297e92505e1.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70ab80e5a6464ffb9503e297e92505e1.exe startC:\Program Files (x86)\LP\26FF\C98.exe%C:\Program Files (x86)\LP\26FF
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2536
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70ab80e5a6464ffb9503e297e92505e1.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70ab80e5a6464ffb9503e297e92505e1.exe startC:\Users\Admin\AppData\Roaming\F57B4\DC526.exe%C:\Users\Admin\AppData\Roaming\F57B4
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\F57B4\4E08.57B

Filesize
996B

MD5
7026768b3542b551976574b4156f6c76

SHA1
8bf58b00f236173fd55f40ad702d7b50751bc0c3

SHA256
f3784bfb4c9f696a9a32a2edf05fae6ea4de65ec34365ad971fa12019e7d8ce8

SHA512
2b85b95ec65eea3481a4f94b999ac1c5e3d0af03b8667494fb198218da1946d970b1691a950896368b20803d2529fcef397c2e11ff1809e832583089d676dbd9

Download Submit
C:\Users\Admin\AppData\Roaming\F57B4\4E08.57B

Filesize
600B

MD5
3546d45024f17f51a9b13dbe096ca858

SHA1
20fb9dcba27856c884828637404ac2fc3fb3610a

SHA256
6178b81e4ad82c75bfda8b7af19757c6604944455135a6c0389d645149bebc8f

SHA512
1e855f3600d7916f6877a1381a9e2ff12ab5bd040cebf83cff9045496756148d353f3614d9594b6ff2b3251513a8a52728209d8219f2e3a3d8402f893b8c6a81

Download Submit
C:\Users\Admin\AppData\Roaming\F57B4\4E08.57B

Filesize
1KB

MD5
530bdfb860ed40ee1dbc39e4140705b5

SHA1
110c7d87200338c33c091eab261a95214333e4d9

SHA256
043aeb8e43477bdeaf01a1e1bc694d04db40152319b4c23f6a738913d5e2d7af

SHA512
86698985e1bf595a777c99cff9f05882439c071b2e57eb62f8f727ce0c7b302212efecb503fcb119989042f58479da41bb9dc295cec159b3064423113ff05566

Download Submit
memory/316-0-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/316-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/316-3-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/316-17-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/316-18-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/316-299-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2536-14-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2536-16-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2896-120-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing