cycbot | 19e2bae08d547849782f25e89992c03c39d8d0b0e2c310a5ea741b410c2a1120

General

Target

JaffaCakes118_73b5f3d1d62035df6a6ce6e019fde726.exe
Size

184KB
MD5

73b5f3d1d62035df6a6ce6e019fde726
SHA1

d6650d61877e51cb5e3fd080960a17e068c578e0
SHA256

19e2bae08d547849782f25e89992c03c39d8d0b0e2c310a5ea741b410c2a1120
SHA512

671839cbcf892b0aa19c6a2eab6576b2372ab0cc20650aba86ad857ff0f8054fceffa9891abdfbd0313a23f77cc7f00ce3a18f0a803981b4a0a1d5ab21c93c94
SSDEEP

3072:GdP0a1jUBuWgxNtvfKlUiUZtR7x0nWZnEHBGPNqKzdjkinashk/QQfRJ149G8rY4:YYNgBt16nWZn6uNqmdvk/JRJW9tY4

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2748-13-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot
behavioral1/memory/2772-14-0x0000000000400000-0x0000000000451000-memory.dmp	family_cycbot
behavioral1/memory/2772-15-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot
behavioral1/memory/2888-82-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot
behavioral1/memory/2772-161-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2772-2-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2748-11-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2748-13-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2772-14-0x0000000000400000-0x0000000000451000-memory.dmp	upx
behavioral1/memory/2772-15-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2888-82-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2772-161-0x0000000000400000-0x0000000000454000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_73b5f3d1d62035df6a6ce6e019fde726.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_73b5f3d1d62035df6a6ce6e019fde726.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_73b5f3d1d62035df6a6ce6e019fde726.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 2748	2772	JaffaCakes118_73b5f3d1d62035df6a6ce6e019fde726.exe	30
PID 2772 wrote to memory of 2748	2772	JaffaCakes118_73b5f3d1d62035df6a6ce6e019fde726.exe	30
PID 2772 wrote to memory of 2748	2772	JaffaCakes118_73b5f3d1d62035df6a6ce6e019fde726.exe	30
PID 2772 wrote to memory of 2748	2772	JaffaCakes118_73b5f3d1d62035df6a6ce6e019fde726.exe	30
PID 2772 wrote to memory of 2888	2772	JaffaCakes118_73b5f3d1d62035df6a6ce6e019fde726.exe	32
PID 2772 wrote to memory of 2888	2772	JaffaCakes118_73b5f3d1d62035df6a6ce6e019fde726.exe	32
PID 2772 wrote to memory of 2888	2772	JaffaCakes118_73b5f3d1d62035df6a6ce6e019fde726.exe	32
PID 2772 wrote to memory of 2888	2772	JaffaCakes118_73b5f3d1d62035df6a6ce6e019fde726.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73b5f3d1d62035df6a6ce6e019fde726.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73b5f3d1d62035df6a6ce6e019fde726.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73b5f3d1d62035df6a6ce6e019fde726.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73b5f3d1d62035df6a6ce6e019fde726.exe startC:\Program Files (x86)\LP\9FD9\CF5.exe%C:\Program Files (x86)\LP\9FD9
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2748
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73b5f3d1d62035df6a6ce6e019fde726.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_73b5f3d1d62035df6a6ce6e019fde726.exe startC:\Users\Admin\AppData\Roaming\92DDA\2169F.exe%C:\Users\Admin\AppData\Roaming\92DDA
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\92DDA\A026.2DD

Filesize
1KB

MD5
189c05d737a81279b8010b167d0cdaef

SHA1
5cccb58fb6ee8b2e132932673d5d4b2bd4204122

SHA256
958ec314cab30446244193242522bf68fc0ffafceb01a74970d727f23c8f0edf

SHA512
e11a456ca7539d82004a7b3e2adebc201b3b6bcd062c4b67b7cb3b8dffec93124c0f926d877d37a757021fdad29ca00eade77b48bec03b22b24f4dbdc645b5e4

Download Submit
C:\Users\Admin\AppData\Roaming\92DDA\A026.2DD

Filesize
600B

MD5
3242e689718ea611b7ee447963d0ae6f

SHA1
3cc2e74dd706c70eae7e755357ee94adf2d8d3ef

SHA256
8c187c619dc49108a0222ba419aeab99f275712d9fe8ad1a9dd0e42892a067d1

SHA512
c887c1851ef913fdb06d5461debbd3afbf25d6a65e97cabec32e1642441c3eee966f67db8e2043e9faf81dec03d30b85afb8e9c9991df7971e3e769a462360c0

Download Submit
C:\Users\Admin\AppData\Roaming\92DDA\A026.2DD

Filesize
996B

MD5
9b320ef6a8a7c3e1fb3bee7fda750c30

SHA1
13c6d81c7d6f97dfb7c04a6d5a5ff7924f70058c

SHA256
3b360484dda81473a0e10cd89f7e37107a00717240566cb42f1f012d099df94a

SHA512
3ca7190112702bcf0ce0affc6667a650e75da910d3e59dda73f8b24d557472f759f2b5480d1457282ff19d17b9ba3e55cd24af0ed735e5200f29134945cad113

Download Submit
memory/2748-11-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2748-13-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2772-1-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2772-2-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2772-14-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2772-15-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2772-161-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2888-82-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2888-80-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing