cycbot | 4ce4836b18ee9955d77c1ffb5bf95b744a517888e9cdca9c8333611d68d51ce1

General

Target

JaffaCakes118_7911b3c2b5597bade8af33b64cbead69.exe
Size

186KB
MD5

7911b3c2b5597bade8af33b64cbead69
SHA1

ba3b3b48152c7387481d637d76535b1490f97185
SHA256

4ce4836b18ee9955d77c1ffb5bf95b744a517888e9cdca9c8333611d68d51ce1
SHA512

391e0216a05ab95fad3adf936accc8770a2238bfa5363f7f178ec0a55063aa93e5eb2460f5cab2399d8c11e98cd07d3397c79d5912846f2341052ec37468501a
SSDEEP

3072:Jz+yYdb/Rs7U5MKTK3jNpp83Jh31+sJcmPmGXxE6E2pfbS1oB0VZhW:pWts7/KTkjNpwJp1vmGXxg2hwoB0

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2508-8-0x0000000000400000-0x0000000000453000-memory.dmp	family_cycbot
behavioral1/memory/2508-9-0x0000000000400000-0x0000000000453000-memory.dmp	family_cycbot
behavioral1/memory/264-14-0x0000000000400000-0x0000000000453000-memory.dmp	family_cycbot
behavioral1/memory/2932-76-0x0000000000400000-0x0000000000453000-memory.dmp	family_cycbot
behavioral1/memory/264-175-0x0000000000400000-0x0000000000453000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/264-2-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2508-8-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2508-9-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/264-14-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2508-15-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2932-74-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/2932-76-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/264-175-0x0000000000400000-0x0000000000453000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7911b3c2b5597bade8af33b64cbead69.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7911b3c2b5597bade8af33b64cbead69.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7911b3c2b5597bade8af33b64cbead69.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 264 wrote to memory of 2508	264	JaffaCakes118_7911b3c2b5597bade8af33b64cbead69.exe	31
PID 264 wrote to memory of 2508	264	JaffaCakes118_7911b3c2b5597bade8af33b64cbead69.exe	31
PID 264 wrote to memory of 2508	264	JaffaCakes118_7911b3c2b5597bade8af33b64cbead69.exe	31
PID 264 wrote to memory of 2508	264	JaffaCakes118_7911b3c2b5597bade8af33b64cbead69.exe	31
PID 264 wrote to memory of 2932	264	JaffaCakes118_7911b3c2b5597bade8af33b64cbead69.exe	33
PID 264 wrote to memory of 2932	264	JaffaCakes118_7911b3c2b5597bade8af33b64cbead69.exe	33
PID 264 wrote to memory of 2932	264	JaffaCakes118_7911b3c2b5597bade8af33b64cbead69.exe	33
PID 264 wrote to memory of 2932	264	JaffaCakes118_7911b3c2b5597bade8af33b64cbead69.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7911b3c2b5597bade8af33b64cbead69.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7911b3c2b5597bade8af33b64cbead69.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:264
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7911b3c2b5597bade8af33b64cbead69.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7911b3c2b5597bade8af33b64cbead69.exe startC:\Program Files (x86)\Internet Explorer\D3A5\903.exe%C:\Program Files (x86)\Internet Explorer\D3A5
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2508
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7911b3c2b5597bade8af33b64cbead69.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7911b3c2b5597bade8af33b64cbead69.exe startC:\Users\Admin\AppData\Roaming\5E6F8\1BED3.exe%C:\Users\Admin\AppData\Roaming\5E6F8
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\5E6F8\85DD.E6F

Filesize
1KB

MD5
fb6cc8e76b236632a11a8ebbc167fd73

SHA1
373111c7f75fcc844466bde0433edcb2dcf2ca79

SHA256
5cc3a50e466cd3fd7d6265b8772931f75a520a81c96d66c19a9460fdefa9b99b

SHA512
afc481e80b13c8e34e758b76075eebed3fda240afa18de80e599870b4137f1e5737a536279ef42cfcf1ece90ba0876628ecdb69f48b4449968b684bffc0c2e11

Download Submit
C:\Users\Admin\AppData\Roaming\5E6F8\85DD.E6F

Filesize
1KB

MD5
a375dbb60657cd5aadbef3147aa98126

SHA1
6797b632f4b344f9d245468115a2fee8f73d4dda

SHA256
53e9544a1d5de94aaed70260fd2f64968c2b1b2f7204481fb4944aa6152471c6

SHA512
bca9cb9a65adf39b15a2676bb1119913fd70eb99b6fd0a8472b31363becd23425b0ba5811ed1b42a3769533ffcac3e7bd5c5f370f513c1e7edf8390d1415fd60

Download Submit
C:\Users\Admin\AppData\Roaming\5E6F8\85DD.E6F

Filesize
600B

MD5
6f967f08a6bd9b95596090d6db41deb9

SHA1
fd4db6b7a9912f61fad049441037ae5a096c5e15

SHA256
e18a23f58f208ce4c53e0279764a63791252dcff295f3ef8482c5f0de866ee79

SHA512
7e592ba19cdf419b2e82d55917c7d156327e41f7590fc87842f562fe241bf126b03c741c7212601a0085cd21c3b11f90582bdf8413c0aa4184274ed68f7a4de8

Download Submit
C:\Users\Admin\AppData\Roaming\5E6F8\85DD.E6F

Filesize
996B

MD5
c416ead4e3fb2a458f0d138e589054ab

SHA1
e8f845fa789123e06da290743c5d0e003954929d

SHA256
1853b24d4c8164b06ee180d107f272ca5cdb7688dcd95087b9e0d83b508fe41a

SHA512
da41da52d3c0a4cfbb3df50d51e2a4c0969519a01c944fdf61373a49e461a7dfa6f0d7e8c9f34e562a45644362f3925f98ac24094a66bfc7ca405d2e4acda5ae

Download Submit
memory/264-14-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/264-1-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/264-2-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/264-175-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2508-15-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2508-9-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2508-8-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2932-74-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2932-76-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download

Analysis

Sharing