cycbot | 18f114603640083121c1f148744e27c0d0c0af9cd25146a2b56c097df80a4998

General

Target

JaffaCakes118_8ac81173118d243b7fb270429545348c.exe
Size

189KB
MD5

8ac81173118d243b7fb270429545348c
SHA1

2a26665a81b271763ea9b23b8f04ab58d15df80b
SHA256

18f114603640083121c1f148744e27c0d0c0af9cd25146a2b56c097df80a4998
SHA512

fa1f445dac04fe349fe4fee72c99a05b7450a8e8e864f1811534ab9a40a48d8fb7a90542d8ea2cce394917ba76e8daf7fb88f543512ff1ecee2fd6b028ddd02f
SSDEEP

3072:+PuigBQ8TTwN0vQGzaKRK0hAgEgmcUSkYY2ywzO/ewgUb3pARVWP:+PVgTTTLvQuh8CzTLymOG6ybe

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2988-13-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/1800-14-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/1800-15-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral1/memory/844-122-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/1800-265-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1800-2-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2988-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1800-14-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1800-15-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/844-120-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/844-122-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1800-265-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8ac81173118d243b7fb270429545348c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8ac81173118d243b7fb270429545348c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8ac81173118d243b7fb270429545348c.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 2988	1800	JaffaCakes118_8ac81173118d243b7fb270429545348c.exe	31
PID 1800 wrote to memory of 2988	1800	JaffaCakes118_8ac81173118d243b7fb270429545348c.exe	31
PID 1800 wrote to memory of 2988	1800	JaffaCakes118_8ac81173118d243b7fb270429545348c.exe	31
PID 1800 wrote to memory of 2988	1800	JaffaCakes118_8ac81173118d243b7fb270429545348c.exe	31
PID 1800 wrote to memory of 844	1800	JaffaCakes118_8ac81173118d243b7fb270429545348c.exe	33
PID 1800 wrote to memory of 844	1800	JaffaCakes118_8ac81173118d243b7fb270429545348c.exe	33
PID 1800 wrote to memory of 844	1800	JaffaCakes118_8ac81173118d243b7fb270429545348c.exe	33
PID 1800 wrote to memory of 844	1800	JaffaCakes118_8ac81173118d243b7fb270429545348c.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8ac81173118d243b7fb270429545348c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8ac81173118d243b7fb270429545348c.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8ac81173118d243b7fb270429545348c.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8ac81173118d243b7fb270429545348c.exe startC:\Program Files (x86)\LP\D05A\18D.exe%C:\Program Files (x86)\LP\D05A
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2988
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8ac81173118d243b7fb270429545348c.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8ac81173118d243b7fb270429545348c.exe startC:\Users\Admin\AppData\Roaming\A5633\D97D0.exe%C:\Users\Admin\AppData\Roaming\A5633
  2⤵
  - System Location Discovery: System Language Discovery
  PID:844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\A5633\3429.563

Filesize
996B

MD5
b594ba0d8b39f9ba56edba6fbe2979ad

SHA1
1a605178257c2e0bd5f1d2c0c39787276c3129c9

SHA256
53ca47e52c3e1972a2d1e81de3361856cc14b729607155bc9df13c3914c352bd

SHA512
bc4c322619825537a7d8953ba60e72d7e52ca8ad5e2e4884834fd0e3aac52ef7066548a140f0e92c1277231296f81638300291c30702c8b7eb416be9198c6a03

Download Submit
C:\Users\Admin\AppData\Roaming\A5633\3429.563

Filesize
600B

MD5
0630be512a1a5800adbf0bcb30ee5eb5

SHA1
f4696c94543b69dcde8555fdfa6853a6010c913e

SHA256
845270833d9dfedbd37ebecb5a6c38de8d9ac69fe26e176e1e5a04b1d68ba1ff

SHA512
d80fda65472d374030b53511f55d22d693ce46bb3c733dafbf3b99af7f2a20548aa937e85d5c66e7477c1df22968baa0a3284d9bc0c7249d898be3e2f73c69d9

Download Submit
C:\Users\Admin\AppData\Roaming\A5633\3429.563

Filesize
1KB

MD5
3ce6fb17348d18c5dfea7851b2295e6e

SHA1
867ff08caabb4d9729387603bffc05394321b1a5

SHA256
f04571c12e2a6a9b509d5f75e125d63f042b4ce29627795527108e655b430485

SHA512
f8a5588f2ef69a856477db81dbaf78fe6c34650fc47060f038de8964387f115c0bf016ba8bd7f5095c6896d1556c37f50007d79fbc2ed5c08750fe82487ef6c8

Download Submit
C:\Users\Admin\AppData\Roaming\A5633\3429.563

Filesize
300B

MD5
005dfd6b6c72eee0aa7a2964a44dab4c

SHA1
492522003d79f35f0877861fe7c9e1954e85c426

SHA256
6fb394db13c96594babba86f08e23b71f7b222304dd7e4c5ce5bfb14de64a3cf

SHA512
4132c3413df6a14c6f27947f34d984965f4c217f271f15c6ffa59f8f5fbacd555d85ff388df889888da4c1e22acea94267fb76cad207177357161bb9ba03c8aa

Download Submit
memory/844-122-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/844-120-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1800-15-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1800-1-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1800-14-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1800-2-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1800-265-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2988-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2988-12-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing