cycbot | 205d48d3c45a5d7ea5a0a4e475cdc0e2fe02717ce25bf5554367998425298fae

General

Target

JaffaCakes118_b79a6197f84d06dd3dc3a9fc3e1e2cf9.exe
Size

179KB
MD5

b79a6197f84d06dd3dc3a9fc3e1e2cf9
SHA1

f5d245cc75ebd5e517690016be0a5d6b65850df9
SHA256

205d48d3c45a5d7ea5a0a4e475cdc0e2fe02717ce25bf5554367998425298fae
SHA512

b7294e69402d63a0587f0e5c35a0eb89e93d20af915eb8ce8389d65ee236f6c5e652a65ba5c7e58a774d844c3a1ceaead37e2a310b6623fb2207dff70c7ced3b
SSDEEP

3072:G91jjjxUZ0m4uI814ZeNyghmD0Tf+NZw6Oh655cd9eO0e68ZaOpBwcSzvZdcXflN:G4J4uIu4Zebm4TG2h65a95lqcSNdB1Sd

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2360-15-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/2148-16-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/2148-17-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral1/memory/1720-131-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/2148-294-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2148-3-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2360-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2360-15-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2148-16-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2148-17-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/1720-131-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2148-294-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b79a6197f84d06dd3dc3a9fc3e1e2cf9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b79a6197f84d06dd3dc3a9fc3e1e2cf9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b79a6197f84d06dd3dc3a9fc3e1e2cf9.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 2360	2148	JaffaCakes118_b79a6197f84d06dd3dc3a9fc3e1e2cf9.exe	30
PID 2148 wrote to memory of 2360	2148	JaffaCakes118_b79a6197f84d06dd3dc3a9fc3e1e2cf9.exe	30
PID 2148 wrote to memory of 2360	2148	JaffaCakes118_b79a6197f84d06dd3dc3a9fc3e1e2cf9.exe	30
PID 2148 wrote to memory of 2360	2148	JaffaCakes118_b79a6197f84d06dd3dc3a9fc3e1e2cf9.exe	30
PID 2148 wrote to memory of 1720	2148	JaffaCakes118_b79a6197f84d06dd3dc3a9fc3e1e2cf9.exe	33
PID 2148 wrote to memory of 1720	2148	JaffaCakes118_b79a6197f84d06dd3dc3a9fc3e1e2cf9.exe	33
PID 2148 wrote to memory of 1720	2148	JaffaCakes118_b79a6197f84d06dd3dc3a9fc3e1e2cf9.exe	33
PID 2148 wrote to memory of 1720	2148	JaffaCakes118_b79a6197f84d06dd3dc3a9fc3e1e2cf9.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b79a6197f84d06dd3dc3a9fc3e1e2cf9.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b79a6197f84d06dd3dc3a9fc3e1e2cf9.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b79a6197f84d06dd3dc3a9fc3e1e2cf9.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b79a6197f84d06dd3dc3a9fc3e1e2cf9.exe startC:\Program Files (x86)\LP\5366\A95.exe%C:\Program Files (x86)\LP\5366
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2360
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b79a6197f84d06dd3dc3a9fc3e1e2cf9.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b79a6197f84d06dd3dc3a9fc3e1e2cf9.exe startC:\Users\Admin\AppData\Roaming\66FBF\B0E53.exe%C:\Users\Admin\AppData\Roaming\66FBF
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\66FBF\F1E2.6FB

Filesize
996B

MD5
6aaff5c2152ebca0682ce82186da5e28

SHA1
2bcfe5b8ab1152aa4c12b55d64d8d2b387e54dfb

SHA256
3d72564267eb293d133c1e2ff8e8f00ded57a4a9a8d30925ccf76d0a7de69184

SHA512
c6566de233a33b6d957657fec59e9d83b2385250f101a896148a6af1869c54404a320d327467f6cbf2407ad07a2c7761fd17f5e5ebebe9891a58f5c9ec7cf6fd

Download Submit
C:\Users\Admin\AppData\Roaming\66FBF\F1E2.6FB

Filesize
600B

MD5
59b93df48ec565c1554a779ec24b0318

SHA1
0771c44fabda2301a3df86aa95f30968a2faf24c

SHA256
51babbd551039eba3425011bdb8522544519a4fbdad056ecc06a5494b3ec5459

SHA512
eed6954b1a4f2770a18066491e0fe41a3683023c8ad63b98c767adc75b765711f832f2048c72b55ee962a8484642a4ddad7a9db8451c74405a601dfe01f4ac5e

Download Submit
C:\Users\Admin\AppData\Roaming\66FBF\F1E2.6FB

Filesize
1KB

MD5
b0776532bbd608294d9227bb16a5a8fd

SHA1
44fec5925286d576b247638e3424144bc8515c15

SHA256
f9439b3b1a60e3ccfed86d5a8beabcb7fd8c5da668181a07c4308b39cda9f6c2

SHA512
2a2073b12a0a6592c5af00eb46c920c8d3678cada7a1935527ff6330beec276ed5fc07a911552d4054d8a46e33ec83fba929a9543647fbad5df5018f3456f07e

Download Submit
memory/1720-131-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2148-0-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2148-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2148-3-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2148-16-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2148-17-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2148-294-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2360-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2360-15-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing