cycbot | 292c20d20889ba64ce3cdbdbb5467786f9ae807e2606aa4a14ec0dbf4c741639

General

Target

JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe
Size

180KB
MD5

9ec6fc94432fa78a7585004d03eceabf
SHA1

d739dab40b405822b4b89ab2ca208731b354f30a
SHA256

292c20d20889ba64ce3cdbdbb5467786f9ae807e2606aa4a14ec0dbf4c741639
SHA512

80bef760aba69cf9b81910a2e10cc5deb44d36501877176d1dc23d43f854c89bdee0b19cac2a2c98197eb3306ec5fa5e4b406ea83bf9c1fbb200b89a89114ab6
SSDEEP

3072:dklnqbpEekz2+pU1LnJAKd5gG8WrjFP0GBLFO4DTgEhtSKJylxq:dInYpEeg2+q1LnJAufgEcKIf

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1664-14-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/1664-16-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/1364-17-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/1364-18-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral1/memory/572-126-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/1364-305-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1364-3-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1664-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1664-14-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1664-16-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1364-17-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1364-18-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/572-126-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/572-125-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1364-305-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 1664	1364	JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe	30
PID 1364 wrote to memory of 1664	1364	JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe	30
PID 1364 wrote to memory of 1664	1364	JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe	30
PID 1364 wrote to memory of 1664	1364	JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe	30
PID 1364 wrote to memory of 572	1364	JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe	33
PID 1364 wrote to memory of 572	1364	JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe	33
PID 1364 wrote to memory of 572	1364	JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe	33
PID 1364 wrote to memory of 572	1364	JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe startC:\Program Files (x86)\LP\AF0A\82B.exe%C:\Program Files (x86)\LP\AF0A
  2⤵
  PID:1664
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9ec6fc94432fa78a7585004d03eceabf.exe startC:\Users\Admin\AppData\Roaming\A1C0F\EC9AF.exe%C:\Users\Admin\AppData\Roaming\A1C0F
  2⤵
  PID:572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\A1C0F\F371.1C0

Filesize
996B

MD5
96fd61604be8ec54315fe35b673a3461

SHA1
3559531f86c1a9f85dbd54a65a29c50d1c2d4649

SHA256
514ba003685ce46b054ce5ff16dd4faacf680c6c877bb23280abef4ab4b246b1

SHA512
2c1907479b240cdf79fa7c162caff43706fd8d786dcd6179af3f2fc819e1dc8b58288f32d5a02aa603cb912b34a0617f0f521d5ef0cfdfc1f0355261a81235e8

Download Submit
C:\Users\Admin\AppData\Roaming\A1C0F\F371.1C0

Filesize
600B

MD5
a47d310119fa5941ced132ad9606b06f

SHA1
291247c8e5c423121eb02051adb488e87227e045

SHA256
835d4006ef9dc5e076d20bc8d9b37891861f800939f7ec61dabaa3baa99e0cf9

SHA512
f62bbc72f023c59c03a8a8bbe420ddf04e8ed1c3ca2fe66cab947156ab931e479ff96f0b53da9fae3e6690abe9c54764f71afd92bfa1940218c6ef323c7c0c89

Download Submit
C:\Users\Admin\AppData\Roaming\A1C0F\F371.1C0

Filesize
1KB

MD5
5489119700d9f27ab9594ff8361f7972

SHA1
0d05ef1b79999b9895e5374713c6685a3dd8233b

SHA256
065a066ce77cf7e475ab8740520bf253a1c7f5c52b81702092e8f2e096562b82

SHA512
757965e1c89c1fc2b21af2ce2d48b6d740fdf1e9eef4c8531e78389eaa3fe98629320d5ec71da822ba20ce30bc3a66185a4773da6a7fea7748fe2fb1261f6233

Download Submit
memory/572-125-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/572-126-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1364-17-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1364-0-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1364-18-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1364-3-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1364-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1364-305-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1664-16-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1664-14-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1664-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing