cycbot | 1470e4f143dfbdc0c767131f337d42ff623ab460f8c92c27970310fb24d4f408

General

Target

JaffaCakes118_a0d0a811e95c1520ae41e3b783b56245.exe
Size

184KB
MD5

a0d0a811e95c1520ae41e3b783b56245
SHA1

c968c2f2e7bcf8e8b747860b5dd165d76c50c69d
SHA256

1470e4f143dfbdc0c767131f337d42ff623ab460f8c92c27970310fb24d4f408
SHA512

3a0b20e02fcd20fdc34eedbe2c9df701634ef04cffb56d2db4bbad0c895aedf01b40d6821fd7e23fcffed5573a36050bf5ef581eec9736601fe4964d38a6edbd
SSDEEP

3072:SLIsfb/xwle6EZN62KFGmKsssbNO3vKYm7gz3ClPiG9TEijYcK8fYVLKIitoaW/P:SLRdWeb7vqGPssENO/KY58iqnG8YLetU

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2900-14-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/3040-15-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/3040-16-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral1/memory/2772-127-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/3040-306-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3040-2-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2900-12-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2900-14-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/3040-15-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/3040-16-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2772-125-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2772-127-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/3040-306-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a0d0a811e95c1520ae41e3b783b56245.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a0d0a811e95c1520ae41e3b783b56245.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a0d0a811e95c1520ae41e3b783b56245.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2900	3040	JaffaCakes118_a0d0a811e95c1520ae41e3b783b56245.exe	30
PID 3040 wrote to memory of 2900	3040	JaffaCakes118_a0d0a811e95c1520ae41e3b783b56245.exe	30
PID 3040 wrote to memory of 2900	3040	JaffaCakes118_a0d0a811e95c1520ae41e3b783b56245.exe	30
PID 3040 wrote to memory of 2900	3040	JaffaCakes118_a0d0a811e95c1520ae41e3b783b56245.exe	30
PID 3040 wrote to memory of 2772	3040	JaffaCakes118_a0d0a811e95c1520ae41e3b783b56245.exe	32
PID 3040 wrote to memory of 2772	3040	JaffaCakes118_a0d0a811e95c1520ae41e3b783b56245.exe	32
PID 3040 wrote to memory of 2772	3040	JaffaCakes118_a0d0a811e95c1520ae41e3b783b56245.exe	32
PID 3040 wrote to memory of 2772	3040	JaffaCakes118_a0d0a811e95c1520ae41e3b783b56245.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a0d0a811e95c1520ae41e3b783b56245.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a0d0a811e95c1520ae41e3b783b56245.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a0d0a811e95c1520ae41e3b783b56245.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a0d0a811e95c1520ae41e3b783b56245.exe startC:\Program Files (x86)\LP\EC02\379.exe%C:\Program Files (x86)\LP\EC02
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2900
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a0d0a811e95c1520ae41e3b783b56245.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a0d0a811e95c1520ae41e3b783b56245.exe startC:\Users\Admin\AppData\Roaming\27846\6B1EC.exe%C:\Users\Admin\AppData\Roaming\27846
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\27846\6080.784

Filesize
996B

MD5
325339cc8b478bba706a3dc69b2e6bae

SHA1
784ed48e9964afead806f554d3c50281eb77f12e

SHA256
5f58d0c9fd4b39412cd99a56f64724f800ec2f9f219150e0f7b9e5a9fd027124

SHA512
e07c2908fb7a3dc33779d3ad5c0cc1d4d3b28befb9d812d0e642a358c3fd02935a1a222e26a509d7f4ffeac35d5e933f0c38c25927c3be7e964e6843df2049fb

Download Submit
C:\Users\Admin\AppData\Roaming\27846\6080.784

Filesize
600B

MD5
8bf84a8ac81b9c0dd4dccc66a59f44cf

SHA1
ab55a9be355d300f02fb4207b2683c036cbcc2e6

SHA256
a2278be349de33cc72db1af9656809db87ff72e05940d287ce35d533925739a5

SHA512
39c52f4771adc19dbe21f2fe7d57b04d3c26530e996dac89777288960ec7b3512069cd0d612b0ba5d88c892480dabbbff7d8bf5f583b63017d473bdc56ed5909

Download Submit
C:\Users\Admin\AppData\Roaming\27846\6080.784

Filesize
1KB

MD5
ca8fc67b91f2b6a1c9e7030680048e13

SHA1
6b1d2f321908a8fe8b723c6a1f5bbb99f033431c

SHA256
08832dc5fa4b38828508e0ecc1a1e6e8c13f5c0f2fab3572ffc71e1fcf350d99

SHA512
c5ec3dd4782771b85de519b399cc9f64ed4b2dcaca0d74ae5179ebb0288775a52f407ed22ad04e3bdc3d99324dd87628dad69f3378177a99b676322cbbfc485a

Download Submit
memory/2772-127-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2772-125-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2900-12-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2900-14-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2900-11-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3040-16-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3040-15-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3040-1-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3040-2-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3040-306-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing