cycbot | 1a9bfc6a675e53b2e1fdd150f10aa3d1546b9c63540d0a2dc52113cb434088b9

General

Target

JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe
Size

181KB
MD5

c6a93c5b7fe7915de3b31f133c370ce0
SHA1

984e837a21a137bf6cb74692dcab458ca7507fa4
SHA256

1a9bfc6a675e53b2e1fdd150f10aa3d1546b9c63540d0a2dc52113cb434088b9
SHA512

ccc4732f3eb02c8bd447f0772958e68d43eec18dcf325e6f9139f2d37a0855ba8794afcb9ccf8a1cc937b8578f7ce07a01415a63d1bb25de5d513525f54b260c
SSDEEP

3072:fMyMzQw6ScvdO6gJKYpzKM/zB0E9IGOvNcbTt+vZu9MA4L9oMz:fM+SMgJppnzKIbTt+s9MAI9oA

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2796-15-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot
behavioral1/memory/2732-16-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot
behavioral1/memory/2732-17-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral1/memory/808-145-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot
behavioral1/memory/2732-308-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2732-3-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2796-14-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2796-13-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2796-15-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2732-16-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2732-17-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/808-144-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/808-145-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2732-308-0x0000000000400000-0x0000000000454000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 2796	2732	JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe	30
PID 2732 wrote to memory of 2796	2732	JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe	30
PID 2732 wrote to memory of 2796	2732	JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe	30
PID 2732 wrote to memory of 2796	2732	JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe	30
PID 2732 wrote to memory of 808	2732	JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe	32
PID 2732 wrote to memory of 808	2732	JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe	32
PID 2732 wrote to memory of 808	2732	JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe	32
PID 2732 wrote to memory of 808	2732	JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe startC:\Program Files (x86)\LP\BF8B\06D.exe%C:\Program Files (x86)\LP\BF8B
  2⤵
  PID:2796
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6a93c5b7fe7915de3b31f133c370ce0.exe startC:\Users\Admin\AppData\Roaming\BF90C\3F5BF.exe%C:\Users\Admin\AppData\Roaming\BF90C
  2⤵
  PID:808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\BF90C\C593.F90

Filesize
300B

MD5
3dbc8a37853b780670f1a28fad576715

SHA1
7fb5c18237e69be0db457ccbc5bbc7829199dbaa

SHA256
a252efce606972b80cfcd4ae5347d07fc7cf06e06d425d17e4a3adadb112579c

SHA512
f7d85403fb882f4c6503b846911543fe5c9332088269c8698af7052648224d7234711072bba2f05dddabc5bc85cefc2dfa96cdd9a1004a74442b1b94c0a1085a

Download Submit
C:\Users\Admin\AppData\Roaming\BF90C\C593.F90

Filesize
996B

MD5
01d9dceaa960fd2855458e7bff054d41

SHA1
5c2edd9d359f1951c68f75a7f58259b9ac92b6f1

SHA256
ed640e41a75cdac6eabb17ab6c765f8444faec57f89e8dfe6391cefdecedbd08

SHA512
6957dda19f68190f6fefbf063045184b2d48e6e59218d249ace228b09fe7a53223c0a85dd29029129078b386d244551ac98fd50a93a35edb73e0254a799237a6

Download Submit
C:\Users\Admin\AppData\Roaming\BF90C\C593.F90

Filesize
600B

MD5
0926f23b929a037f37942b0827b1115f

SHA1
c1dcae0d8b98a6b0ccc4602131811d868aa5b018

SHA256
85066cd22d0891255654310b1407676e507dd528a61d9bbdaa5c2a6430a7b101

SHA512
2e5d3f4d2e37331348aceb6d06cf23d7b1009d0dd818c2c45f44fc69e214f9ab9962a3daa5a812be42267509dd9e4e4d502a044c6d3b9262673314f7334bc5df

Download Submit
C:\Users\Admin\AppData\Roaming\BF90C\C593.F90

Filesize
1KB

MD5
663e406c1eafb0e3fb8a81c246326d65

SHA1
ef006dbb3bd9e695db84e5a584b8d69c2bd34e3e

SHA256
ed40cfde09e9b8c182b6a475b842281199dcbf930ca52c89624654006396de84

SHA512
8cba418fa0f1da04f67a3a7ce4c9ecc4905ccc3702dbd541fd875eaa4a18edaf4c1b06fbb66e1a82fd18ede43911e65d26865e12936b5ca2264d11ccb188b3da

Download Submit
memory/808-144-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/808-145-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2732-3-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2732-16-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2732-17-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2732-0-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2732-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2732-308-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2796-14-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2796-13-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2796-15-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing