cycbot | 1985eedd9c2ea987f4fabed9c91886f1db7ab47007bdc3323382a83ea36b12b9

General

Target

JaffaCakes118_cc1e4f25332b5c25e6542bdb0c360623.exe
Size

177KB
MD5

cc1e4f25332b5c25e6542bdb0c360623
SHA1

3a21c7b92ab34efd3378121c34e36ca3a355d5af
SHA256

1985eedd9c2ea987f4fabed9c91886f1db7ab47007bdc3323382a83ea36b12b9
SHA512

348d57d920d6418c8506c0a8f1a877f13cf3300f42624f707580faca8ea73caef6225556ced2ea97d3ac5ed39341ebd943251c3374541d8e1d976d56ab0dd94b
SSDEEP

3072:pHNcIPMhL3lidh0FQzZdrhoslmqCt7Hzh8Ovr9pYPaQqn24f7OMcg:ptdPMZKhuQldh/BCxek92

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2480-13-0x0000000000400000-0x0000000000456000-memory.dmp	family_cycbot
behavioral1/memory/1800-14-0x0000000000400000-0x0000000000453000-memory.dmp	family_cycbot
behavioral1/memory/1800-15-0x0000000000400000-0x0000000000456000-memory.dmp	family_cycbot
behavioral1/memory/1468-86-0x0000000000400000-0x0000000000456000-memory.dmp	family_cycbot
behavioral1/memory/1800-181-0x0000000000400000-0x0000000000456000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1800-2-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2480-13-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2480-12-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1800-14-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral1/memory/1800-15-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1468-85-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1468-86-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1800-181-0x0000000000400000-0x0000000000456000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_cc1e4f25332b5c25e6542bdb0c360623.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_cc1e4f25332b5c25e6542bdb0c360623.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_cc1e4f25332b5c25e6542bdb0c360623.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 2480	1800	JaffaCakes118_cc1e4f25332b5c25e6542bdb0c360623.exe	31
PID 1800 wrote to memory of 2480	1800	JaffaCakes118_cc1e4f25332b5c25e6542bdb0c360623.exe	31
PID 1800 wrote to memory of 2480	1800	JaffaCakes118_cc1e4f25332b5c25e6542bdb0c360623.exe	31
PID 1800 wrote to memory of 2480	1800	JaffaCakes118_cc1e4f25332b5c25e6542bdb0c360623.exe	31
PID 1800 wrote to memory of 1468	1800	JaffaCakes118_cc1e4f25332b5c25e6542bdb0c360623.exe	33
PID 1800 wrote to memory of 1468	1800	JaffaCakes118_cc1e4f25332b5c25e6542bdb0c360623.exe	33
PID 1800 wrote to memory of 1468	1800	JaffaCakes118_cc1e4f25332b5c25e6542bdb0c360623.exe	33
PID 1800 wrote to memory of 1468	1800	JaffaCakes118_cc1e4f25332b5c25e6542bdb0c360623.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cc1e4f25332b5c25e6542bdb0c360623.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cc1e4f25332b5c25e6542bdb0c360623.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cc1e4f25332b5c25e6542bdb0c360623.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cc1e4f25332b5c25e6542bdb0c360623.exe startC:\Program Files (x86)\LP\D059\18D.exe%C:\Program Files (x86)\LP\D059
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2480
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cc1e4f25332b5c25e6542bdb0c360623.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cc1e4f25332b5c25e6542bdb0c360623.exe startC:\Users\Admin\AppData\Roaming\9363A\D97D0.exe%C:\Users\Admin\AppData\Roaming\9363A
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\9363A\A837.363

Filesize
1KB

MD5
34aaa847ab0b3ed3f1479274ddd65a23

SHA1
36af356b9ab921bee128ef74907226b3bdf6bf6e

SHA256
3b48875ed8fb3bc6f2de580eb9c2c06e53e7988752edeb6368781459ccca7f2e

SHA512
622228e17d9b7d384ca362a76af26181107a3cf93864ea011874002e1c64346d66724bd54f32204c8021cd247c7273bf4ad3eadf1f46d50118b8c04a9739ed92

Download Submit
C:\Users\Admin\AppData\Roaming\9363A\A837.363

Filesize
600B

MD5
1fd2b2033c4a315c9ec3bec7bf278ca4

SHA1
9ae80889e4f694358823b1f815060ded6f62de73

SHA256
f8be739b1664df1472f4e3706a61c33e5a03729a78e2b6bdda12823b98d20d81

SHA512
cdd9eaebc182a6c0ce35498b8b45331a9132ca5cfcfef81d67ec1ed259ff1a4445769ab62b9baac3f51886bc0406561c10a8f2ebcc31ed23a5ab4ea55c50db0a

Download Submit
C:\Users\Admin\AppData\Roaming\9363A\A837.363

Filesize
996B

MD5
8eae8db59a51ff71c73677f5c991e479

SHA1
329841dadc655cb3430c05c0e3654eed8eddbee4

SHA256
85553b804616bd16a6651c93f4476af9479d65aed54062188d8e952a850d8ac7

SHA512
3b0eb6cf899ea36c0ecbce465a353e5ff0a994d7946bb4b8cae24b132060264a5cce3827d2c8f61303fc419ac630f4f6a254704a54d34d0d3a880a104eeeb78b

Download Submit
memory/1468-86-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1468-85-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1800-15-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1800-1-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1800-14-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/1800-2-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1800-181-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2480-11-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2480-12-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2480-13-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download

Analysis

Sharing