cycbot | 7cc06ec8608bc2fe75ac8e28848c58f9bdebdea137b4ad9cf7d542a0b6cf6dd0

General

Target

JaffaCakes118_049c932164119d15d334e2e5971c1ddd.exe
Size

187KB
MD5

049c932164119d15d334e2e5971c1ddd
SHA1

95c44294dd9e23e9fa959bba7219fb48b30187dc
SHA256

7cc06ec8608bc2fe75ac8e28848c58f9bdebdea137b4ad9cf7d542a0b6cf6dd0
SHA512

44297324d073bea30b0d1ce85a1e6336f66e1e50b460089c7c5d9cc1353b1c0fdc13e7d041fa2ce3cad4006f31e109249d341795657417dca90286d360102545
SSDEEP

3072:nYDeKz7TwAIzu3g/BiXImLU293owd/deTDCKtVI2I1WiApyMXsHyrZ0MgnNwmX5W:nYDeKz7sySB2ImL/roDCKtmUiApZXsHy

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2408-12-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/1652-13-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/1652-14-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral1/memory/1056-111-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/1652-278-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1652-2-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2408-12-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1652-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1652-14-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/1056-111-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1652-278-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_049c932164119d15d334e2e5971c1ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_049c932164119d15d334e2e5971c1ddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_049c932164119d15d334e2e5971c1ddd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 2408	1652	JaffaCakes118_049c932164119d15d334e2e5971c1ddd.exe	30
PID 1652 wrote to memory of 2408	1652	JaffaCakes118_049c932164119d15d334e2e5971c1ddd.exe	30
PID 1652 wrote to memory of 2408	1652	JaffaCakes118_049c932164119d15d334e2e5971c1ddd.exe	30
PID 1652 wrote to memory of 2408	1652	JaffaCakes118_049c932164119d15d334e2e5971c1ddd.exe	30
PID 1652 wrote to memory of 1056	1652	JaffaCakes118_049c932164119d15d334e2e5971c1ddd.exe	33
PID 1652 wrote to memory of 1056	1652	JaffaCakes118_049c932164119d15d334e2e5971c1ddd.exe	33
PID 1652 wrote to memory of 1056	1652	JaffaCakes118_049c932164119d15d334e2e5971c1ddd.exe	33
PID 1652 wrote to memory of 1056	1652	JaffaCakes118_049c932164119d15d334e2e5971c1ddd.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_049c932164119d15d334e2e5971c1ddd.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_049c932164119d15d334e2e5971c1ddd.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_049c932164119d15d334e2e5971c1ddd.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_049c932164119d15d334e2e5971c1ddd.exe startC:\Program Files (x86)\LP\3274\D5E.exe%C:\Program Files (x86)\LP\3274
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2408
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_049c932164119d15d334e2e5971c1ddd.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_049c932164119d15d334e2e5971c1ddd.exe startC:\Users\Admin\AppData\Roaming\4311E\49232.exe%C:\Users\Admin\AppData\Roaming\4311E
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\4311E\E781.311

Filesize
996B

MD5
5596ba5ef14c5cfcc54aa09cd992657f

SHA1
55089612385b47dbc615d5cb267e2e7f7b0dd542

SHA256
2f1489877114dd52148181c1fdd22f15223ec515ec7229b0b972178f9e9d32cc

SHA512
7256a8f370aff0fb4699abe4d5e4da66dc4255f0cb0f9e03bd8dd540850e153e074ed6effd2d4212f3d673f76f2fee7f89ebf31fc22b6e45c19f2f0b91c22e26

Download Submit
C:\Users\Admin\AppData\Roaming\4311E\E781.311

Filesize
600B

MD5
4ccb62746a053cbaf0cc2b646942f917

SHA1
827703d48349b14df7d06953d20a7ab192beeb5d

SHA256
9e338c9715b9e148c98da89689c3bc392b6bc0697cfa0cb171435998e0fd85be

SHA512
d87d241a0eebc4e27d1eb8ba5b2cc7859e578b5a5baf32ff960cae8486aa44f3587078147782f95a6fd46921a736f37297dfd801504e46372221ba977fd0f319

Download Submit
C:\Users\Admin\AppData\Roaming\4311E\E781.311

Filesize
1KB

MD5
7569575c587e60ee3dd93990a93c58c5

SHA1
da5340be64c625e6a31649b2166f2f58a658e086

SHA256
303b74d069a9d3b58c7bfed56bcbae6abd22ac8264f691b3119e29de90e125da

SHA512
c32a85fc0b3d5c84305a9c11833b481a6f458d12b7a58aa786c1acd18f9f3d79e458dfa1b53f284a6819208bf748fdafe6fb655ec5934936cb3b2b1da1058dd5

Download Submit
memory/1056-111-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1652-1-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1652-2-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1652-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1652-14-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1652-278-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2408-11-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2408-12-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing