cycbot | b42700e37a30c62e93ac6025c363ec4806b96c7115dcbccaceb07d7985a525e0

General

Target

JaffaCakes118_0a7ef0db037432a8e0108bc391a7c95d.exe
Size

180KB
MD5

0a7ef0db037432a8e0108bc391a7c95d
SHA1

f440542b4a2412f2569e47fdaeb7499cffff0205
SHA256

b42700e37a30c62e93ac6025c363ec4806b96c7115dcbccaceb07d7985a525e0
SHA512

36f622dfc5e7146cef4111799c4ad61a13dda5dea60262bb56f57983bbac10af9f65d20b275f61670736bbf2a8dc807f6fc410923dbc3380b135b91dfecee00b
SSDEEP

3072:UhbaPUwzSWpXRnAowR0Hdn+zZnAlu5JTBdZagoye3N2i8luzhtwnaXMMxZ8pGLRU:UhbOWWtWoAid+zZAQRZagoypi8lK9cMz

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2260-15-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/768-16-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/768-17-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral1/memory/2520-125-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/768-296-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/768-3-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2260-14-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2260-15-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/768-16-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/768-17-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2520-125-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2520-123-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/768-296-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0a7ef0db037432a8e0108bc391a7c95d.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 768 wrote to memory of 2260	768	JaffaCakes118_0a7ef0db037432a8e0108bc391a7c95d.exe	30
PID 768 wrote to memory of 2260	768	JaffaCakes118_0a7ef0db037432a8e0108bc391a7c95d.exe	30
PID 768 wrote to memory of 2260	768	JaffaCakes118_0a7ef0db037432a8e0108bc391a7c95d.exe	30
PID 768 wrote to memory of 2260	768	JaffaCakes118_0a7ef0db037432a8e0108bc391a7c95d.exe	30
PID 768 wrote to memory of 2520	768	JaffaCakes118_0a7ef0db037432a8e0108bc391a7c95d.exe	33
PID 768 wrote to memory of 2520	768	JaffaCakes118_0a7ef0db037432a8e0108bc391a7c95d.exe	33
PID 768 wrote to memory of 2520	768	JaffaCakes118_0a7ef0db037432a8e0108bc391a7c95d.exe	33
PID 768 wrote to memory of 2520	768	JaffaCakes118_0a7ef0db037432a8e0108bc391a7c95d.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0a7ef0db037432a8e0108bc391a7c95d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0a7ef0db037432a8e0108bc391a7c95d.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:768
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0a7ef0db037432a8e0108bc391a7c95d.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0a7ef0db037432a8e0108bc391a7c95d.exe startC:\Program Files (x86)\LP\A507\533.exe%C:\Program Files (x86)\LP\A507
  2⤵
  PID:2260
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0a7ef0db037432a8e0108bc391a7c95d.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0a7ef0db037432a8e0108bc391a7c95d.exe startC:\Users\Admin\AppData\Roaming\7E4C3\733A5.exe%C:\Users\Admin\AppData\Roaming\7E4C3
  2⤵
  PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\7E4C3\3810.E4C

Filesize
996B

MD5
2cd5a09ae8dcd241496c206d9bdbb0fc

SHA1
4152cdaa763d08d52f17df6743e97fc85e3de9cf

SHA256
1f84031c79ae6f0b9a5c9ac386c2287b0c5d05eea92c5fc9d30f731df7af982b

SHA512
d841d8457ecae4e7477afc099e3c83bd58113609a28e3caf867a760c098f3a0b0f28e24e77d47431835ae27b6750d802216c6573042d543d79e0044a9b284097

Download Submit
C:\Users\Admin\AppData\Roaming\7E4C3\3810.E4C

Filesize
600B

MD5
b38cb686d65a829338d786e93562ea40

SHA1
db0f1a0ac1cad980a63963e5b36802a69a26946a

SHA256
ebcf2f0afff8676de573c222088bf178d0ade38437d9e5b4e608b0b41ee78004

SHA512
c653863833b137e78392cda26a081d4ec0a384ef3e9baef996e3ef96c9fe00261531defdb8a27533cfa5cc5c08a1192d5430f977b0de2780322a1e41d5537af8

Download Submit
C:\Users\Admin\AppData\Roaming\7E4C3\3810.E4C

Filesize
1KB

MD5
1f4eaf79c340b8d451686dbf58e45960

SHA1
e1296317fc2793022a4be337413e4b500c587ec4

SHA256
4de99812b7c2038aa45a1e5c5ae807b1e9ed93a60da82f4836ab6733571ade01

SHA512
7e4126102d8f9172baf9f84b4c1793b42014abed907f3ebb85d63222464763089294512d299ed292e3060c90309765976a144a8cbafdd9fc82b1424a66378786

Download Submit
memory/768-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/768-3-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/768-0-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/768-296-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/768-16-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/768-17-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2260-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2260-15-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2260-14-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2520-123-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2520-125-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing