cycbot | b071bb8e665df5dc810f2279186b3e4330914b2385e838727300ef3552b2eea3

General

Target

JaffaCakes118_127debdb6f2bb4cd058dafbdd2377cc0.exe
Size

186KB
MD5

127debdb6f2bb4cd058dafbdd2377cc0
SHA1

5e19d6b60eb12afae809165cd44dac1107ee67ab
SHA256

b071bb8e665df5dc810f2279186b3e4330914b2385e838727300ef3552b2eea3
SHA512

c2bffbad64b7a01ca262b243a4f833b3d6aea5539cb3bf0b67083fbc2c332a4f5a4c96d481dd042ee0592fdd6464af94b1598fc371a9b3a5b0b8d57f6741349e
SSDEEP

3072:s1RbS0WogAmsEELVgQrYrUVDZCKHKssM3tinK0465AS8ls247AjMWP:s18og9sEEKQsAlZCsKBKt1BM8lsvkjM0

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1716-13-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot
behavioral1/memory/2616-14-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot
behavioral1/memory/2616-15-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral1/memory/536-124-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot
behavioral1/memory/2616-279-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2616-2-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/1716-12-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/1716-13-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2616-14-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2616-15-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/536-124-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2616-279-0x0000000000400000-0x0000000000454000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_127debdb6f2bb4cd058dafbdd2377cc0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_127debdb6f2bb4cd058dafbdd2377cc0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_127debdb6f2bb4cd058dafbdd2377cc0.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 1716	2616	JaffaCakes118_127debdb6f2bb4cd058dafbdd2377cc0.exe	30
PID 2616 wrote to memory of 1716	2616	JaffaCakes118_127debdb6f2bb4cd058dafbdd2377cc0.exe	30
PID 2616 wrote to memory of 1716	2616	JaffaCakes118_127debdb6f2bb4cd058dafbdd2377cc0.exe	30
PID 2616 wrote to memory of 1716	2616	JaffaCakes118_127debdb6f2bb4cd058dafbdd2377cc0.exe	30
PID 2616 wrote to memory of 536	2616	JaffaCakes118_127debdb6f2bb4cd058dafbdd2377cc0.exe	33
PID 2616 wrote to memory of 536	2616	JaffaCakes118_127debdb6f2bb4cd058dafbdd2377cc0.exe	33
PID 2616 wrote to memory of 536	2616	JaffaCakes118_127debdb6f2bb4cd058dafbdd2377cc0.exe	33
PID 2616 wrote to memory of 536	2616	JaffaCakes118_127debdb6f2bb4cd058dafbdd2377cc0.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_127debdb6f2bb4cd058dafbdd2377cc0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_127debdb6f2bb4cd058dafbdd2377cc0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_127debdb6f2bb4cd058dafbdd2377cc0.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_127debdb6f2bb4cd058dafbdd2377cc0.exe startC:\Program Files (x86)\LP\001C\BF8.exe%C:\Program Files (x86)\LP\001C
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1716
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_127debdb6f2bb4cd058dafbdd2377cc0.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_127debdb6f2bb4cd058dafbdd2377cc0.exe startC:\Users\Admin\AppData\Roaming\C1A64\9B600.exe%C:\Users\Admin\AppData\Roaming\C1A64
  2⤵
  - System Location Discovery: System Language Discovery
  PID:536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\C1A64\4F61.1A6

Filesize
996B

MD5
349609b49f70a081f3c32118396f39f6

SHA1
03defd7b41251f66ad483f0ab7aca75118da2ed0

SHA256
4078010d331452ab7b5a61d6362428bbb454952c3bf3466765a9d0e0cd0b6816

SHA512
d81e5ce82bed134ce0845e1e133e5bd6017846ae83323c4d7b7fdb09947d0e75e97449a551a5af61e23eb6d408c2199dd41b8fe0418b8fc2edc8a08bfa75d8b8

Download Submit
C:\Users\Admin\AppData\Roaming\C1A64\4F61.1A6

Filesize
600B

MD5
67856224fbca36a4d623ee24bfeecb9d

SHA1
e53f17e4b44d8dc72abe17f6fe9c3fd9006fa37d

SHA256
3a39f2d73891800315dd4e6298f05559cc4e974a4beeedb1ef9709952b413d91

SHA512
355e57b1418e015229f2b7cee105e1a6a5367ce3b41cdb456b9a3843444054a055342645dbd7e33fca35404deacd67908b6bb3399d3442b31d9870f29ffd36e9

Download Submit
C:\Users\Admin\AppData\Roaming\C1A64\4F61.1A6

Filesize
1KB

MD5
601527d7489998c2f7970ae7ecd32dbb

SHA1
1f26266ee6e714bbc126ef16a120655cc161679e

SHA256
b77dfa056083123da59fc4f49aaebe91cfe899503f8d5cd2d1404994a53cab17

SHA512
2f0553a559642117e83d88f3df9e9d734dce14109b34d26d7b0861136b921a5aabf2ba0ec4c46ab63f202c3b29b162026666d86d44c24ad87b1f354d092f3e7f

Download Submit
memory/536-124-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1716-12-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1716-11-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1716-13-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2616-1-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2616-2-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2616-14-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2616-15-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2616-279-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing