cycbot | e66ac22a3de7d5d971c77dae5623c815cc53ab99ffebfb014ac26cd0aea2ab9b

General

Target

JaffaCakes118_210d758e01ef8a01a0808a94f0d4d8dd.exe
Size

180KB
MD5

210d758e01ef8a01a0808a94f0d4d8dd
SHA1

29315f7d862cbfe3eca53ece971dfb338bb21c77
SHA256

e66ac22a3de7d5d971c77dae5623c815cc53ab99ffebfb014ac26cd0aea2ab9b
SHA512

19e3c21099795f421e0fc39025ca5d6482ba1b6477f3b98b87ea758284dd0c08f34059363c1796ca677638342917293ee89f183eab4bd1d47e361dbf2a436747
SSDEEP

3072:p2WY9uNKKyWxchDvfSBmlQ+guC6VSUCIeKEdz8X09zS7gaYAUd:p21uNKKyWKxymlQ+ynGEdYX0S7gaYn

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2880-13-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/2128-14-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/2128-15-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral1/memory/2980-137-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/2128-312-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2128-3-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2880-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2128-14-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2128-15-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2980-137-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2128-312-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_210d758e01ef8a01a0808a94f0d4d8dd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_210d758e01ef8a01a0808a94f0d4d8dd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_210d758e01ef8a01a0808a94f0d4d8dd.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2880	2128	JaffaCakes118_210d758e01ef8a01a0808a94f0d4d8dd.exe	30
PID 2128 wrote to memory of 2880	2128	JaffaCakes118_210d758e01ef8a01a0808a94f0d4d8dd.exe	30
PID 2128 wrote to memory of 2880	2128	JaffaCakes118_210d758e01ef8a01a0808a94f0d4d8dd.exe	30
PID 2128 wrote to memory of 2880	2128	JaffaCakes118_210d758e01ef8a01a0808a94f0d4d8dd.exe	30
PID 2128 wrote to memory of 2980	2128	JaffaCakes118_210d758e01ef8a01a0808a94f0d4d8dd.exe	32
PID 2128 wrote to memory of 2980	2128	JaffaCakes118_210d758e01ef8a01a0808a94f0d4d8dd.exe	32
PID 2128 wrote to memory of 2980	2128	JaffaCakes118_210d758e01ef8a01a0808a94f0d4d8dd.exe	32
PID 2128 wrote to memory of 2980	2128	JaffaCakes118_210d758e01ef8a01a0808a94f0d4d8dd.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_210d758e01ef8a01a0808a94f0d4d8dd.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_210d758e01ef8a01a0808a94f0d4d8dd.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_210d758e01ef8a01a0808a94f0d4d8dd.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_210d758e01ef8a01a0808a94f0d4d8dd.exe startC:\Program Files (x86)\LP\D4FA\F72.exe%C:\Program Files (x86)\LP\D4FA
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2880
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_210d758e01ef8a01a0808a94f0d4d8dd.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_210d758e01ef8a01a0808a94f0d4d8dd.exe startC:\Users\Admin\AppData\Roaming\ADF8A\04BD4.exe%C:\Users\Admin\AppData\Roaming\ADF8A
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ADF8A\AF8A.DF8

Filesize
996B

MD5
d7cdf90fc4d65816636756645830d235

SHA1
7c0b5130725bf25a77e72e748cbc627d8031da17

SHA256
f4272e33e8f72b4853b11a73cc448611ebb23a4018b7fed3ef6ad6eb852cf10b

SHA512
ff7163a83cc7b9c93be4b2c1bddcb277388a284c5f4720735aa805a0875cab7005a75387e0334b15a48f75a0a9e59a509e694dd2091d74cd8f1bbec6b6c04aff

Download Submit
C:\Users\Admin\AppData\Roaming\ADF8A\AF8A.DF8

Filesize
600B

MD5
7b09fc58a7d655e8d7a3f1c68d03a247

SHA1
35ab8258500a5823829cd46f1064f70005e642cb

SHA256
f12e126c93680f2afb944003764686e8efacbfc99fe2ea6da1aea8b2ac70fcc4

SHA512
4e9b069c2c03513cb0585ab31f848df2c5dd63069c076f4cd747cae1300894a96341feeb31b886ca71093b1f08fcf906862baa7464a03108bd8f1874daf00b89

Download Submit
C:\Users\Admin\AppData\Roaming\ADF8A\AF8A.DF8

Filesize
1KB

MD5
d252f610fb5bf225114b4cb20d0f1f3b

SHA1
a178e52fb138b5c91c12cba1a430e2d9979cc284

SHA256
de2d1c956e82f840172275f58eb6766b86f24ffb7125698de02e63ee4d999361

SHA512
ade25d235460e8f63abc1fdc04dce7bd59c4373f8fd672f8557dfc029bbf8c61248b50d3e3f9c8a3dfaf8353610051fb93d24cb44ab2be36fbcbee91d71defa5

Download Submit
memory/2128-0-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2128-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2128-3-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2128-14-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2128-15-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2128-312-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2880-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2980-137-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing