cycbot | b24fdc1f56b255cf669e947a4425c8ee4483c25ff8f1ee6c7e407f1a2d1b8528

General

Target

JaffaCakes118_302351ebfcba77bd445c5c3be99b2ae0.exe
Size

200KB
MD5

302351ebfcba77bd445c5c3be99b2ae0
SHA1

e4aeacb6b1033c77035d32e6e424ea076c983551
SHA256

b24fdc1f56b255cf669e947a4425c8ee4483c25ff8f1ee6c7e407f1a2d1b8528
SHA512

7b7cf28f70868654932e127e360cd2e266ce2fc153fc40d5e4f424d9cf40732431666b165aab304f55b9c928e36d9fc7d8c2965d72b6f590fe77c67e81c87d7b
SSDEEP

3072:wczKQqlNJ/wskbQjkx0ePX+Tbl6vbI1EHsKkCkhx+3NBbv5HYnP0QAGy6t:wcmnQ8jA00vAMf94NT

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2036-15-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/3032-16-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/3032-17-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral1/memory/2940-127-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/3032-298-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3032-3-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2036-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2036-15-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/3032-16-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/3032-17-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2940-127-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/3032-298-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_302351ebfcba77bd445c5c3be99b2ae0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_302351ebfcba77bd445c5c3be99b2ae0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_302351ebfcba77bd445c5c3be99b2ae0.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2036	3032	JaffaCakes118_302351ebfcba77bd445c5c3be99b2ae0.exe	31
PID 3032 wrote to memory of 2036	3032	JaffaCakes118_302351ebfcba77bd445c5c3be99b2ae0.exe	31
PID 3032 wrote to memory of 2036	3032	JaffaCakes118_302351ebfcba77bd445c5c3be99b2ae0.exe	31
PID 3032 wrote to memory of 2036	3032	JaffaCakes118_302351ebfcba77bd445c5c3be99b2ae0.exe	31
PID 3032 wrote to memory of 2940	3032	JaffaCakes118_302351ebfcba77bd445c5c3be99b2ae0.exe	33
PID 3032 wrote to memory of 2940	3032	JaffaCakes118_302351ebfcba77bd445c5c3be99b2ae0.exe	33
PID 3032 wrote to memory of 2940	3032	JaffaCakes118_302351ebfcba77bd445c5c3be99b2ae0.exe	33
PID 3032 wrote to memory of 2940	3032	JaffaCakes118_302351ebfcba77bd445c5c3be99b2ae0.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_302351ebfcba77bd445c5c3be99b2ae0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_302351ebfcba77bd445c5c3be99b2ae0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_302351ebfcba77bd445c5c3be99b2ae0.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_302351ebfcba77bd445c5c3be99b2ae0.exe startC:\Program Files (x86)\LP\54F9\0A0.exe%C:\Program Files (x86)\LP\54F9
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2036
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_302351ebfcba77bd445c5c3be99b2ae0.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_302351ebfcba77bd445c5c3be99b2ae0.exe startC:\Users\Admin\AppData\Roaming\9716C\C1054.exe%C:\Users\Admin\AppData\Roaming\9716C
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\9716C\C8CB.716

Filesize
300B

MD5
7310795831b794b236bc0a6376acad5f

SHA1
3eb6692f2347df3c1020fdb78a390205ac8c8a13

SHA256
67de2263007d86c036d1e39ec5d0da79a47d516aeaaa1d82421a0c39f5f29eee

SHA512
23a0a5cc4ba81addaa826f86998f2ee62162c84a78c646b4e6d05c99cdb1c695db01226759b63f4472db59da83b54b60b6ad78370730a49093f893368a8b27e2

Download Submit
C:\Users\Admin\AppData\Roaming\9716C\C8CB.716

Filesize
996B

MD5
336d34e8315f2ba0f63ab3f5e5139cec

SHA1
2105b40449d15e1fb96a7d55e95ff984b3d5d469

SHA256
b998076038746d29d075cfe991a6b2bce608dfc1eb9dd6e874d4ededf3bd8d43

SHA512
8d80df19b30f8bf55b33c327c1e03cd2875c7338489d1488c34d872bf8448c40dbc9dc147cf315c431fedc0346b9f5503ef32c6f9bd4069e8c9fdd148e0ce829

Download Submit
C:\Users\Admin\AppData\Roaming\9716C\C8CB.716

Filesize
600B

MD5
bb11ae8c19e04f44c02a9509d193e9b3

SHA1
9a7f1d7fc86958c69bd20ac0096fd593d4b52ad7

SHA256
c75ea66040b53610cfa9456ef75cb9519c76d33225b810b9bb28c03bc7a7ab27

SHA512
534786858f98ca2447a92f28da9fb9fda27a5bf28ed45af10fbf30f0383d606c5064084c1c9fe396044c1d63ec03bae1d6541b04914e20fbf6f426ac42552458

Download Submit
C:\Users\Admin\AppData\Roaming\9716C\C8CB.716

Filesize
1KB

MD5
97e1739f5cb0900ac1d0f45d0ce978fa

SHA1
23a2018bb1b22409cd921c78df828906b56e8ef5

SHA256
04cb345faa2a8a1b7b02739fc1c9abff98729e0b09cbaf3ab3169cd21a419f95

SHA512
4161d662800d1662e9cd04827d987a528a7b2795dc9857b247c488ae1d15dbfdee18538065599143e13ec93e87cbb084caf9ad6fa297b4a95f2ece72fe1c16f4

Download Submit
memory/2036-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2036-15-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2940-127-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3032-17-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3032-16-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3032-0-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3032-3-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3032-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3032-298-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing