cycbot | 3fbc54a4a60d608803e05438a6f4142bb937013479982cdee8e8a769b87feed2

General

Target

JaffaCakes118_2d5d06944fee42a022a80ec116e95f0b.exe
Size

175KB
MD5

2d5d06944fee42a022a80ec116e95f0b
SHA1

f17e20da49e42a82a0a336ca57105d7753ec094e
SHA256

3fbc54a4a60d608803e05438a6f4142bb937013479982cdee8e8a769b87feed2
SHA512

eb444850c0c695d97dd783f25646608a8953a5223769c3cb662fe4b7a8b37be43820996c1916bc1124d5c9620ee6fea0e62f966786a2f36293e058d9586206b8
SSDEEP

3072:PJ3iQmKim4BBfIAD1XtfU6o9MnFJaYdhD7E8+TZ7KfQDJ/hH3dtSk2C4xUkKm:PJ3XmFBfIADX86o9MnFo8hv/+xK4D1hn

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2756-15-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/3040-16-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/3040-17-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral1/memory/1664-115-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/3040-270-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3040-3-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2756-13-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2756-14-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2756-15-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/3040-16-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/3040-17-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/1664-115-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/3040-270-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2d5d06944fee42a022a80ec116e95f0b.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2756	3040	JaffaCakes118_2d5d06944fee42a022a80ec116e95f0b.exe	30
PID 3040 wrote to memory of 2756	3040	JaffaCakes118_2d5d06944fee42a022a80ec116e95f0b.exe	30
PID 3040 wrote to memory of 2756	3040	JaffaCakes118_2d5d06944fee42a022a80ec116e95f0b.exe	30
PID 3040 wrote to memory of 2756	3040	JaffaCakes118_2d5d06944fee42a022a80ec116e95f0b.exe	30
PID 3040 wrote to memory of 1664	3040	JaffaCakes118_2d5d06944fee42a022a80ec116e95f0b.exe	32
PID 3040 wrote to memory of 1664	3040	JaffaCakes118_2d5d06944fee42a022a80ec116e95f0b.exe	32
PID 3040 wrote to memory of 1664	3040	JaffaCakes118_2d5d06944fee42a022a80ec116e95f0b.exe	32
PID 3040 wrote to memory of 1664	3040	JaffaCakes118_2d5d06944fee42a022a80ec116e95f0b.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2d5d06944fee42a022a80ec116e95f0b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2d5d06944fee42a022a80ec116e95f0b.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2d5d06944fee42a022a80ec116e95f0b.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2d5d06944fee42a022a80ec116e95f0b.exe startC:\Program Files (x86)\LP\EC02\379.exe%C:\Program Files (x86)\LP\EC02
  2⤵
  PID:2756
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2d5d06944fee42a022a80ec116e95f0b.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2d5d06944fee42a022a80ec116e95f0b.exe startC:\Users\Admin\AppData\Roaming\21B7B\6B1EC.exe%C:\Users\Admin\AppData\Roaming\21B7B
  2⤵
  PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\21B7B\BAF2.1B7

Filesize
996B

MD5
8d1f348cc3aed5ca73b5a1f8948e13f1

SHA1
a489f164ce5440f492cbbdff1bab084a0520d48d

SHA256
1ec866ea4a7a375f997bfb0f78c4763b186f849b74a07ee08d90f593271f7410

SHA512
f96c0f963367d7efd639a0c9ccfc0b56d8e703019afaf1416c2bd1725d7c467c38df6fe51447374d5b819797946ac9ca767031f3b9128bb4ab01010bb4ec0deb

Download Submit
C:\Users\Admin\AppData\Roaming\21B7B\BAF2.1B7

Filesize
600B

MD5
c38890c355665780bafe18e068d3d3b1

SHA1
9cab84331e465f0a988cb10bdc440bc193e1900a

SHA256
aa2ce28cba43d7aa542b9e752bd66827216fafcdfb1e636ce2fdff97104fc1c7

SHA512
f14f0c39c1ff3094560de3be47b7a77922b020234e5d2fe6b040f4cc5a1c3394e9cf25e96fac3079cecedca1fd67608c9659d0ae30fc3de132aefc671c4a5999

Download Submit
C:\Users\Admin\AppData\Roaming\21B7B\BAF2.1B7

Filesize
1KB

MD5
d1d4d15a2cca5c58edd2db8000928c79

SHA1
fdd2854df8eb1c40389f446cb2bb49c531cb84ab

SHA256
edfd56dd000a8036a86d6d463a132e73d9471c8d84ce07390e19e5fdc31d0874

SHA512
353a5acd69e263b9e34ef6e08c9fc8dc4cbb061cb5954ab843a301db5f9f364daf2166546ec819391de6d410dfb4b9528acd8b86a579be5e96c62639f9ed3024

Download Submit
memory/1664-115-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2756-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2756-15-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2756-14-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3040-16-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3040-17-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3040-0-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3040-3-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3040-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3040-270-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing