cycbot | 73a7c36c46316077f8f6e26c4c0f095f65f19ce2d735851fdeea535dd860334f

General

Target

JaffaCakes118_42d8d4574b0560902ae5d4c1496cda10.exe
Size

180KB
MD5

42d8d4574b0560902ae5d4c1496cda10
SHA1

a9dd3edb68b369deed8799fec8fa7d6cbae4ae82
SHA256

73a7c36c46316077f8f6e26c4c0f095f65f19ce2d735851fdeea535dd860334f
SHA512

03ca6353de58fb966ae0d5b3bb3a1d86d6951878019fc36e638d878300423ad084d6882e410c3fdad06cceb2548c5669cf3dfa24907f32852ebb0505b7eee09b
SSDEEP

3072:n6VNvSDMdkeWP1CSmEp71GA3/0uhc5yIvckEIQnqoPtKV0Sp5ZdVOwR:6ZfybTmcGA3zhc5yIvcSsJtGjp5t

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2336-16-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/2348-17-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/2348-18-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral1/memory/2620-108-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/2348-287-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2348-3-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2336-14-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2336-16-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2348-17-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2348-18-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2620-108-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2348-287-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_42d8d4574b0560902ae5d4c1496cda10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_42d8d4574b0560902ae5d4c1496cda10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_42d8d4574b0560902ae5d4c1496cda10.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 2336	2348	JaffaCakes118_42d8d4574b0560902ae5d4c1496cda10.exe	31
PID 2348 wrote to memory of 2336	2348	JaffaCakes118_42d8d4574b0560902ae5d4c1496cda10.exe	31
PID 2348 wrote to memory of 2336	2348	JaffaCakes118_42d8d4574b0560902ae5d4c1496cda10.exe	31
PID 2348 wrote to memory of 2336	2348	JaffaCakes118_42d8d4574b0560902ae5d4c1496cda10.exe	31
PID 2348 wrote to memory of 2620	2348	JaffaCakes118_42d8d4574b0560902ae5d4c1496cda10.exe	33
PID 2348 wrote to memory of 2620	2348	JaffaCakes118_42d8d4574b0560902ae5d4c1496cda10.exe	33
PID 2348 wrote to memory of 2620	2348	JaffaCakes118_42d8d4574b0560902ae5d4c1496cda10.exe	33
PID 2348 wrote to memory of 2620	2348	JaffaCakes118_42d8d4574b0560902ae5d4c1496cda10.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_42d8d4574b0560902ae5d4c1496cda10.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_42d8d4574b0560902ae5d4c1496cda10.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_42d8d4574b0560902ae5d4c1496cda10.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_42d8d4574b0560902ae5d4c1496cda10.exe startC:\Program Files (x86)\LP\EA35\F8C.exe%C:\Program Files (x86)\LP\EA35
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2336
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_42d8d4574b0560902ae5d4c1496cda10.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_42d8d4574b0560902ae5d4c1496cda10.exe startC:\Users\Admin\AppData\Roaming\56D45\ACAEA.exe%C:\Users\Admin\AppData\Roaming\56D45
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\56D45\59B4.6D4

Filesize
300B

MD5
529b7fcb2b9f0a3df2fee172529ad597

SHA1
7c465b791f9e55e9f9391111cc577bd429141155

SHA256
4cedd5d8d47f4640b77e566733b2c9b801d7a350899dbab71c65b60c246fc6f3

SHA512
dbc9ecc8f5eb55a61dbceebeddf9fb1b7e727ca74f92273d6aac5b99f0a93d82b81dfaed4f5eb8be3b43726735711a7b4578d14b20656f08775a4f66665320b6

Download Submit
C:\Users\Admin\AppData\Roaming\56D45\59B4.6D4

Filesize
996B

MD5
09632267cd50166e7871e73c8bf3d221

SHA1
3189c99e2125569ae2bc69d7a5166a7abe0f83a3

SHA256
f4a6be1e9ac66a8b75b5f039b6fab46b95ebff8c2fe2a163c5d924455585f451

SHA512
b83466ec17b335b235141f726a471a17410593f23eaef3f4adfb92b4f4c17d47b63f5d4dc04f23f8f5fc8346a719165b6dafe97e1326e3df5202bb03aad523d6

Download Submit
C:\Users\Admin\AppData\Roaming\56D45\59B4.6D4

Filesize
600B

MD5
2517758af13ee6dbd442362c7548e2d1

SHA1
701d80486743d1da18a7e74e54f28b0bbbdf1194

SHA256
189dfcbc639e412cb73dd0915f0d5e7b07dc3ee73794ff09c4aab1d207a9b5b7

SHA512
fbb214ae72fc2792d4d88ac8e225c56535f3ce12b4f53648e1736593cb72dc7da551899a2e9cf40392aa574fb7b56ce544354c3473428d71c8b3375236524aae

Download Submit
C:\Users\Admin\AppData\Roaming\56D45\59B4.6D4

Filesize
1KB

MD5
9813f169595e863b66fe35d05ca527a9

SHA1
c9ecf7f47e344d6ce1e484a8acd9fedf48d7bfda

SHA256
03bca77bcb0f584433134237df6868f32fff38d794162b1a3604fedb022d4c8c

SHA512
b613226d28922a9c25d580032bfffd4e0e3c5b5cc1a37d005367113517de14ab21953d62a5ba624170d6ce9b9480f086b5d145a6039afd719b4a24db0558be65

Download Submit
memory/2336-14-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2336-13-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2336-16-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2348-3-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2348-17-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2348-18-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2348-0-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2348-2-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2348-287-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2620-108-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing