cycbot | 481e8252b1e083eef939cf57c6b1dd2929083b72a0517dcfa78243aad442dbac

General

Target

JaffaCakes118_438840a828a259f5191d80436faf37ad.exe
Size

187KB
MD5

438840a828a259f5191d80436faf37ad
SHA1

31eb51f3627d1fcdd3895cd5969cb77dba0c1926
SHA256

481e8252b1e083eef939cf57c6b1dd2929083b72a0517dcfa78243aad442dbac
SHA512

548759e865b2d15f38f67f400ee926ff2bf2b19806ee4e1f79eb44e411f24e449c86d05c356ca08af8cac5c342c30b7d5b3a66013363dd81a78d5f426438f253
SSDEEP

3072:crWqzy/iFj85uZvlywtd94jALUbM1qQpIDUPFdpyXkU6lxDswlRc3lgTX0PBxJ5G:c9qf5ue84jkUA1q6P3pydwxDs4RcVKEu

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 6 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2800-14-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot
behavioral1/memory/2772-15-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot
behavioral1/memory/2772-16-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral1/memory/860-119-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot
behavioral1/memory/860-121-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot
behavioral1/memory/2772-299-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2772-2-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2800-12-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2800-11-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2800-14-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2772-15-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2772-16-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/860-119-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/860-121-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2772-299-0x0000000000400000-0x0000000000454000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_438840a828a259f5191d80436faf37ad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_438840a828a259f5191d80436faf37ad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_438840a828a259f5191d80436faf37ad.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 2800	2772	JaffaCakes118_438840a828a259f5191d80436faf37ad.exe	30
PID 2772 wrote to memory of 2800	2772	JaffaCakes118_438840a828a259f5191d80436faf37ad.exe	30
PID 2772 wrote to memory of 2800	2772	JaffaCakes118_438840a828a259f5191d80436faf37ad.exe	30
PID 2772 wrote to memory of 2800	2772	JaffaCakes118_438840a828a259f5191d80436faf37ad.exe	30
PID 2772 wrote to memory of 860	2772	JaffaCakes118_438840a828a259f5191d80436faf37ad.exe	32
PID 2772 wrote to memory of 860	2772	JaffaCakes118_438840a828a259f5191d80436faf37ad.exe	32
PID 2772 wrote to memory of 860	2772	JaffaCakes118_438840a828a259f5191d80436faf37ad.exe	32
PID 2772 wrote to memory of 860	2772	JaffaCakes118_438840a828a259f5191d80436faf37ad.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_438840a828a259f5191d80436faf37ad.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_438840a828a259f5191d80436faf37ad.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_438840a828a259f5191d80436faf37ad.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_438840a828a259f5191d80436faf37ad.exe startC:\Program Files (x86)\LP\9FD4\CF5.exe%C:\Program Files (x86)\LP\9FD4
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2800
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_438840a828a259f5191d80436faf37ad.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_438840a828a259f5191d80436faf37ad.exe startC:\Users\Admin\AppData\Roaming\4B095\2169F.exe%C:\Users\Admin\AppData\Roaming\4B095
  2⤵
  - System Location Discovery: System Language Discovery
  PID:860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\4B095\59F4.B09

Filesize
996B

MD5
bfeaa20be3230873df490197618da0be

SHA1
9f568fec7427c11eb651cd3c6efca309fa169996

SHA256
b477892a20f482664d0038bb48a754f6236c7a422ef84ab81bff0fe5b1091341

SHA512
e5925fdfaf0d3b8370632f74ffd716a7c882ea3e4804f45a627e32b5130a29d58138ad2a3494f20c45598dff11d8fe14aec9d27cca093bfc9748017ae23d2897

Download Submit
C:\Users\Admin\AppData\Roaming\4B095\59F4.B09

Filesize
600B

MD5
92d5aac27cc860729fd9d390dd0e0722

SHA1
72b7c7dbb01030c8fb33f8805e305c0bee0edf19

SHA256
44e4cf20517397080ec004c31e2d324614be3f24df755c65496ee1aa0f56b28d

SHA512
858a3491e846afec4ed626b1ee0727ae153032c59d2ce82b95f718d4e7041a8eab691064ff4713e84d42bbc66017028edd0159593e394d43daafed2b446bd54b

Download Submit
C:\Users\Admin\AppData\Roaming\4B095\59F4.B09

Filesize
1KB

MD5
a5bcc370293b6a37e22554db07dd01e1

SHA1
077e3fc11870686c2d7a2edefa3d953f58cc9795

SHA256
b0e48cffc3057d811a889d955a2f9ae010ca2e2240a301aa6abc24386d0c38ab

SHA512
64d3e0488b02a5b8c623e49c06af932cfc69a5d7972db7a6a939c72f98b97de15ee1287669c89b83dea1240467c2d84bd7381668d8d80cfc8a81dd654fa26b9e

Download Submit
memory/860-118-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/860-121-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/860-119-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2772-16-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2772-1-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2772-15-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2772-2-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2772-299-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2800-14-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2800-11-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2800-12-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing