cycbot | 63130c80578b44d6ba0c7f7c13cfb4e893967a81608d0ec8993dfe6020f268c3

General

Target

JaffaCakes118_771873432a46048391d86de0cf6e6ebb.exe
Size

178KB
MD5

771873432a46048391d86de0cf6e6ebb
SHA1

5a07c7e3345210329d4d0cc17a6e1d86585b121d
SHA256

63130c80578b44d6ba0c7f7c13cfb4e893967a81608d0ec8993dfe6020f268c3
SHA512

30ee54e452069c52253d92360a5cd94fb33747319f7263de4d3383477601b47ccc41a7038162a104763238b663f0a50ee76f9cd0ddc0d384b558a945af6dabd8
SSDEEP

3072:/L/wyNqKMLufKePcPRD5kFR+rUr1YdDrgXvftX48yr2goxiX:/L/wfLufDwIR6d/gXHtXJm5R

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2648-14-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot
behavioral1/memory/2828-15-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral1/memory/2828-16-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot
behavioral1/memory/2280-131-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot
behavioral1/memory/2828-294-0x0000000000400000-0x0000000000454000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2828-2-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2648-11-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2648-14-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2648-12-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2828-15-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2828-16-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2280-131-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/2828-294-0x0000000000400000-0x0000000000454000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_771873432a46048391d86de0cf6e6ebb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_771873432a46048391d86de0cf6e6ebb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_771873432a46048391d86de0cf6e6ebb.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 2648	2828	JaffaCakes118_771873432a46048391d86de0cf6e6ebb.exe	30
PID 2828 wrote to memory of 2648	2828	JaffaCakes118_771873432a46048391d86de0cf6e6ebb.exe	30
PID 2828 wrote to memory of 2648	2828	JaffaCakes118_771873432a46048391d86de0cf6e6ebb.exe	30
PID 2828 wrote to memory of 2648	2828	JaffaCakes118_771873432a46048391d86de0cf6e6ebb.exe	30
PID 2828 wrote to memory of 2280	2828	JaffaCakes118_771873432a46048391d86de0cf6e6ebb.exe	32
PID 2828 wrote to memory of 2280	2828	JaffaCakes118_771873432a46048391d86de0cf6e6ebb.exe	32
PID 2828 wrote to memory of 2280	2828	JaffaCakes118_771873432a46048391d86de0cf6e6ebb.exe	32
PID 2828 wrote to memory of 2280	2828	JaffaCakes118_771873432a46048391d86de0cf6e6ebb.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_771873432a46048391d86de0cf6e6ebb.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_771873432a46048391d86de0cf6e6ebb.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_771873432a46048391d86de0cf6e6ebb.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_771873432a46048391d86de0cf6e6ebb.exe startC:\Program Files (x86)\LP\32FF\5C6.exe%C:\Program Files (x86)\LP\32FF
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2648
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_771873432a46048391d86de0cf6e6ebb.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_771873432a46048391d86de0cf6e6ebb.exe startC:\Users\Admin\AppData\Roaming\F355F\AC432.exe%C:\Users\Admin\AppData\Roaming\F355F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\F355F\FF4C.355

Filesize
996B

MD5
9d41aded6fb1eb4b6f9bc072db569d87

SHA1
f5d1b4fff0bcf72adde74cff6bd3ab3e0996291c

SHA256
9261810d6145077b0a2415be5c085d42faf18f8e4fc23a841ef7687c6fc41dac

SHA512
13d0b662d6eb32db702c10e457a1517c98ae695c7b0aedab5eecf9b8f21495cadbba71dec5d260071dd358b05735be62dd49a5e7a674b2c47008e4f24e2c0a61

Download Submit
C:\Users\Admin\AppData\Roaming\F355F\FF4C.355

Filesize
600B

MD5
85739d4022fbb3a194666aa42ca6277b

SHA1
a6919aa4f34bb4baab7b2a314189c42ade175def

SHA256
bd703b3fbd72cb885c381815e81e55d53bd8ca70b6548d93ebad9e25857ee91e

SHA512
6bf281b11a8466a7b3db63852d0d17c795fc85acc6d03d359d942719c15f7c669412896daa46ea1b89bbe8013e4d52ae17238ea381a843a6f682d5555f47586a

Download Submit
C:\Users\Admin\AppData\Roaming\F355F\FF4C.355

Filesize
1KB

MD5
3992a94893619c0468b83ad572d6ebaa

SHA1
84a240a37365651be6d7d813946e40318e37eb85

SHA256
9bf284acf44d78a5fb8bc882fcc7b27169cef50afbddeafa51cb3b086cfb0752

SHA512
9ae7303c19cad4a7a0102975def732a378aaf3a2ce4e194a92723660308b484de48138acab42752e60df466cd237047755418702b535ec56045eb95693b0ee16

Download Submit
memory/2280-131-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2280-129-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2648-14-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2648-12-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2648-11-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2828-16-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2828-15-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2828-1-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2828-2-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2828-294-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing