cycbot | 1280c3015517aad9db42e2eeb89248e2918e06164803d602fadeec6a3a55faf7

General

Target

JaffaCakes118_797c25ac265de8037108f4e94eaeffe8.exe
Size

188KB
MD5

797c25ac265de8037108f4e94eaeffe8
SHA1

7b7f0074f0d4359c12c758cfeb7683429da78278
SHA256

1280c3015517aad9db42e2eeb89248e2918e06164803d602fadeec6a3a55faf7
SHA512

ae8cbc9bb743a47a728890cfc36d71d5c7e9355ef0794dcb7702d11690d4c56a07ee78de4b221f954b24872517562b07691609dea75be94ffa33f4311eaa624c
SSDEEP

3072:BT4VNXhYIY2Cf6owIOa5SKsStD3ortfAdIJcCaP4BcrYeLO11ui+lIgnD:BqNX6CnowIOaQiD4JfUycC5WrY71uiNK

Score

10^/10

cycbot backdoor discovery rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/1940-9-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/2044-14-0x0000000000400000-0x0000000000452000-memory.dmp	family_cycbot
behavioral1/memory/2044-15-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/1092-81-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot
behavioral1/memory/2044-180-0x0000000000400000-0x0000000000455000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2044-2-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1940-7-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1940-9-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2044-14-0x0000000000400000-0x0000000000452000-memory.dmp	upx
behavioral1/memory/2044-15-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1092-81-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2044-180-0x0000000000400000-0x0000000000455000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_797c25ac265de8037108f4e94eaeffe8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_797c25ac265de8037108f4e94eaeffe8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_797c25ac265de8037108f4e94eaeffe8.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 1940	2044	JaffaCakes118_797c25ac265de8037108f4e94eaeffe8.exe	30
PID 2044 wrote to memory of 1940	2044	JaffaCakes118_797c25ac265de8037108f4e94eaeffe8.exe	30
PID 2044 wrote to memory of 1940	2044	JaffaCakes118_797c25ac265de8037108f4e94eaeffe8.exe	30
PID 2044 wrote to memory of 1940	2044	JaffaCakes118_797c25ac265de8037108f4e94eaeffe8.exe	30
PID 2044 wrote to memory of 1092	2044	JaffaCakes118_797c25ac265de8037108f4e94eaeffe8.exe	33
PID 2044 wrote to memory of 1092	2044	JaffaCakes118_797c25ac265de8037108f4e94eaeffe8.exe	33
PID 2044 wrote to memory of 1092	2044	JaffaCakes118_797c25ac265de8037108f4e94eaeffe8.exe	33
PID 2044 wrote to memory of 1092	2044	JaffaCakes118_797c25ac265de8037108f4e94eaeffe8.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_797c25ac265de8037108f4e94eaeffe8.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_797c25ac265de8037108f4e94eaeffe8.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_797c25ac265de8037108f4e94eaeffe8.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_797c25ac265de8037108f4e94eaeffe8.exe startC:\Program Files (x86)\LP\D3AF\EB6.exe%C:\Program Files (x86)\LP\D3AF
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1940
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_797c25ac265de8037108f4e94eaeffe8.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_797c25ac265de8037108f4e94eaeffe8.exe startC:\Users\Admin\AppData\Roaming\F7DA6\B2ED3.exe%C:\Users\Admin\AppData\Roaming\F7DA6
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\F7DA6\625A.7DA

Filesize
1KB

MD5
fd86f9016b66bfeef2f86955aec15589

SHA1
f159efb9bc8b9cd5d2097797d3602fdd001f6ef8

SHA256
25f70b0386c42c9a38b091fec740fa0a59d336d6fa5b0076d9ec4ac500c45e5a

SHA512
a0f3700a0cff3c346d4ea2e1716d0c0b68909ce167e679fec2768230dad13518f5aec6e31065d0415eb995b1bccc3ec671f6e23cf7412e093db9442e2099d02b

Download Submit
C:\Users\Admin\AppData\Roaming\F7DA6\625A.7DA

Filesize
600B

MD5
f918f0df37a47b43a823b9ea03dd4af8

SHA1
c7745c77bc73a74f97c62ea6a31ae496dfb9ea50

SHA256
f9aca44a7d0810f5c04c9e8b3eb9d71a2b3bd608213cd7bca87cb23a9ffaccd7

SHA512
341b66883f17ba950e5b5730407cc34ff9089f661e56b41f898c4acf21d1af6bfe646ae44d3b18d8558cd553cd902ad92d704ceb9bcf9701f644b8528822bac0

Download Submit
C:\Users\Admin\AppData\Roaming\F7DA6\625A.7DA

Filesize
996B

MD5
7df7f4fdf89825dcd6d838a63225c9d4

SHA1
322768ea5f4039fdfe186cc6fd63604eea8fbba5

SHA256
677dc6ef5a9ae4a0b3a3aa25ea66e7326335ea3d6f5d7662b8e5665acaee8448

SHA512
a81294117f0ac21fbffc91afa88987c527b58f8fdb31d600c8b7b52abbdeaf44f3a31183f930a8e8d743275468d60feccccdbe33492aac5d96570dea235cae32

Download Submit
memory/1092-80-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1092-81-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1940-7-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1940-9-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2044-1-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2044-2-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2044-14-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2044-15-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2044-180-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download

Analysis

Sharing