cryptbot | 8a7ab275acf36cb7306f18f953b72f45213904632243a8290d8868008b5f4ae2

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08-04-2024 23:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8abf51b99ff390aad5f8044e88ac806_JaffaCakes118.exe
Size

2.5MB
MD5

e8abf51b99ff390aad5f8044e88ac806
SHA1

0004179b8721abb457d17c6ede713ddb1152640a
SHA256

8a7ab275acf36cb7306f18f953b72f45213904632243a8290d8868008b5f4ae2
SHA512

a01cb76c58a3cd1d96fdb128ea9707e4af163b2531980c1b5b07826fdd2456e1e95fadc31317456eba13d9a4bf74e22f222817e48033194833927bb74a531c87
SSDEEP

49152:okFvNW035OI9Q/RKs2f8I08WWKH9FXBj0EjtCOmHgYxrhebg+b:ooNxJO0Q6E/8WN9j0iDmHgYObVb

Score

10^/10

cryptbot discovery evasion spyware stealer themida trojan

Malware Config

Extracted

Family

cryptbot

veotyc21.top

morpib02.top

Attributes

payload_url
http://tynoev02.top/download.php?file=lv.exe

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

e8abf51b99ff390aad5f8044e88ac806_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ e8abf51b99ff390aad5f8044e88ac806_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	e8abf51b99ff390aad5f8044e88ac806_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e8abf51b99ff390aad5f8044e88ac806_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e8abf51b99ff390aad5f8044e88ac806_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e8abf51b99ff390aad5f8044e88ac806_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 17 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/3048-0-0x0000000000400000-0x0000000000A8F000-memory.dmp	themida
behavioral2/memory/3048-2-0x0000000000400000-0x0000000000A8F000-memory.dmp	themida
behavioral2/memory/3048-3-0x0000000000400000-0x0000000000A8F000-memory.dmp	themida
behavioral2/memory/3048-114-0x0000000000400000-0x0000000000A8F000-memory.dmp	themida
behavioral2/memory/3048-116-0x0000000000400000-0x0000000000A8F000-memory.dmp	themida
behavioral2/memory/3048-119-0x0000000000400000-0x0000000000A8F000-memory.dmp	themida
behavioral2/memory/3048-122-0x0000000000400000-0x0000000000A8F000-memory.dmp	themida
behavioral2/memory/3048-125-0x0000000000400000-0x0000000000A8F000-memory.dmp	themida
behavioral2/memory/3048-129-0x0000000000400000-0x0000000000A8F000-memory.dmp	themida
behavioral2/memory/3048-132-0x0000000000400000-0x0000000000A8F000-memory.dmp	themida
behavioral2/memory/3048-135-0x0000000000400000-0x0000000000A8F000-memory.dmp	themida
behavioral2/memory/3048-138-0x0000000000400000-0x0000000000A8F000-memory.dmp	themida
behavioral2/memory/3048-141-0x0000000000400000-0x0000000000A8F000-memory.dmp	themida
behavioral2/memory/3048-144-0x0000000000400000-0x0000000000A8F000-memory.dmp	themida
behavioral2/memory/3048-147-0x0000000000400000-0x0000000000A8F000-memory.dmp	themida
behavioral2/memory/3048-150-0x0000000000400000-0x0000000000A8F000-memory.dmp	themida
behavioral2/memory/3048-153-0x0000000000400000-0x0000000000A8F000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

e8abf51b99ff390aad5f8044e88ac806_JaffaCakes118.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA e8abf51b99ff390aad5f8044e88ac806_JaffaCakes118.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

e8abf51b99ff390aad5f8044e88ac806_JaffaCakes118.exe

pid process

3048 e8abf51b99ff390aad5f8044e88ac806_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e8abf51b99ff390aad5f8044e88ac806_JaffaCakes118.exe

pid	process
3048	e8abf51b99ff390aad5f8044e88ac806_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e8abf51b99ff390aad5f8044e88ac806_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	e8abf51b99ff390aad5f8044e88ac806_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	e8abf51b99ff390aad5f8044e88ac806_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

e8abf51b99ff390aad5f8044e88ac806_JaffaCakes118.exe

pid process

3048 e8abf51b99ff390aad5f8044e88ac806_JaffaCakes118.exe
3048 e8abf51b99ff390aad5f8044e88ac806_JaffaCakes118.exe

pid	process
3048	e8abf51b99ff390aad5f8044e88ac806_JaffaCakes118.exe
3048	e8abf51b99ff390aad5f8044e88ac806_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e8abf51b99ff390aad5f8044e88ac806_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e8abf51b99ff390aad5f8044e88ac806_JaffaCakes118.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3048

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EsKCUGGnY\TXCiolsjBdfdC.zip
Filesize
51KB

MD5
815a4dd361e62e82b62355aee8d48ad0

SHA1
141fb85b0a60ca0c1f1994e3fdfb7538b50e9c76

SHA256
43bba85c5993ffd7885855f33ecdd29c6a18e829078e9352495ccc84fb94f75c

SHA512
ba3e835772551132c2a5d15b28ebfbf215419ab96749eef84c2833109bdc90f1ffa9d602b797e1bae2c698a5b5921bf716201a49df775fffef62437bc4afd46b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EsKCUGGnY\_Files\_Information.txt
Filesize
3KB

MD5
ce3767e4f84dbb50ff1f5f3508746095

SHA1
aa20fe7a77351b63132a48b7ce13908aca909324

SHA256
a6b3aa58a8e134ced437f81732289e1856cc1c321c3e8ab0f4a8edcc68df208b

SHA512
a0f5ab2246e6c6358851551dda1124764f374a08b6cb87907aaecf1b70fb42b278c0c3690fe961eda9e9659543108bb29ed0d6fe761d8128ade98c1ca10b339b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EsKCUGGnY\_Files\_Information.txt
Filesize
4KB

MD5
72e2c62ffec6aa687fd2255008902de8

SHA1
5c94324bfa40725014bcef9939e2d0c6e172f5cf

SHA256
28e1efe9060a47baa8dc005734454dc587576612229df52dfe83f5b7975f1fdc

SHA512
6a211cc1c075cf2f1f8591d2fefa77ae93d976bab4f0cda52d174757a46cbf57d0b3850591fe4ab90e201eaf9e30e6b68d45777a873b557cba214408e2a856b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\EsKCUGGnY\_Files\_Screen_Desktop.jpeg
Filesize
56KB

MD5
ff78f9185b9ee7ea0e9adf576979743b

SHA1
ad4e70a602d6e2bc0719ed9493f2c9ac384d5d3d

SHA256
e2a4c157fabf6642882fd6d22c2f083dc21a2b4a6867ca2245ef2b6609042cbc

SHA512
83c034a41c12fbc6c5765173b623f845e63c29c9bec7f7194e50047ff28153e49069241a1d4147e322d0e5eaa3a748e008ce2bfd4b7df86436c44b543bca9f72

Download Submit
memory/3048-119-0x0000000000400000-0x0000000000A8F000-memory.dmp

Filesize
6.6MB

Download
memory/3048-129-0x0000000000400000-0x0000000000A8F000-memory.dmp

Filesize
6.6MB

Download
memory/3048-2-0x0000000000400000-0x0000000000A8F000-memory.dmp

Filesize
6.6MB

Download
memory/3048-114-0x0000000000400000-0x0000000000A8F000-memory.dmp

Filesize
6.6MB

Download
memory/3048-116-0x0000000000400000-0x0000000000A8F000-memory.dmp

Filesize
6.6MB

Download
memory/3048-1-0x00000000774A4000-0x00000000774A6000-memory.dmp

Filesize
8KB

Download
memory/3048-0-0x0000000000400000-0x0000000000A8F000-memory.dmp

Filesize
6.6MB

Download
memory/3048-122-0x0000000000400000-0x0000000000A8F000-memory.dmp

Filesize
6.6MB

Download
memory/3048-125-0x0000000000400000-0x0000000000A8F000-memory.dmp

Filesize
6.6MB

Download
memory/3048-3-0x0000000000400000-0x0000000000A8F000-memory.dmp

Filesize
6.6MB

Download
memory/3048-132-0x0000000000400000-0x0000000000A8F000-memory.dmp

Filesize
6.6MB

Download
memory/3048-135-0x0000000000400000-0x0000000000A8F000-memory.dmp

Filesize
6.6MB

Download
memory/3048-138-0x0000000000400000-0x0000000000A8F000-memory.dmp

Filesize
6.6MB

Download
memory/3048-141-0x0000000000400000-0x0000000000A8F000-memory.dmp

Filesize
6.6MB

Download
memory/3048-144-0x0000000000400000-0x0000000000A8F000-memory.dmp

Filesize
6.6MB

Download
memory/3048-147-0x0000000000400000-0x0000000000A8F000-memory.dmp

Filesize
6.6MB

Download
memory/3048-150-0x0000000000400000-0x0000000000A8F000-memory.dmp

Filesize
6.6MB

Download
memory/3048-153-0x0000000000400000-0x0000000000A8F000-memory.dmp

Filesize
6.6MB

Download