cryptbot | 962a4193daff6b2f63d74054afef07f91d0c187f5191cb7d13eb1cce3af4e31f

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08-04-2024 21:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e86b888ecea9692c31348554c521383d_JaffaCakes118.exe
Size

557KB
MD5

e86b888ecea9692c31348554c521383d
SHA1

59b2cbeb270908c441fd42d65664a820c71f2a70
SHA256

962a4193daff6b2f63d74054afef07f91d0c187f5191cb7d13eb1cce3af4e31f
SHA512

e6f2dda5fd62024faf1dd18fe31efc1d4cd71bf607adeac38d7dd11742fda0b40ce5621548390bad408b4c632a3745fa964372e10001b5522270d9af11e678c4
SSDEEP

12288:cTY6maNikdruhUIfVjKzC/9zGW4kmYqCViIatmg5nCZ+qzA8n9EwoO:B2ikpIfhKu8cqCViI08W89u

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Extracted

Family

cryptbot

hairdx22.top

morqoi02.top

Attributes

payload_url
http://zelpdo03.top/download.php?file=lv.exe

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2156-2-0x0000000004480000-0x0000000004520000-memory.dmp	family_cryptbot
behavioral1/memory/2156-3-0x0000000000400000-0x0000000002CC2000-memory.dmp	family_cryptbot
behavioral1/memory/2156-221-0x0000000000400000-0x0000000002CC2000-memory.dmp	family_cryptbot
behavioral1/memory/2156-225-0x0000000004480000-0x0000000004520000-memory.dmp	family_cryptbot

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e86b888ecea9692c31348554c521383d_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	e86b888ecea9692c31348554c521383d_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	e86b888ecea9692c31348554c521383d_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

e86b888ecea9692c31348554c521383d_JaffaCakes118.exe

pid process

2156 e86b888ecea9692c31348554c521383d_JaffaCakes118.exe
2156 e86b888ecea9692c31348554c521383d_JaffaCakes118.exe

pid	process
2156	e86b888ecea9692c31348554c521383d_JaffaCakes118.exe
2156	e86b888ecea9692c31348554c521383d_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e86b888ecea9692c31348554c521383d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e86b888ecea9692c31348554c521383d_JaffaCakes118.exe"
1⤵
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
PID:2156

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ToC61pkcoaM\_Files\_Information.txt
Filesize
1KB

MD5
82a57770111f09f10ec841e96f53023c

SHA1
b1bfb4aca4627afc790338a79665e14d6b7ed1e6

SHA256
3ff203af13f7e6f3fb4303b5fbc6e71e811928eee95a759ee7f34005da9595d4

SHA512
d33fca206ffa257b0fd7d12b5138ab7c15a951b3c75f5b423b653bcc5fe6455411527e51c0aed7049c0455c089c18ffe03a8c5c9bba74e40b6a9c6823ede86cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ToC61pkcoaM\_Files\_Information.txt
Filesize
3KB

MD5
818f882cf14a8e907c6a08623206046b

SHA1
470c72bb39f13a9f89fe5c528178c204baea9f50

SHA256
3d2e8ceaf09ff224cecf85f8148b3a210ce1f0d8d5908ccd357cd4f9ba53173b

SHA512
125e5f241988b972cdbc14867f3e9538b75d1e3ac5fd7952cc1d502acc6aa21a5aebcda0de5b122bdf302b12e842f727fdc6d48e69a8c0b7e08710584b35cb35

Download Submit
C:\Users\Admin\AppData\Local\Temp\ToC61pkcoaM\_Files\_Information.txt
Filesize
3KB

MD5
b38fc943283cf629c0359865081ab4a5

SHA1
44ea1d6d855b3c4b0234991e72a594f1af201f26

SHA256
dacd6d549af60f7749309a9e164c50488c111e087df9f3094b85e8eef33a8ec3

SHA512
d8b9a9a756d8f45871293602866e596933b082430313b374b522f5d9694bf24b7e4d294448f47f725a7e2f6d85ba249bafa2c6a1ea7342456fc521547f6bd83b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ToC61pkcoaM\_Files\_Information.txt
Filesize
3KB

MD5
e0a0497c6bd603a25b8be9d2577fca6e

SHA1
fd2b83b297b2d38757fd665e27bfe52dbc0d22b6

SHA256
378313990e444db459ca62036ef0ea65ea092f96ebf0c59788900becf02c0680

SHA512
94fe5b00084c31ea7db282a125bcc2bea7c810faa9d586344b1e81751bf4f64d1732417579bbf6134b54a31a9dec371643ebe28f30062b8d18b01d31e0609ecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ToC61pkcoaM\_Files\_Information.txt
Filesize
6KB

MD5
ddecbb92d3f82d0003e46805e0733711

SHA1
9f3dbb2b9256a1f15edf360a07aaf29b1a7b1ea4

SHA256
d7c3dafcd28fa5c5e7015b66cb3b946e63ae555621f7ae0a4b0b6be6182312eb

SHA512
73ae26fd9e512e5ec05e7ae700cbde3f953656419447b60b1898a7d6f86ba390ce0c81566da9dcc515da6e55f4773b513b94bf3140793ffdb08fc2e6fcc18068

Download Submit
C:\Users\Admin\AppData\Local\Temp\ToC61pkcoaM\_Files\_Screen_Desktop.jpeg
Filesize
43KB

MD5
12e4517eb1daaf7cb4b0c693974551da

SHA1
2cdd02c7057aed08b76d478669cd028b9e1d6357

SHA256
9c8b0ccf75095be3ecdbaf44d4f208c521efc06efa1d6756ba5354ca4559a37f

SHA512
0a6bb2dc2a99534771c63a17a90adafa5125d5d12d66e315eea0d2aee74269bf02afc968c09b9d044f62a873045cfb7e1dcce0d9e09960bfe2c52f308373271a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ToC61pkcoaM\files_\system_info.txt
Filesize
2KB

MD5
b352f3c0b9e17a97e6b96fd40ca0ed0c

SHA1
eaaa33463739a3807559f1fee2056ac90364cf7e

SHA256
8d4d2bdebf513db45240e6abdd9fce0eadffe484aa76397987989f1d38fee4bb

SHA512
4f96beb655ea8e4ff1f56dff814c1ad298343a97c70d651978a113143de7a3f2a0e7f92110b00435c4b0765bfe9e3f01a4540385eba1be2e62f481b540f45c6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ToC61pkcoaM\files_\system_info.txt
Filesize
3KB

MD5
8b925311adddaf6a33e719d95ffa160c

SHA1
2f2077171cd18fc8408f50dcf52f46a460feed8f

SHA256
8d18e552cd71ae06593e86dd4cf6e6782951f7ce2f15f05886e1f2b8b653c558

SHA512
9798bf85bc63e181a5ce8c7ac5036da3640b5db048da5dbec29cd4c979a20a77482abf531900fbc79264cbfd08792adf10a7dea0569791f2d1c4e74df637926f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ToC61pkcoaM\files_\system_info.txt
Filesize
3KB

MD5
0be6396e5e22760d96a5a98e833d0fef

SHA1
bb1fe60a1e7fdfd658a913c56aafd7375daa47c4

SHA256
0f19780ef39b0edb084480f2e5c0d91087e79988327e5464c5926f50d0589d3c

SHA512
5f9a50b6911181e010124b9e4e7c6214d3690be0ebb52de4866e367338cfe002d26686e582e5b7b3f11115fb315ba305684405a0131821bbcc911a537c7b0850

Download Submit
C:\Users\Admin\AppData\Local\Temp\ToC61pkcoaM\files_\system_info.txt
Filesize
8KB

MD5
74f95a2451d23fcd52d13ed1e3801791

SHA1
77e5b58a07e0b817855a32a6a898fc5219534f02

SHA256
55d33c5252869eaba139fd69a69c1e91c3b7687525b0a9a175b6be94bb658308

SHA512
624b36d05bb44f247e1790498555983def75dec094722f34a5802ebfc94041f4f0f55fecad7dc5f07820db93c7b06c63770c7b5edddd2b6dd97abfc6e27abd2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ToC61pkcoaM\yGAI1szLhB81.zip
Filesize
36KB

MD5
d573c3c5c918bc4d5cda87599388cc78

SHA1
a0d2b259f38079abf8275eaf2b059de8a00f92a1

SHA256
afe81704e3411ba6b5ecfd0245203318c8b529c5cc0a943f3942f0fb5235928a

SHA512
8c084a9dbd074335e4b7a286034874ca8fe2a862d9791781def7148ca4d248e223101c3a0cfe4c7abb7ca5c10a0dd50f23ad3d9c23d9a2dca44a650c576b0538

Download Submit
memory/2156-1-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/2156-4-0x00000000046E0000-0x00000000046E1000-memory.dmp

Filesize
4KB

Download
memory/2156-2-0x0000000004480000-0x0000000004520000-memory.dmp

Filesize
640KB

Download
memory/2156-221-0x0000000000400000-0x0000000002CC2000-memory.dmp

Filesize
40.8MB

Download
memory/2156-223-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/2156-225-0x0000000004480000-0x0000000004520000-memory.dmp

Filesize
640KB

Download
memory/2156-227-0x00000000046E0000-0x00000000046E1000-memory.dmp

Filesize
4KB

Download
memory/2156-3-0x0000000000400000-0x0000000002CC2000-memory.dmp

Filesize
40.8MB

Download