cryptbot | 1c0e9c19952db42f2e8b9b8c158e1d761e1d58a548eda1b09984a510ed9c7541

Analysis

max time kernel
147s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-04-2024 09:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eace6cd84265058817841921eb59d13a_JaffaCakes118.exe
Size

663KB
MD5

eace6cd84265058817841921eb59d13a
SHA1

f775412ce8d51fbce4d8b589a7bacb9470487daa
SHA256

1c0e9c19952db42f2e8b9b8c158e1d761e1d58a548eda1b09984a510ed9c7541
SHA512

105c9bdd3cbccd4c2b1b50f84e4322b7438d8896830157236c6276271528f89adafd8c71cc5645ce3829415e66e283ace9a37e844bb1ee0385f5c02716cc787f
SSDEEP

12288:FgEZDdRJJSlTCRU2amM90djFPogwEl11SnuTCK8OiyZkx1bdi+S76q4tjjIy:FPQlTCRHdBPJ/Qn68OiyZiyR4tPIy

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Extracted

Family

cryptbot

ewaumk24.top

morzup02.top

Attributes

payload_url
http://winqoz02.top/download.php?file=lv.exe

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2648-2-0x00000000004D0000-0x0000000000570000-memory.dmp	family_cryptbot
behavioral1/memory/2648-3-0x0000000000400000-0x00000000004C1000-memory.dmp	family_cryptbot
behavioral1/memory/2648-221-0x0000000000400000-0x00000000004C1000-memory.dmp	family_cryptbot
behavioral1/memory/2648-225-0x00000000004D0000-0x0000000000570000-memory.dmp	family_cryptbot

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

eace6cd84265058817841921eb59d13a_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	eace6cd84265058817841921eb59d13a_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	eace6cd84265058817841921eb59d13a_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

eace6cd84265058817841921eb59d13a_JaffaCakes118.exe

pid process

2648 eace6cd84265058817841921eb59d13a_JaffaCakes118.exe
2648 eace6cd84265058817841921eb59d13a_JaffaCakes118.exe

pid	process
2648	eace6cd84265058817841921eb59d13a_JaffaCakes118.exe
2648	eace6cd84265058817841921eb59d13a_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\eace6cd84265058817841921eb59d13a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eace6cd84265058817841921eb59d13a_JaffaCakes118.exe"
1⤵
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
PID:2648

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sfVFD3JZuka\_Files\_Information.txt
Filesize
1KB

MD5
9d6c916a44a009a3b5bb32a5edf90d67

SHA1
837001b0b344c7a58eb7739b5df05cfe6654b05a

SHA256
2a68397525d9e1cb750cec7e0d2ee02aad340009125bc4b6dc8fef9fc9abb81e

SHA512
86ad29c1144e3c9ccb1ce4a63bd6c6a30650533edb4c926f12fff8434b780b83e5318f60c02048cf4eefd9687b617b670a9aa956e10fefc8a7c9d7e03ce880d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\sfVFD3JZuka\_Files\_Information.txt
Filesize
3KB

MD5
3e60568386c4ff9aec81cb80618a8e69

SHA1
a4b2305c3c7e4c189158ad9aed1816486deae47d

SHA256
9186d18f0a3eae2698cc1b27de20f4b059953826277904a9b0859b93114e4346

SHA512
8acf6d61c21c29b303a4e6b711c49cc577a2cc32c4237f342f69d51fcbbc4f53d18dc9180898b4f606abf7004bc5f4b0194801f12a457922235ccac8fb25b217

Download Submit
C:\Users\Admin\AppData\Local\Temp\sfVFD3JZuka\_Files\_Information.txt
Filesize
5KB

MD5
944a3344f5b4b073ea22d47a4b26b973

SHA1
c77b247fdcaf2e18a17bb07978b16dac9a273f42

SHA256
5576e4295ce7a25dd7d91ff6ba52561160292eeb7572c8f5f701dfa10a272bd1

SHA512
ea252c04f49964c59f3bac3eb214f1e183f786e57375ed0866175eee104e73a36e8e5136cb0acf1081f4a31f7fefb3bc563f615ca30229a0ce20384509d9f6fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\sfVFD3JZuka\_Files\_Screen_Desktop.jpeg
Filesize
49KB

MD5
bf9c3ec6d442928b51657dd704c7841d

SHA1
0bef1d292919f642b43f8afb1a130293c1948d0f

SHA256
b10c76314a5597e25e25bf9edc1a77d9c2600e6c2cbdefc281e0411dbf105b98

SHA512
8fd8b98fb9380a635c4fb0f6f975c2829b3d770aab71aee0723f934645b8b5fca1b45553a6646105468907b2126a24efe6d4037c11802f7ddc8a64ea48154e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\sfVFD3JZuka\eab0Iy0Gv1eY7.zip
Filesize
42KB

MD5
e3e7825e8dab8b18d6995366b66c993a

SHA1
cd19a8415238e4b904cbd421affaf7048d708675

SHA256
c9b6393ff1ea78839d990dfca86c49462d7908cc21833e45e43ed2807f337d72

SHA512
add830d0300f2597f96a64467d736aa14eacbb373fdae9b4de501acfbb073485e2872bc7946bd37fde6b007bb857dc4d15a2f7e49cf790d138fb7eeaa37742c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\sfVFD3JZuka\files_\system_info.txt
Filesize
1KB

MD5
23e39fabfbe7ebd8c75bb09f748722de

SHA1
6ea46b8939b65643d4a01fc32004f1ac7f4107df

SHA256
d30c183354218e7d8d61b84df241a1b40280d3327c564525883731deb809f98c

SHA512
0c2c059fbc230b25785aca8d9e8cd9fd579c861d89b7a1c815ceb9d556a209d19d73b2dd382c4bd38c51ebcb91803fc23c0549be33082f94b1dea76bc705ed41

Download Submit
C:\Users\Admin\AppData\Local\Temp\sfVFD3JZuka\files_\system_info.txt
Filesize
1KB

MD5
ca816290d4870f00b42c58d056e551bc

SHA1
de0ada523424b26c9eee4e083ed018deac43faaf

SHA256
a61d0d2abe391f639b9fd71440d3e5a9137e44588896d4f4f2af6c541ae413e5

SHA512
20303987672b337e3424a0d3b022c62d92e3a340ee6b57907cea32b2e2702680f160997d3528f9fab0a7bfe941770c8371a280a5c9de41badf865b53e1b7d75b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sfVFD3JZuka\files_\system_info.txt
Filesize
6KB

MD5
093ff00b978a2cc06c7d4f1ff63b5977

SHA1
1121bdd8579065dedc0e6c2a5003dbf6f00cfbbc

SHA256
0843075a66b22ad9425416ed14e46bc48a7ae016dc358e48ebaf78660fc7d50a

SHA512
31b086ab7805af92a77c312e80e51fd168aab672919b1850d1847a3edc98f8bab6524cf1307443e9aed3096993a27cb0b59007613e7be6684afdf174e26f9aa2

Download Submit
memory/2648-4-0x0000000001E40000-0x0000000001E41000-memory.dmp

Filesize
4KB

Download
memory/2648-1-0x0000000000230000-0x0000000000330000-memory.dmp

Filesize
1024KB

Download
memory/2648-3-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2648-221-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2648-224-0x0000000000230000-0x0000000000330000-memory.dmp

Filesize
1024KB

Download
memory/2648-225-0x00000000004D0000-0x0000000000570000-memory.dmp

Filesize
640KB

Download
memory/2648-227-0x0000000001E40000-0x0000000001E41000-memory.dmp

Filesize
4KB

Download
memory/2648-2-0x00000000004D0000-0x0000000000570000-memory.dmp

Filesize
640KB

Download