cryptbot | bd7020c913d0170d15354c8e693a4b2469d2332768ef477c702bd1c51e41887c

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
15-04-2024 23:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f23000a51a7ac80b39bab71e83c3983a_JaffaCakes118.exe
Size

1.5MB
MD5

f23000a51a7ac80b39bab71e83c3983a
SHA1

647a3ce6cfc9e4a4f5c952678d8c7bda038a14f5
SHA256

bd7020c913d0170d15354c8e693a4b2469d2332768ef477c702bd1c51e41887c
SHA512

e7193498cea1d3a56a4a207c3f94aff45b591d4dc95b2ba67830a1252dd79560b63c8abdb36216f90e74fae22123c38f82b606953551ca54f1b015ca987ee7f3
SSDEEP

24576:VyEptD7sRjWDFtr9xE8OoNTtfvJeqkIftCstIt2J5CNmfh8+IED471iuejTya:jZARsFtrTRbdtw4tC0LkyqED4xiuej

Score

10^/10

cryptbot discovery persistence spyware stealer

Malware Config

Extracted

Family

cryptbot

ewaqfe45.top

morjau04.top

Attributes

payload_url
http://winhaf05.top/download.php?file=lv.exe

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2020-25-0x00000000042C0000-0x0000000004363000-memory.dmp	family_cryptbot
behavioral1/memory/2020-26-0x00000000042C0000-0x0000000004363000-memory.dmp	family_cryptbot
behavioral1/memory/2020-27-0x00000000042C0000-0x0000000004363000-memory.dmp	family_cryptbot
behavioral1/memory/2020-29-0x00000000042C0000-0x0000000004363000-memory.dmp	family_cryptbot
behavioral1/memory/2020-246-0x00000000042C0000-0x0000000004363000-memory.dmp	family_cryptbot

Executes dropped EXE 2 IoCs

Processes:

Vorra.exe.comVorra.exe.com

pid process

4160 Vorra.exe.com
2020 Vorra.exe.com
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4160	Vorra.exe.com
2020	Vorra.exe.com

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

f23000a51a7ac80b39bab71e83c3983a_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f23000a51a7ac80b39bab71e83c3983a_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Vorra.exe.com

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Vorra.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Vorra.exe.com

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4032 PING.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Vorra.exe.com

pid process

2020 Vorra.exe.com
2020 Vorra.exe.com

pid	process
4032	PING.EXE

pid	process
2020	Vorra.exe.com
2020	Vorra.exe.com

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

f23000a51a7ac80b39bab71e83c3983a_JaffaCakes118.execmd.execmd.exeVorra.exe.com

description	pid	process	target process
PID 2464 wrote to memory of 2832	2464	f23000a51a7ac80b39bab71e83c3983a_JaffaCakes118.exe	cmd.exe
PID 2464 wrote to memory of 2832	2464	f23000a51a7ac80b39bab71e83c3983a_JaffaCakes118.exe	cmd.exe
PID 2464 wrote to memory of 2832	2464	f23000a51a7ac80b39bab71e83c3983a_JaffaCakes118.exe	cmd.exe
PID 2464 wrote to memory of 1240	2464	f23000a51a7ac80b39bab71e83c3983a_JaffaCakes118.exe	cmd.exe
PID 2464 wrote to memory of 1240	2464	f23000a51a7ac80b39bab71e83c3983a_JaffaCakes118.exe	cmd.exe
PID 2464 wrote to memory of 1240	2464	f23000a51a7ac80b39bab71e83c3983a_JaffaCakes118.exe	cmd.exe
PID 1240 wrote to memory of 3640	1240	cmd.exe	cmd.exe
PID 1240 wrote to memory of 3640	1240	cmd.exe	cmd.exe
PID 1240 wrote to memory of 3640	1240	cmd.exe	cmd.exe
PID 3640 wrote to memory of 4904	3640	cmd.exe	findstr.exe
PID 3640 wrote to memory of 4904	3640	cmd.exe	findstr.exe
PID 3640 wrote to memory of 4904	3640	cmd.exe	findstr.exe
PID 3640 wrote to memory of 4160	3640	cmd.exe	Vorra.exe.com
PID 3640 wrote to memory of 4160	3640	cmd.exe	Vorra.exe.com
PID 3640 wrote to memory of 4160	3640	cmd.exe	Vorra.exe.com
PID 3640 wrote to memory of 4032	3640	cmd.exe	PING.EXE
PID 3640 wrote to memory of 4032	3640	cmd.exe	PING.EXE
PID 3640 wrote to memory of 4032	3640	cmd.exe	PING.EXE
PID 4160 wrote to memory of 2020	4160	Vorra.exe.com	Vorra.exe.com
PID 4160 wrote to memory of 2020	4160	Vorra.exe.com	Vorra.exe.com
PID 4160 wrote to memory of 2020	4160	Vorra.exe.com	Vorra.exe.com

C:\Users\Admin\AppData\Local\Temp\f23000a51a7ac80b39bab71e83c3983a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f23000a51a7ac80b39bab71e83c3983a_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2464

C:\Windows\SysWOW64\cmd.exe
cmd /c rgmLAtaO
2⤵
PID:2832

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Pel.pptx
2⤵
- Suspicious use of WriteProcessMemory
PID:1240

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Suspicious use of WriteProcessMemory
PID:3640

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^zhstQWiUaSsAnmkEODbzVxaWPpDrIiPtovZYFBuQSwQDdEWokoffoLwZVcgHzrklejseAhZhbHAUDOGlhxSmSAWbcqephnvOQFArhTIXpeSAlucuPrzYkLaCdUGAkPqYlMtYhCXzLUdQHchgE$" Aggiogati.pptx
4⤵
PID:4904

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vorra.exe.com
Vorra.exe.com o
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4160

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vorra.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vorra.exe.com o
5⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
PID:2020

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 30
4⤵
- Runs ping.exe
PID:4032

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Aggiogati.pptx
Filesize
872KB

MD5
f435197ac66954c9aaa768c402bb2f6e

SHA1
81cb16becf08ab1cb2d88c1a0d51872aac7af78f

SHA256
682c0c70fdc6522a9ee445de9439348405b945ef9707b983ddf3e88c869ea576

SHA512
ca39a95f003340290b4ae5037313432061c1213f976253bbda8b5149f0f1e295cacbc43dbe63fa1cc54e5336a3161eac7962f73afad775a4122ad23f0330117b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fresco.pptx
Filesize
733KB

MD5
6ef148867d1e6e66271e86d6bfab3869

SHA1
589cfd4129777c088f4b53f5dc723ada5f51b302

SHA256
0768633b95a60df47da99c4f6c92cb703c61e547652e6831ff918a9c48ae7720

SHA512
8ba444184340843551dbe1dbec38f15a8a30aa3e97811e300b4fcae2c791254c84576d3b8d7299cca48ae0a3a8e443bbc71d0325283df7a46773747ef72b41e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pel.pptx
Filesize
487B

MD5
b508376c348b13291d124eab9cce3534

SHA1
26e23e157da1b214a98d84c581c103a97d2f4121

SHA256
a0a6240b767c17f2bbe16985044599f369fdee62ee626a4326e975edbb01a9b4

SHA512
018c7dcf04180da81065647d957e4d08e40ee7e6ca93fe70ab6bfa49ab8532fcd40fe9add8ddc09816e343f04174b1d3e3dc16ba4cd7c93545814fc1992256b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Seduce.pptx
Filesize
634KB

MD5
c5a42d35b245941d0acde1ecc0858cd2

SHA1
d34859da52fe96c5ea0b580d24dd05404af91a89

SHA256
0f7917bc1c77ced2004a06f52195e492fcbc4a1bee59f345dd8210df14e12e4c

SHA512
a6d283988467152fe85fa9bac1f6dbd7fa88631af90198d10b912b5589186b1a8920ec3f8a6fee5ce3c58c415c860ab429b10c1d1c77de2a3f4c91843ee63564

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vorra.exe.com
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\xkjn6FMRF\KaKqXPhjTXhUZK.zip
Filesize
42KB

MD5
ab9bc2835ccd8fa5b9c290ec1a29c7f4

SHA1
2874714bba2adf4a777980889a2ef2d5a6727dc7

SHA256
fe42b7da297d1b6c711f3d21883a80804a608a09b6b9f21c77b5abf383990127

SHA512
8e2a1e4831974bd8bc0c5184eeaa89d9dcd9918e5178fb958be65b12e4f6c706100dddaa91b834017ba59a8b9f3d6adc05517c380b7d1de7e904dfa094742669

Download Submit
C:\Users\Admin\AppData\Local\Temp\xkjn6FMRF\_Files\_Information.txt
Filesize
1KB

MD5
cf4404592f917064610dfe0dde2194d3

SHA1
148165f8c44d1703b9cea9e117867e414743edbf

SHA256
4ca35a9d3f01bededd78f7dc93906c4b3e4f2f5ac7fe63a983c11a6e86f4d259

SHA512
fec14d10e2893296aed2b5abf0b91d96b3ba289cc0f50fb6a2829477941b1a66e3a4f454bc00a7451dcd589dc4841315805ad5cfa3953a8300b9d02d2a6d36e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\xkjn6FMRF\_Files\_Information.txt
Filesize
1KB

MD5
e144d7a7ec1a47765105946f0082c493

SHA1
3e3fc338f298bf4bb9f5523a4b3270aa5aa46561

SHA256
2981f1c76b87ea87b50737ff097555a4bd50b72cc97daec85c353a990daaa829

SHA512
5c5eec8c80f156b8b814c5f0f8543fd86013663ed70381ec896e33eaff1c4051f87d86d6538d988513cc6ff3cdbcf06fe4015d47d795b9621ff3a7e5d5320196

Download Submit
C:\Users\Admin\AppData\Local\Temp\xkjn6FMRF\_Files\_Information.txt
Filesize
2KB

MD5
4ac36deb1875f2abb046dfa9dfd026f7

SHA1
a7581d0ef08500799eb683024da0b4522e9b58fd

SHA256
722c27fe3cd9dcd8af85be58ba57ef212e3c3ad621bef7f3349741cc8078e35b

SHA512
673bd86a4299e681da8f3b28d2febb1eef93e8f0ba6abf7db548879d79d313da7d404dbf9722e07014f5a2a8b36dd7468dd5619ccd7fbb221d278f1b89166c37

Download Submit
C:\Users\Admin\AppData\Local\Temp\xkjn6FMRF\_Files\_Information.txt
Filesize
3KB

MD5
8beead6343eaa0ed9d9e26cc417706a9

SHA1
392608490cbe613ef9b0c9951cf30b90fd125d3c

SHA256
e79ee751421276863f86192ba46a68bc2a3444c851365ff08d67bd742b1d9867

SHA512
f11e1f7ed3fcf86b5bad9768d6b59798ec03f3cfcd46373a1b896776748ea743bed2087f43f11db235ca4d6ba4f9dc36f02673276955b48b00bba1844db877b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\xkjn6FMRF\_Files\_Information.txt
Filesize
4KB

MD5
e468964823f2f298e8e71284bbf3be3a

SHA1
a20f2433acba4e0854834f489363780aaaf7a27a

SHA256
da19a372c8108f02bd8561014e5d0e04ab567bd2f4f470cc5159d216c4eabadd

SHA512
53dab2c993cf9b05722539699406356e11c87d7bed0f12aa25c1433d8f512dbb3285490c81310deaf329514d44b4ce9447069a165b54a6f9b7d5b3e2cec4d260

Download Submit
C:\Users\Admin\AppData\Local\Temp\xkjn6FMRF\_Files\_Screen_Desktop.jpeg
Filesize
48KB

MD5
7801d65ffb97c6690cf48dabf5e295dd

SHA1
b26367bde7ef928b08189aef6fb948cf2d53231f

SHA256
675455888056031b192d7258bacc58a49e3c384648a38ae7b27014d07a7c8223

SHA512
b4d00c360531744a5fa78f63368e6e2218fc3f13f8a2cfe453afb766ef440a65ae7ea2f369b91b1eb39723829a160753602eb418e6474b1ecad33bb4b6d6757d

Download Submit
C:\Users\Admin\AppData\Local\Temp\xkjn6FMRF\files_\system_info.txt
Filesize
694B

MD5
59ab4bc79958f52451a1eeb80ac8ef97

SHA1
ca9417383653bfff9df33ec0a7ec828bb22b1958

SHA256
131d00e1c09d0ae269cdd57c0c6bab1ebf676407e5d7361667552523ea76cfda

SHA512
c89acc4fc4609c63a72a48a063efc0a441dae7a3a89a76078bac66f053c8963acaef014a9fe7c0a4536cdc0520389fcfdbe8631550039d66e3359cd09d550960

Download Submit
C:\Users\Admin\AppData\Local\Temp\xkjn6FMRF\files_\system_info.txt
Filesize
7KB

MD5
ea2875163176a5ebedf615590169e1e0

SHA1
2d0392d11ee7904ae6120da2cf33465375a80e0a

SHA256
4d19f77ef1e248478297ee44530bddfdadefc74fc8570e0a6a0cbc28a49f1146

SHA512
0f30a55a8bf850345a0a28b1ca624d0f8548926e2a9b467f67110eb2a356af59ce94fbf1681ec6dbc76455a59d99f2bf46f55be674aecca23940e0197e5415da

Download Submit
memory/2020-21-0x0000000004150000-0x0000000004151000-memory.dmp

Filesize
4KB

Download
memory/2020-29-0x00000000042C0000-0x0000000004363000-memory.dmp

Filesize
652KB

Download
memory/2020-27-0x00000000042C0000-0x0000000004363000-memory.dmp

Filesize
652KB

Download
memory/2020-26-0x00000000042C0000-0x0000000004363000-memory.dmp

Filesize
652KB

Download
memory/2020-25-0x00000000042C0000-0x0000000004363000-memory.dmp

Filesize
652KB

Download
memory/2020-24-0x00000000042C0000-0x0000000004363000-memory.dmp

Filesize
652KB

Download
memory/2020-23-0x00000000042C0000-0x0000000004363000-memory.dmp

Filesize
652KB

Download
memory/2020-22-0x00000000042C0000-0x0000000004363000-memory.dmp

Filesize
652KB

Download
memory/2020-246-0x00000000042C0000-0x0000000004363000-memory.dmp

Filesize
652KB

Download