cryptbot | a0d24046e0163fe30edd9cf0c27f3a4cd59435b95c2da05bfcfa329c240bf7a2

Analysis

max time kernel
94s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
15-04-2024 04:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f048e67cc8bab2caf9435c2b90d50e98_JaffaCakes118.exe
Size

3.2MB
MD5

f048e67cc8bab2caf9435c2b90d50e98
SHA1

355013d007818be0492a9901e49b4b08eca97c07
SHA256

a0d24046e0163fe30edd9cf0c27f3a4cd59435b95c2da05bfcfa329c240bf7a2
SHA512

c558df1942ce5634ba1ef23cdf467338a2ce757a0c74c20f19db6ffa158cff718bca550dc1848b462f874f330dff4fd08947b50e9b33d3bd516dae39c7bddcee
SSDEEP

49152:jMb83QBX4PU0ga6edgVVO90D9naQEQEdFEqSpRZFWwDxtKfrtDCV+m1SYj:jWX4PU076TV89S9nhRzqSRy6SLmj

Score

10^/10

cryptbot discovery evasion spyware stealer themida trojan

Malware Config

Extracted

Family

cryptbot

bunole21.top

moreid02.top

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 8 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1496-3-0x0000000000B10000-0x0000000001304000-memory.dmp	family_cryptbot
behavioral2/memory/1496-4-0x0000000000B10000-0x0000000001304000-memory.dmp	family_cryptbot
behavioral2/memory/1496-5-0x0000000000B10000-0x0000000001304000-memory.dmp	family_cryptbot
behavioral2/memory/1496-6-0x0000000000B10000-0x0000000001304000-memory.dmp	family_cryptbot
behavioral2/memory/1496-7-0x0000000000B10000-0x0000000001304000-memory.dmp	family_cryptbot
behavioral2/memory/1496-8-0x0000000000B10000-0x0000000001304000-memory.dmp	family_cryptbot
behavioral2/memory/1496-9-0x0000000000B10000-0x0000000001304000-memory.dmp	family_cryptbot
behavioral2/memory/1496-231-0x0000000000B10000-0x0000000001304000-memory.dmp	family_cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

f048e67cc8bab2caf9435c2b90d50e98_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ f048e67cc8bab2caf9435c2b90d50e98_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f048e67cc8bab2caf9435c2b90d50e98_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f048e67cc8bab2caf9435c2b90d50e98_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f048e67cc8bab2caf9435c2b90d50e98_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f048e67cc8bab2caf9435c2b90d50e98_JaffaCakes118.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

f048e67cc8bab2caf9435c2b90d50e98_JaffaCakes118.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation f048e67cc8bab2caf9435c2b90d50e98_JaffaCakes118.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	f048e67cc8bab2caf9435c2b90d50e98_JaffaCakes118.exe

Themida packer 10 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/1496-0-0x0000000000B10000-0x0000000001304000-memory.dmp	themida
behavioral2/memory/1496-2-0x0000000000B10000-0x0000000001304000-memory.dmp	themida
behavioral2/memory/1496-3-0x0000000000B10000-0x0000000001304000-memory.dmp	themida
behavioral2/memory/1496-4-0x0000000000B10000-0x0000000001304000-memory.dmp	themida
behavioral2/memory/1496-5-0x0000000000B10000-0x0000000001304000-memory.dmp	themida
behavioral2/memory/1496-6-0x0000000000B10000-0x0000000001304000-memory.dmp	themida
behavioral2/memory/1496-7-0x0000000000B10000-0x0000000001304000-memory.dmp	themida
behavioral2/memory/1496-8-0x0000000000B10000-0x0000000001304000-memory.dmp	themida
behavioral2/memory/1496-9-0x0000000000B10000-0x0000000001304000-memory.dmp	themida
behavioral2/memory/1496-231-0x0000000000B10000-0x0000000001304000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

f048e67cc8bab2caf9435c2b90d50e98_JaffaCakes118.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA f048e67cc8bab2caf9435c2b90d50e98_JaffaCakes118.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

f048e67cc8bab2caf9435c2b90d50e98_JaffaCakes118.exe

pid process

1496 f048e67cc8bab2caf9435c2b90d50e98_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f048e67cc8bab2caf9435c2b90d50e98_JaffaCakes118.exe

pid	process
1496	f048e67cc8bab2caf9435c2b90d50e98_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f048e67cc8bab2caf9435c2b90d50e98_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	f048e67cc8bab2caf9435c2b90d50e98_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	f048e67cc8bab2caf9435c2b90d50e98_JaffaCakes118.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4664 timeout.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

f048e67cc8bab2caf9435c2b90d50e98_JaffaCakes118.exe

pid process

1496 f048e67cc8bab2caf9435c2b90d50e98_JaffaCakes118.exe
1496 f048e67cc8bab2caf9435c2b90d50e98_JaffaCakes118.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

f048e67cc8bab2caf9435c2b90d50e98_JaffaCakes118.exe

pid process

1496 f048e67cc8bab2caf9435c2b90d50e98_JaffaCakes118.exe
1496 f048e67cc8bab2caf9435c2b90d50e98_JaffaCakes118.exe

pid	process
4664	timeout.exe

pid	process
1496	f048e67cc8bab2caf9435c2b90d50e98_JaffaCakes118.exe
1496	f048e67cc8bab2caf9435c2b90d50e98_JaffaCakes118.exe

pid	process
1496	f048e67cc8bab2caf9435c2b90d50e98_JaffaCakes118.exe
1496	f048e67cc8bab2caf9435c2b90d50e98_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

f048e67cc8bab2caf9435c2b90d50e98_JaffaCakes118.execmd.exe

description	pid	process	target process
PID 1496 wrote to memory of 2608	1496	f048e67cc8bab2caf9435c2b90d50e98_JaffaCakes118.exe	cmd.exe
PID 1496 wrote to memory of 2608	1496	f048e67cc8bab2caf9435c2b90d50e98_JaffaCakes118.exe	cmd.exe
PID 1496 wrote to memory of 2608	1496	f048e67cc8bab2caf9435c2b90d50e98_JaffaCakes118.exe	cmd.exe
PID 2608 wrote to memory of 4664	2608	cmd.exe	timeout.exe
PID 2608 wrote to memory of 4664	2608	cmd.exe	timeout.exe
PID 2608 wrote to memory of 4664	2608	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\f048e67cc8bab2caf9435c2b90d50e98_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f048e67cc8bab2caf9435c2b90d50e98_JaffaCakes118.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\hABISDZp & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\f048e67cc8bab2caf9435c2b90d50e98_JaffaCakes118.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2608

C:\Windows\SysWOW64\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:4664

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hABISDZp\CWQQHQ~1.ZIP
Filesize
1.0MB

MD5
9e0ebadc47a1164eed43e58020c2d65a

SHA1
1fb2ab8ee8cf996240018138deceea91dcee45b4

SHA256
627f3f841464adf32a03169ce18f3d7cbcea3ff85a72c288a6d9964957856b44

SHA512
3c090859d578d59a387e6f65460fac8222075aca7229b7e330573b7cce9cd23948901a008d22bd035de5f4dd17d2c549bf07dbe9724a449a907ea7c2105c786f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hABISDZp\CdIZyROi.zip
Filesize
1009KB

MD5
25d684a4b41ab590f78923e239af703c

SHA1
74d45243210e0edeacbf65c535c92e423702c472

SHA256
97ac5da72aaf1e57cfc5d5c2f882e5dd1bc289311d98dead7fa9fdf7c4686a0e

SHA512
af8f837280425a90478ed71ebc36a7acf3c95ec8d4afb0edfaca69d53cedb081c29746daeda3bde496c9646316b541c2bfe83a213e862a475dba8506c9ff0153

Download Submit
C:\Users\Admin\AppData\Local\Temp\hABISDZp\_Files\_Files\AddCompress.txt
Filesize
1007KB

MD5
f17e06c8e48479be847522e1ab256ff2

SHA1
085d952e9ae078ee38da98dd1c0cd22a36cbd84e

SHA256
c8365f1dd08f3fd8c235421d5a74dff9223c9e085e4dacb69e78f56c2a5698b3

SHA512
c4cab4a5f246d8e168cc259c239206cc636a5b54d35c79ed3911d6fb21973f4429f1d2a54089bc2c5ec219fca0acd8ec6a079e1f2e9f8e2edccc0adfe28fa344

Download Submit
C:\Users\Admin\AppData\Local\Temp\hABISDZp\_Files\_INFOR~1.TXT
Filesize
7KB

MD5
afb8d9f141ce0a5ff1a639d9500a4cb0

SHA1
f2869172d59faf98ba9053716870002e1fb85cf9

SHA256
afd0df8425949b5e59a7c2f6c4513a7af2db0d7e9981915ce5df13fe3c20c1c6

SHA512
e7fbac5de1fd821025274bf53e19d30b3be14c0f3bc525812110e7645d32712bdde81a454b434dfd255b74332658b83e43e8e93f17f88c7e10ab342dce4a8303

Download Submit
C:\Users\Admin\AppData\Local\Temp\hABISDZp\_Files\_Information.txt
Filesize
2KB

MD5
10adf8031a0f952299af60622603c66c

SHA1
c122a6c397db83eafc953418299e9b09a0c886e1

SHA256
767918b4fec345f0ba645dcd49c69cfd51d6c8996db8e5acd2df54f96aa6248f

SHA512
2d095a72efb99cd52ecc00ac0a19390ea3ca1bc817b424378a31811e0e591fbb772d327c02ee1f3128f280118a85258f7e3d4cf4aeb51fd9c702c4f5f1742f33

Download Submit
C:\Users\Admin\AppData\Local\Temp\hABISDZp\_Files\_Information.txt
Filesize
4KB

MD5
41affa7eb57dd4077dbbe28e21c93f60

SHA1
55c81dbfd0079c0641b8df15e74f77b6f6aab439

SHA256
c7103482b8361a6adba02c53bf3baa37dc7cca9e4bfec446542e173ab044e519

SHA512
742a1109fb968f03bfa6f66f3ec42692104ca4041bd912a745e57107238813ca2b4bb4bc668e801c758af1bd91b7321a2e1f89d573e9d0e64d2be5212ae68d87

Download Submit
C:\Users\Admin\AppData\Local\Temp\hABISDZp\_Files\_SCREE~1.JPE
Filesize
48KB

MD5
bb2f4dfa1e2a99280bee1a01087fe3b8

SHA1
d02a13f802451405c7b0a5df0dc793077b5cf972

SHA256
1cbe0dccf4e8f8f145a5dacc625434eaab640b49c4180dacc4cdfc45d8e85235

SHA512
6c1bb494b732fe6717ebce10cccd872aaddb3514a73b1bb42bafe2daf69751fe6db89010b2d7d2630745078d03ba5ac6b777b005de62902526e8bdba78e0b240

Download Submit
C:\Users\Admin\AppData\Local\Temp\hABISDZp\files_\SYSTEM~1.TXT
Filesize
7KB

MD5
8a6c23f9139f495818c69fc73851d4f2

SHA1
174f24e68b70f7f682a5e5800525ef1c0522f2e7

SHA256
a28512567a39f51b34ca9a1749835277cfaac66e480fa3d117a5a01cc7ae8d3e

SHA512
b345e45cc18417fff1404e739f4aa3820bfe351ca336a06f118bec20d9f231bce579328c7ec85efae8e171dd4b296e0be42ca35733df3c02bb102105853eeb54

Download Submit
C:\Users\Admin\AppData\Local\Temp\hABISDZp\files_\system_info.txt
Filesize
836B

MD5
0703d6a3e705ff37440ec99c83e72a7f

SHA1
1c0ba634fed939d37a7c1f4729d0f675c75ce6b5

SHA256
938b2e60d6671c6ac1ffecefcbb70d2d9a71eee9cc4ce3bb9c5199cd76b807d2

SHA512
fd906dea1b8b362d3396c96e3660d442a2b82ece835fd99f1f9ff53775da4d71eabd5a21e8d63125f820decda56ef122d83632fc0c4848455b416ad6af43ec92

Download Submit
C:\Users\Admin\AppData\Local\Temp\hABISDZp\files_\system_info.txt
Filesize
1KB

MD5
bca7e8b38af46ed319d5263c2128c4bc

SHA1
e2c9d51f9efe0410744d63aa7e54dd3c4c4fdac7

SHA256
96239823b7d8a3410276f6157d135a308724cf425bc9b7e397105c0b9ab8b23e

SHA512
d67ad8f06679851eaaeac8a48ae37343d7b4b3e594830fcf5e4003e723ea355f65932c1b52c66902286ee9c70b1ca07576b73c20f056ee1528eb84e8e9d0efee

Download Submit
C:\Users\Admin\AppData\Local\Temp\hABISDZp\files_\system_info.txt
Filesize
5KB

MD5
f0118f53e64f1655334b3fd7be5428f4

SHA1
8ffb7a0ba3f42ba8e6d96088c73557015bce739a

SHA256
dadb3b4e2d131adfe4ac934c2ff677892f817e1dccf0c1852ff8e3438b61d26f

SHA512
d4ff7afb1c3fa2461fa0163c627ad3a1deb1ba091bf8b2ecd9f0484638594fc24c773b676cc96874a798c3e4ff7a9defaee2a8e068fd2c1baaf5d860a30e7b9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hABISDZp\files_\system_info.txt
Filesize
4KB

MD5
eb8672a6f7942724db48b42dc8d0fe50

SHA1
9e7e1043889aa3d5c82498ad3fac8aaeea125e65

SHA256
795dc764b5dc97d98fcbec89b71df842821e3221edbb4f03f597204c5c5bd3b8

SHA512
a07742028680ba3ae681b12cfd706a872b0de6fa5c58eff83a1e2ee63a3e7eeff64c2790e8a518487e6d9bf1b1d8c524c733e493daf32bf3468ddba82d51117b

Download Submit
memory/1496-9-0x0000000000B10000-0x0000000001304000-memory.dmp

Filesize
8.0MB

Download
memory/1496-8-0x0000000000B10000-0x0000000001304000-memory.dmp

Filesize
8.0MB

Download
memory/1496-7-0x0000000000B10000-0x0000000001304000-memory.dmp

Filesize
8.0MB

Download
memory/1496-0-0x0000000000B10000-0x0000000001304000-memory.dmp

Filesize
8.0MB

Download
memory/1496-6-0x0000000000B10000-0x0000000001304000-memory.dmp

Filesize
8.0MB

Download
memory/1496-231-0x0000000000B10000-0x0000000001304000-memory.dmp

Filesize
8.0MB

Download
memory/1496-5-0x0000000000B10000-0x0000000001304000-memory.dmp

Filesize
8.0MB

Download
memory/1496-4-0x0000000000B10000-0x0000000001304000-memory.dmp

Filesize
8.0MB

Download
memory/1496-3-0x0000000000B10000-0x0000000001304000-memory.dmp

Filesize
8.0MB

Download
memory/1496-1-0x0000000076F64000-0x0000000076F66000-memory.dmp

Filesize
8KB

Download
memory/1496-2-0x0000000000B10000-0x0000000001304000-memory.dmp

Filesize
8.0MB

Download