cryptbot | 03f1f8cb65e89c21c87f0e04c65dace4d48c708dd175056e581516bd94c50bfa

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16-04-2024 03:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f295b6024d248163f14b87bc6aed9db5_JaffaCakes118.exe
Size

675KB
MD5

f295b6024d248163f14b87bc6aed9db5
SHA1

b16d00942ca755d99f061ec63411c5cdd521f64c
SHA256

03f1f8cb65e89c21c87f0e04c65dace4d48c708dd175056e581516bd94c50bfa
SHA512

c52252e801997ae01487cb57e3eec2b2b92303a49fceba676fd746c5c2e6d8c6fc8d60c25f7de07794893c0d43ebcc6b786eea68188df222e980df8542a49063
SSDEEP

12288:JmfR9Cu6Hml1T4pOJK6DzMJKtB61OPu7faLc5kSEkwVgyo22tDtuejoWXNj0p6Pj:YCu6Hmz456fMJI8O4hY+yoltDwetKp6

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Extracted

Family

cryptbot

ewaqly46.top

morjau04.top

Attributes

payload_url
http://winhaf05.top/download.php?file=lv.exe

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1900-2-0x0000000004F40000-0x0000000004FE0000-memory.dmp	family_cryptbot
behavioral2/memory/1900-3-0x0000000000400000-0x00000000032A4000-memory.dmp	family_cryptbot
behavioral2/memory/1900-111-0x0000000000400000-0x00000000032A4000-memory.dmp	family_cryptbot
behavioral2/memory/1900-220-0x0000000000400000-0x00000000032A4000-memory.dmp	family_cryptbot
behavioral2/memory/1900-222-0x0000000004F40000-0x0000000004FE0000-memory.dmp	family_cryptbot

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f295b6024d248163f14b87bc6aed9db5_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	f295b6024d248163f14b87bc6aed9db5_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	f295b6024d248163f14b87bc6aed9db5_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

f295b6024d248163f14b87bc6aed9db5_JaffaCakes118.exe

pid process

1900 f295b6024d248163f14b87bc6aed9db5_JaffaCakes118.exe
1900 f295b6024d248163f14b87bc6aed9db5_JaffaCakes118.exe

pid	process
1900	f295b6024d248163f14b87bc6aed9db5_JaffaCakes118.exe
1900	f295b6024d248163f14b87bc6aed9db5_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\f295b6024d248163f14b87bc6aed9db5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f295b6024d248163f14b87bc6aed9db5_JaffaCakes118.exe"
1⤵
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
PID:1900

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\VpesB8i3H\_Files\_Information.txt
Filesize
1KB

MD5
857c6a6a4f264665f4c31046362f3c4a

SHA1
b4e24b68b804158cee1750c1ca00e170d57cb1ef

SHA256
296083cf654b98ecce0e4eeaccca61b4931d8daeb981e49589ec8f10e4c864a6

SHA512
bd421a7feb20bbc1033c73c96a78c9637b50203ef62c308263f69112908f925d0c0e00e46ed4b88dccadcbe4f7a119e82dd0b120faceb3c15a80bec76f02d5d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\VpesB8i3H\_Files\_Information.txt
Filesize
4KB

MD5
b45adb49924f7e89961a5583fd555771

SHA1
02fa03ef4f9631f083e63b2531ee88646a2472e6

SHA256
1bea253db3c57bcadb2be4100134b8460b6865cdfd158d017b37b0c3c38813ca

SHA512
faf9a0bd2dab38e65917ff91894070d283b60b578b57c09b984290070ab569a53760c5c5198e0ca5a6685dbbe9132b27c5221a436bd52f7b467fa0156d98e310

Download Submit
C:\Users\Admin\AppData\Local\Temp\VpesB8i3H\_Files\_Screen_Desktop.jpeg
Filesize
50KB

MD5
c04c65fdb9fed32de09cfa5aeb8fc475

SHA1
4a90c9fb2b73990e501424ceaa3341ed40598a32

SHA256
7aba1dd1c21195f5214b830fe4bcbd15cc81ac2af15a88c6c51b42419b9adc50

SHA512
9053877d021ab91de3a3b3140813c0e53e925d6e3423b38ca2c4ba441a3092d4516937ed04ac311aee219625f7d054915f11373f03aecfbdf47fe67d5fef2c8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VpesB8i3H\ehvaK2GAcJX.zip
Filesize
44KB

MD5
789337889c364137f7a5ba7880cdf672

SHA1
bbb923cf720d14f55a589d81e07fd10612287457

SHA256
c580c1b4763f0feb4984cc6e1b694cc3c23491d7fb8c4469596508bac709d245

SHA512
3cd7809ffea365f6e3ec9cd097ac4d09515bcdf207241c478ef8be723b127c5ddd76ca5cc6a6e0da5801539f866c940339f2cdc0a24a20893adc08a72b91a3af

Download Submit
C:\Users\Admin\AppData\Local\Temp\VpesB8i3H\files_\system_info.txt
Filesize
7KB

MD5
9693f093154d6c40527891f216f6ad43

SHA1
55c26700da7b4b93620eea2484955b5199f9d57c

SHA256
3a84eeef28cef7fe91e3050e5cafba6eb6f40bbb3ff97004d8ab1aa698a39005

SHA512
997d26233ba92af3f10ce7d51ccd9c26039cdd82cd79e943622da6b92257274b598d0d6c7fc2f27113f9fae072a8515aba7eb1726f72730d670b3d1ddce7965f

Download Submit
C:\Users\Admin\AppData\Local\Temp\VpesB8i3H\zXKnjAgy0MQ6U.zip
Filesize
44KB

MD5
c2d06e1569041214efe7e307c749a682

SHA1
a6577201b6344c10fe176457de4cdf0b407c84ad

SHA256
01f08d8844d703bb87f940191969e8ef58fbb1dfb6d3c3c22dcd63f104cbdbdd

SHA512
2d9dd368cff775ac30043a2d9d5316c50cd9b6bec39f5dae00383d82e0d21bddedb911bd9a5ec8e721f8c7185c913556598787f57cc18dcb2179f378f9c058f6

Download Submit
memory/1900-111-0x0000000000400000-0x00000000032A4000-memory.dmp

Filesize
46.6MB

Download
memory/1900-1-0x0000000003310000-0x0000000003410000-memory.dmp

Filesize
1024KB

Download
memory/1900-220-0x0000000000400000-0x00000000032A4000-memory.dmp

Filesize
46.6MB

Download
memory/1900-221-0x0000000003310000-0x0000000003410000-memory.dmp

Filesize
1024KB

Download
memory/1900-222-0x0000000004F40000-0x0000000004FE0000-memory.dmp

Filesize
640KB

Download
memory/1900-3-0x0000000000400000-0x00000000032A4000-memory.dmp

Filesize
46.6MB

Download
memory/1900-2-0x0000000004F40000-0x0000000004FE0000-memory.dmp

Filesize
640KB

Download