cryptbot | 20f73e57b047b1b45f2537f0780b17cd5ad2324a60bacfd05ebf796f8ff51da3

Analysis

max time kernel
147s
max time network
151s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-04-2024 04:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f2bd0df5311675a26219beb6a7ecf4c3_JaffaCakes118.exe
Size

1.5MB
MD5

f2bd0df5311675a26219beb6a7ecf4c3
SHA1

a7bd8e4857dfbb5186f822868422a25628c8981c
SHA256

20f73e57b047b1b45f2537f0780b17cd5ad2324a60bacfd05ebf796f8ff51da3
SHA512

756052c3ddce25b2987464d01f2532ecd1b876ee279a2ac6c09cb725819bcfcb986dc1ad029747ccef27ab284c25c252151f9fb5ceecaa6b6d6fe7f7075bf14d
SSDEEP

24576:KGFBn/Vm6itNg/LpSxvsfC3KIZGhbOvYbCXOg8EpGw65lMuwDS14fbUaEmAlUEFn:FFBnNmlCjoxZZdvYbCXOTzwWvwG10bC+

Score

10^/10

cryptbot discovery persistence spyware stealer

Malware Config

Extracted

Family

cryptbot

ewazda75.top

moraiw07.top

Attributes

payload_url
http://winfyn10.top/download.php?file=lv.exe

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2692-28-0x0000000003AB0000-0x0000000003B53000-memory.dmp	family_cryptbot
behavioral1/memory/2692-30-0x0000000003AB0000-0x0000000003B53000-memory.dmp	family_cryptbot
behavioral1/memory/2692-29-0x0000000003AB0000-0x0000000003B53000-memory.dmp	family_cryptbot
behavioral1/memory/2692-31-0x0000000003AB0000-0x0000000003B53000-memory.dmp	family_cryptbot
behavioral1/memory/2692-251-0x0000000003AB0000-0x0000000003B53000-memory.dmp	family_cryptbot

Executes dropped EXE 2 IoCs

Processes:

Obliare.exe.comObliare.exe.com

pid process

2648 Obliare.exe.com
2692 Obliare.exe.com
Loads dropped DLL 2 IoCs

Processes:

cmd.exeObliare.exe.com

pid process

2516 cmd.exe
2648 Obliare.exe.com
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2648	Obliare.exe.com
2692	Obliare.exe.com

pid	process
2516	cmd.exe
2648	Obliare.exe.com

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

f2bd0df5311675a26219beb6a7ecf4c3_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f2bd0df5311675a26219beb6a7ecf4c3_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Obliare.exe.com

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Obliare.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Obliare.exe.com

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2588 PING.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Obliare.exe.com

pid process

2692 Obliare.exe.com
2692 Obliare.exe.com

pid	process
2588	PING.EXE

pid	process
2692	Obliare.exe.com
2692	Obliare.exe.com

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

f2bd0df5311675a26219beb6a7ecf4c3_JaffaCakes118.execmd.execmd.exeObliare.exe.com

description	pid	process	target process
PID 2868 wrote to memory of 2892	2868	f2bd0df5311675a26219beb6a7ecf4c3_JaffaCakes118.exe	dllhost.exe
PID 2868 wrote to memory of 2892	2868	f2bd0df5311675a26219beb6a7ecf4c3_JaffaCakes118.exe	dllhost.exe
PID 2868 wrote to memory of 2892	2868	f2bd0df5311675a26219beb6a7ecf4c3_JaffaCakes118.exe	dllhost.exe
PID 2868 wrote to memory of 2892	2868	f2bd0df5311675a26219beb6a7ecf4c3_JaffaCakes118.exe	dllhost.exe
PID 2868 wrote to memory of 2500	2868	f2bd0df5311675a26219beb6a7ecf4c3_JaffaCakes118.exe	cmd.exe
PID 2868 wrote to memory of 2500	2868	f2bd0df5311675a26219beb6a7ecf4c3_JaffaCakes118.exe	cmd.exe
PID 2868 wrote to memory of 2500	2868	f2bd0df5311675a26219beb6a7ecf4c3_JaffaCakes118.exe	cmd.exe
PID 2868 wrote to memory of 2500	2868	f2bd0df5311675a26219beb6a7ecf4c3_JaffaCakes118.exe	cmd.exe
PID 2500 wrote to memory of 2516	2500	cmd.exe	cmd.exe
PID 2500 wrote to memory of 2516	2500	cmd.exe	cmd.exe
PID 2500 wrote to memory of 2516	2500	cmd.exe	cmd.exe
PID 2500 wrote to memory of 2516	2500	cmd.exe	cmd.exe
PID 2516 wrote to memory of 2536	2516	cmd.exe	findstr.exe
PID 2516 wrote to memory of 2536	2516	cmd.exe	findstr.exe
PID 2516 wrote to memory of 2536	2516	cmd.exe	findstr.exe
PID 2516 wrote to memory of 2536	2516	cmd.exe	findstr.exe
PID 2516 wrote to memory of 2648	2516	cmd.exe	Obliare.exe.com
PID 2516 wrote to memory of 2648	2516	cmd.exe	Obliare.exe.com
PID 2516 wrote to memory of 2648	2516	cmd.exe	Obliare.exe.com
PID 2516 wrote to memory of 2648	2516	cmd.exe	Obliare.exe.com
PID 2516 wrote to memory of 2588	2516	cmd.exe	PING.EXE
PID 2516 wrote to memory of 2588	2516	cmd.exe	PING.EXE
PID 2516 wrote to memory of 2588	2516	cmd.exe	PING.EXE
PID 2516 wrote to memory of 2588	2516	cmd.exe	PING.EXE
PID 2648 wrote to memory of 2692	2648	Obliare.exe.com	Obliare.exe.com
PID 2648 wrote to memory of 2692	2648	Obliare.exe.com	Obliare.exe.com
PID 2648 wrote to memory of 2692	2648	Obliare.exe.com	Obliare.exe.com
PID 2648 wrote to memory of 2692	2648	Obliare.exe.com	Obliare.exe.com

C:\Users\Admin\AppData\Local\Temp\f2bd0df5311675a26219beb6a7ecf4c3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f2bd0df5311675a26219beb6a7ecf4c3_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2868

C:\Windows\SysWOW64\dllhost.exe
dllhost.exe
2⤵
PID:2892

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Tese.cda
2⤵
- Suspicious use of WriteProcessMemory
PID:2500

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2516

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^SkrprNmxsapVXgwQJIfBGsUyrxvnNVjZIUgrROXCmqXbKCPONriyOFRAsXuJsqHvuphrqXYVLNeFxvcAEILJNukeeNMTIhknzBsAgMNPyjzqDkuV$" Far.cda
4⤵
PID:2536

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Obliare.exe.com
Obliare.exe.com q
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Obliare.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Obliare.exe.com q
5⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
PID:2692

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 30
4⤵
- Runs ping.exe
PID:2588

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Far.cda
Filesize
872KB

MD5
e8965baeaf038d5abe64c8eb90cc3e19

SHA1
d1e45c2432106e09625c70f0d3c456fca26132ff

SHA256
b6d20957a61943a9bc2f6ace4170a5c631c774e35d22382cc6f60c39514ffbae

SHA512
1f4eda3751d27df9b702ce6a1c1471307a3e7947ff9959ea895fab19d34057e68868d6e93712bfe3aa4ef8cab663c13c51a04412de6173a7c4f87db5d4d1e333

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sogni.cda
Filesize
634KB

MD5
33ea431acdc54eb20055057f41e6fc6e

SHA1
efdc7197e542a048873b464640abf48bde6e0855

SHA256
39afe9026b4c30249948f45bb4a1fcadba83642b5af0e7da03583ef58a8e10d1

SHA512
59b1dc7ca075c14520068bd9eadcbb6c561b182190671edc1b3f0426db7e4d95e4e950b1aa788b52386f96d2ddb523a6c447ddb6b6b8757fb16f0bec612e1567

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Splendore.cda
Filesize
745KB

MD5
1bbdc57424a53f6a10b2692db95066a8

SHA1
1ce47faa742a4312abd9ee1d6e67ad04b45afae2

SHA256
4ca0f711bdef0fdcd6dfc84fa03189555afe30e7c335a243e89bf702d9892e46

SHA512
9dc675231c47bcb3d60c054f72a1c198cc490f88ed49f781bb679166913694782b43d732107738fb99cb2a74c90fd84503c19dcb10a0971518061af8cc956d4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tese.cda
Filesize
459B

MD5
05e2ab200a15fe20d618c59990c8b9f3

SHA1
ceb19d0006b3372187582f880242fb718046fc8a

SHA256
bdc88dfbfe456b5b1c21bd69e8588654e7a7c2105f740cade301e0f91a5795db

SHA512
1a3f3538aaea1092ad6fe1c633f8dbe5e669cf88bf3f750c82d517713011387da3a76e4c8fd8c3a355decb4e1b532bb22f852e5ddb4b9d6b74c0090ab806d332

Download Submit
C:\Users\Admin\AppData\Local\Temp\xl1gUwl\_Files\_Information.txt
Filesize
8KB

MD5
29f4cabb3977d2a6afbd4e9797d51c2a

SHA1
7451a91eb6f29b9d80afa6fadd7ea076ebc2bc85

SHA256
9ead3b76ba7d2a9ce3974b46e5cd49cac8dbd10ad02526d71985e97476165398

SHA512
237b94da5e29e653832238492eac349e3f36ca58c9f2f4c8812e5299277332f7c99b7a1751cc0aa7873369114ab6b3fa6d25eb158683b327e68ae746f0b1610e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xl1gUwl\_Files\_Screen_Desktop.jpeg
Filesize
46KB

MD5
42d6fff7668a4d04d71cbddec33d6375

SHA1
666b6b2957a705eb025939dc98f7108c4eee4275

SHA256
9425b8513a1084bd9673ff001040251f6542d431ed1a456cd78a8e3fa2405777

SHA512
1e0f8d8bafc82ed81f52385f8a41e60475a71a1087c5c3ef2c928346b4a591415380ae91d317456430332c2d02361a390c6b43a96ddfe164915b84a9aa6505ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\xl1gUwl\files_\system_info.txt
Filesize
696B

MD5
7eb8596b07f16e34807211b691dca44e

SHA1
671810f83020cee65f10af10d066d8b84698a989

SHA256
18c11675255e79d371cbd63fff9e3452d0b8902e995c4ddd6bc8929c424afc34

SHA512
e0e2d99e436bc7714e7068405ca0a9ba0701753e9c560f786691a56e16ec9a015fa49c294e8ae6484bad566560d9bbec010aa4eb9fc876736bce60387dbc449c

Download Submit
C:\Users\Admin\AppData\Local\Temp\xl1gUwl\files_\system_info.txt
Filesize
4KB

MD5
bb298be6bd096801f720278876c6032b

SHA1
7f0815e57e4a7d00082f3195429998930f0de52c

SHA256
04fec950cc359c3d072c4c728d9f92880690a6576d261a4743db777119d29dbb

SHA512
8a0e3c3dc31274a19c1914530d8b9d5c4cc38dfeec8e74212d91835a7177fd8d4ca1acefb02b988f5066125fe583587e65773522131e9c1494282cad6c1a9b79

Download Submit
C:\Users\Admin\AppData\Local\Temp\xl1gUwl\gpPe54FN1r5.zip
Filesize
39KB

MD5
e6b41675ac7c33e82936c0e59c257461

SHA1
04e3aabdb59eba3311ec78a34cb3e1bbb2838daf

SHA256
7e5239411a193dcc5c2bca0b44e28b3e24d56e94d87f16dc733580d70c312d32

SHA512
2f258c455016f3fea8643d421f99c659bf4e3e8ed328917c3ef07be77dc2d2ce2b439db032be6e904cac7611488a9feddcc4098950895a549dee739a2fc72d1c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Obliare.exe.com
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/2692-24-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2692-29-0x0000000003AB0000-0x0000000003B53000-memory.dmp

Filesize
652KB

Download
memory/2692-31-0x0000000003AB0000-0x0000000003B53000-memory.dmp

Filesize
652KB

Download
memory/2692-32-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/2692-30-0x0000000003AB0000-0x0000000003B53000-memory.dmp

Filesize
652KB

Download
memory/2692-28-0x0000000003AB0000-0x0000000003B53000-memory.dmp

Filesize
652KB

Download
memory/2692-27-0x0000000003AB0000-0x0000000003B53000-memory.dmp

Filesize
652KB

Download
memory/2692-26-0x0000000003AB0000-0x0000000003B53000-memory.dmp

Filesize
652KB

Download
memory/2692-251-0x0000000003AB0000-0x0000000003B53000-memory.dmp

Filesize
652KB

Download
memory/2692-252-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/2692-25-0x0000000003AB0000-0x0000000003B53000-memory.dmp

Filesize
652KB

Download