cryptbot | b1b56f177a463229c447d60683f7420530042faefc2f50077d7dd137ee40ba5d

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16-04-2024 14:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3b72059e2de728e8e501e3ad626af45_JaffaCakes118.exe
Size

378KB
MD5

f3b72059e2de728e8e501e3ad626af45
SHA1

1af07d2d24adf92faf1bdf2357a098b3949fdbb3
SHA256

b1b56f177a463229c447d60683f7420530042faefc2f50077d7dd137ee40ba5d
SHA512

6fcc5c5e548b14705762f801f6bb30960ab7da481a7ea5f90d4f7af716046b327c401389ccd931e323b637333090f5ae765389da58b4be365ad447838a2b7a46
SSDEEP

6144:ohVc2rkTw3AQ0U+cUGh/ixN2r05y1FskG5btnMhoe9E:ohVcI0UXixN75cG5btn+d9

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Extracted

Family

cryptbot

cemfyj62.top

morota06.top

Attributes

payload_url
http://bojitn09.top/download.php?file=lv.exe

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f3b72059e2de728e8e501e3ad626af45_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	f3b72059e2de728e8e501e3ad626af45_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	f3b72059e2de728e8e501e3ad626af45_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\f3b72059e2de728e8e501e3ad626af45_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f3b72059e2de728e8e501e3ad626af45_JaffaCakes118.exe"
1⤵
- Checks processor information in registry
PID:1812

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lQXrSBuku\_Files\_Information.txt
Filesize
2KB

MD5
e118b95bf956cf1009a2e824c5e2ca13

SHA1
e581e0dfe5c91b940a5016aab38caca5a6f2a30b

SHA256
3ac9758d584890b3b8cb22a2d96ad51be9ebe592bb2a07433a9f3d2c7d869046

SHA512
b8c3e987776e0781a06caaf334913fbee8b553076b89660db5e99b83fc099ca8573dca46d5b520bffdb0adf65b483d2b420492e3ecf00d3536869abfa53bd54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lQXrSBuku\_Files\_Information.txt
Filesize
5KB

MD5
d258202846a942a82c61399bf693ee61

SHA1
21a66c5d3410d6f104af84d6cb747a71dd73f3d8

SHA256
8dc05232f8b86044e6400baa8329fe83a3f24b78dd93b0667034a162b16c9f76

SHA512
2aeeb754e269150e236e3f1f153a965575855ca054de36a5166991e6a291239258738378d91798042d84fe220e9b17662f1c7a21375364b641921f4e710c0fac

Download Submit
C:\Users\Admin\AppData\Local\Temp\lQXrSBuku\_Files\_Screen_Desktop.jpeg
Filesize
51KB

MD5
867977a9ed5115c2d7103971619f66df

SHA1
50d0e006f0df94f33d5f2703148ea255aa173a93

SHA256
b7dc06eb559b1a540b9e7bc8ec07be9cf2c657c4cd9eba2d5b85a658f2c69e25

SHA512
617fc68067ba1c374721360b287fafb7cbab62338ac4b00da7428097108e9c742342c6984e51fff6eb6f10c2a19301d68178a4933c0209d9e7046fb6e25afc8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\lQXrSBuku\tbYioyiRBpPT.zip
Filesize
45KB

MD5
355a018f9718e58bfc6bce4c6f2d10cb

SHA1
68e8120ce2af2c81f4c24c3bb3df010122839a04

SHA256
bf1f588d7ae25e36e9f6d924e14fe962a1f59e4b82fe8d68f20ef1561663bb53

SHA512
edc56dfedf38f0bd5e809efbf9a226ae5ed96481ae3817c5ab842b5b8034d08325a02561b131292e0681d254ecf1baed6ae8fbe04931b38e444ba3e3d693c8ab

Download Submit
memory/1812-126-0x0000000000400000-0x00000000016D2000-memory.dmp

Filesize
18.8MB

Download
memory/1812-129-0x0000000000400000-0x00000000016D2000-memory.dmp

Filesize
18.8MB

Download
memory/1812-114-0x0000000000400000-0x00000000016D2000-memory.dmp

Filesize
18.8MB

Download
memory/1812-120-0x0000000000400000-0x00000000016D2000-memory.dmp

Filesize
18.8MB

Download
memory/1812-121-0x0000000001980000-0x0000000001A80000-memory.dmp

Filesize
1024KB

Download
memory/1812-123-0x0000000003420000-0x0000000003465000-memory.dmp

Filesize
276KB

Download
memory/1812-125-0x0000000000400000-0x00000000016D2000-memory.dmp

Filesize
18.8MB

Download
memory/1812-2-0x0000000003420000-0x0000000003465000-memory.dmp

Filesize
276KB

Download
memory/1812-1-0x0000000001980000-0x0000000001A80000-memory.dmp

Filesize
1024KB

Download
memory/1812-3-0x0000000000400000-0x00000000016D2000-memory.dmp

Filesize
18.8MB

Download
memory/1812-132-0x0000000000400000-0x00000000016D2000-memory.dmp

Filesize
18.8MB

Download
memory/1812-135-0x0000000000400000-0x00000000016D2000-memory.dmp

Filesize
18.8MB

Download
memory/1812-138-0x0000000000400000-0x00000000016D2000-memory.dmp

Filesize
18.8MB

Download
memory/1812-141-0x0000000000400000-0x00000000016D2000-memory.dmp

Filesize
18.8MB

Download
memory/1812-145-0x0000000000400000-0x00000000016D2000-memory.dmp

Filesize
18.8MB

Download
memory/1812-148-0x0000000000400000-0x00000000016D2000-memory.dmp

Filesize
18.8MB

Download
memory/1812-151-0x0000000000400000-0x00000000016D2000-memory.dmp

Filesize
18.8MB

Download
memory/1812-154-0x0000000000400000-0x00000000016D2000-memory.dmp

Filesize
18.8MB

Download
memory/1812-157-0x0000000000400000-0x00000000016D2000-memory.dmp

Filesize
18.8MB

Download
memory/1812-160-0x0000000000400000-0x00000000016D2000-memory.dmp

Filesize
18.8MB

Download