cryptbot | 28877275c2c938f24cd0bf43f2c0cef090c58b7a85a988b2f6dff4970660b07d

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19-04-2024 23:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb660cd8294a2f697bc610d746833d91_JaffaCakes118.exe
Size

760KB
MD5

fb660cd8294a2f697bc610d746833d91
SHA1

e9cfc83ec806592a49bd094e2bbc07c937e0c9e2
SHA256

28877275c2c938f24cd0bf43f2c0cef090c58b7a85a988b2f6dff4970660b07d
SHA512

10da1e75c4aeb3df811dd22a2da4528227f8d7350bfa5992ef6cc4f3f8822e2c7ffdf897040635c1476f95b0112f13376be7cb849a8dea81455db73056329c92
SSDEEP

12288:n0JPFOR1iusUfrhWlR7b00lfTu+PaOpGEIyl+fnbKx/Dpclca1lUSvsNdH1GXiD:KOR1iusUT0L7fTuMNuydFaYSgHcXi

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Extracted

Family

cryptbot

ewaisg12.top

morvay01.top

Attributes

payload_url
http://winezo01.top/download.php?file=lv.exe

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1284-2-0x0000000002140000-0x0000000002221000-memory.dmp	family_cryptbot
behavioral2/memory/1284-3-0x0000000000400000-0x00000000004E5000-memory.dmp	family_cryptbot
behavioral2/memory/1284-223-0x0000000000400000-0x00000000004E5000-memory.dmp	family_cryptbot
behavioral2/memory/1284-233-0x0000000002140000-0x0000000002221000-memory.dmp	family_cryptbot

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

fb660cd8294a2f697bc610d746833d91_JaffaCakes118.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation fb660cd8294a2f697bc610d746833d91_JaffaCakes118.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4796 1284 WerFault.exe fb660cd8294a2f697bc610d746833d91_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	fb660cd8294a2f697bc610d746833d91_JaffaCakes118.exe

pid	pid_target	process	target process
4796	1284	WerFault.exe	fb660cd8294a2f697bc610d746833d91_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fb660cd8294a2f697bc610d746833d91_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	fb660cd8294a2f697bc610d746833d91_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	fb660cd8294a2f697bc610d746833d91_JaffaCakes118.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4084 timeout.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

fb660cd8294a2f697bc610d746833d91_JaffaCakes118.exe

pid process

1284 fb660cd8294a2f697bc610d746833d91_JaffaCakes118.exe
1284 fb660cd8294a2f697bc610d746833d91_JaffaCakes118.exe

pid	process
4084	timeout.exe

pid	process
1284	fb660cd8294a2f697bc610d746833d91_JaffaCakes118.exe
1284	fb660cd8294a2f697bc610d746833d91_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

fb660cd8294a2f697bc610d746833d91_JaffaCakes118.execmd.exe

description	pid	process	target process
PID 1284 wrote to memory of 1272	1284	fb660cd8294a2f697bc610d746833d91_JaffaCakes118.exe	cmd.exe
PID 1284 wrote to memory of 1272	1284	fb660cd8294a2f697bc610d746833d91_JaffaCakes118.exe	cmd.exe
PID 1284 wrote to memory of 1272	1284	fb660cd8294a2f697bc610d746833d91_JaffaCakes118.exe	cmd.exe
PID 1272 wrote to memory of 4084	1272	cmd.exe	timeout.exe
PID 1272 wrote to memory of 4084	1272	cmd.exe	timeout.exe
PID 1272 wrote to memory of 4084	1272	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\fb660cd8294a2f697bc610d746833d91_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fb660cd8294a2f697bc610d746833d91_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1284

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\vIHNdGSqGWE & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\fb660cd8294a2f697bc610d746833d91_JaffaCakes118.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1272

C:\Windows\SysWOW64\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 1400
2⤵
- Program crash
PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1284 -ip 1284
1⤵
PID:1768

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\vIHNdGSqGWE\DZMJMW~1.ZIP
Filesize
37KB

MD5
5385a747c33e6c26598873fbd498778f

SHA1
15ce1ee4f5a7525260430e05b298073be6a571a0

SHA256
28748aff1fa00f294e35895daeda739449466fd8a5859235e44f91eb41b5c95e

SHA512
7b0411d0bb05f6d510b712dddced69684df9282bc8dac9758c2eff051ab52a3ec8a286571c41d449e17c4f5d1bb795ec24b4beea8ddf2d96c42a74d6384f7fef

Download Submit
C:\Users\Admin\AppData\Local\Temp\vIHNdGSqGWE\YFUAXY~1.ZIP
Filesize
37KB

MD5
e765903538f06810641d6ea47829b5a7

SHA1
5bf1e8c0cd91b883a7fcb07df8b2533d8494f180

SHA256
c355e3a91278242aa66b3f84575eb159b2e6bf68fea49456725fe27c3c31672b

SHA512
d7f5e549eb4e9d36704b632d4e51cbbf2b3bae16c4fd25265e7bc5c3e784d3e8a05d3cbe2b70c655669d99bfa1fc6ea53ecaac2adfa2ee93dadf7a77b8640567

Download Submit
C:\Users\Admin\AppData\Local\Temp\vIHNdGSqGWE\_Files\_INFOR~1.TXT
Filesize
7KB

MD5
1528a770e1013a8b0d8359b6f4483c17

SHA1
a668822bcb54333430f16c130ad6b548f56c8dc1

SHA256
496e6fe3f1444c5dc98308c82e9dd447a04456603769b926f13f7894f58a52e4

SHA512
231f68a079774b5312026b98ac68d16668e5317c93967b202d63d69373cbf6fd52d1402f5139bcafe9f6193456a25a6b5045236b1c12c6b58ca2dccbb9074e9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vIHNdGSqGWE\_Files\_Information.txt
Filesize
1KB

MD5
2ac579113668ca516899238f045e02db

SHA1
c1f3aedd93c027930fb87e350fc1c13483639219

SHA256
d383537ba9d9b8b8a43d09deb1ec212e707d31241fcc906d493c38a4af0d3cb2

SHA512
4a30f92782e220a2e60f37c5dffabd5e114585a5d0543c7f4433639a9c76fedd5234eb1a1f7213161005255a061814a4823d265516920fd4353d1accc5f8d397

Download Submit
C:\Users\Admin\AppData\Local\Temp\vIHNdGSqGWE\_Files\_Information.txt
Filesize
4KB

MD5
cf721ca009fc40320f5185bbc9e5f045

SHA1
6dfbbad329464be5688c49a24706702c95647888

SHA256
7fff3d0094e5ba52f8540c68c139cdd0db51e81c03f1714ff999555fcb476b92

SHA512
244f02fce54996d61329184555b0829fe3d174e7a7d7d61d025c4cb21472bb6a2ec88f340fcd95749f470d81d075687f5177be504c566da8c56584e1d2cc217e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vIHNdGSqGWE\_Files\_Screen_Desktop.jpeg
Filesize
43KB

MD5
630a3ffde64cd7efadd191dccbfc78bf

SHA1
05bda8e84dc67c5a2a988fea941ffef2726be6aa

SHA256
93ce6ba6339e4e7d7b893debabb9dd0e46db73eb94de003cfffca97221a6b72d

SHA512
1e96bf38c13ad4aeff38c901d6e785d1494d11b97946d2d9985188c871d9ef5d296f1895bcf5057b0e8fdf830253d3738a5b5c2418f0fabd6d50babdb463cffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\vIHNdGSqGWE\files_\system_info.txt
Filesize
7KB

MD5
dfcb40acc4ed42c04efa5fe30c395225

SHA1
6ce531c06cd85c453ff21cf8be4edbec9570e305

SHA256
e2c35465482610131bc4eb29e8ebf1de064901df13588987f4330bd2b718ee69

SHA512
40bd9a4b05038c1e16c15dbefebe3ecd76069f981efac70706130d1db84ab67204a3495f5197fb34accdf82a452ab60dbcedba6125fb1148c313ccaf782f31f4

Download Submit
memory/1284-223-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1284-224-0x00000000005D0000-0x00000000006D0000-memory.dmp

Filesize
1024KB

Download
memory/1284-1-0x00000000005D0000-0x00000000006D0000-memory.dmp

Filesize
1024KB

Download
memory/1284-3-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1284-2-0x0000000002140000-0x0000000002221000-memory.dmp

Filesize
900KB

Download
memory/1284-233-0x0000000002140000-0x0000000002221000-memory.dmp

Filesize
900KB

Download