cryptbot | 194c939150cd885553cc6e02f1c8dbe5fb7bf327556245d76d6ea165ec959670

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19-04-2024 01:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f93df5b9d273ec9921943e36de014dfc_JaffaCakes118.exe
Size

759KB
MD5

f93df5b9d273ec9921943e36de014dfc
SHA1

95d42a9e6c989ebd15b24c2ae997b142f5c063cd
SHA256

194c939150cd885553cc6e02f1c8dbe5fb7bf327556245d76d6ea165ec959670
SHA512

4fd5fbc6cd08367de3bbf71d05dd5ef0dd205ee8655b4511ff6249db2d47870a8173fee158a66bab55d8bcf5c02cb4f402584d23274fd8184d24264657e60cf0
SSDEEP

12288:afyWzL1hFtK0pMQS3NRLSbL/3PiSQ9GLLsHBsVIdEJ6p206Z0yY9qigKekeqn/:sL1hFtK+9vPc9G4BsZP0RyABePqn/

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Extracted

Family

cryptbot

smarew72.top

moriwi07.top

Attributes

payload_url
http://guruzo10.top/download.php?file=lv.exe

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3900-2-0x00000000022C0000-0x00000000023A1000-memory.dmp	family_cryptbot
behavioral2/memory/3900-3-0x0000000000400000-0x00000000004E5000-memory.dmp	family_cryptbot
behavioral2/memory/3900-223-0x0000000000400000-0x00000000004E5000-memory.dmp	family_cryptbot
behavioral2/memory/3900-232-0x00000000022C0000-0x00000000023A1000-memory.dmp	family_cryptbot

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

f93df5b9d273ec9921943e36de014dfc_JaffaCakes118.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Control Panel\International\Geo\Nation f93df5b9d273ec9921943e36de014dfc_JaffaCakes118.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4652 3900 WerFault.exe f93df5b9d273ec9921943e36de014dfc_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Control Panel\International\Geo\Nation	f93df5b9d273ec9921943e36de014dfc_JaffaCakes118.exe

pid	pid_target	process	target process
4652	3900	WerFault.exe	f93df5b9d273ec9921943e36de014dfc_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f93df5b9d273ec9921943e36de014dfc_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	f93df5b9d273ec9921943e36de014dfc_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	f93df5b9d273ec9921943e36de014dfc_JaffaCakes118.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4712 timeout.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

f93df5b9d273ec9921943e36de014dfc_JaffaCakes118.exe

pid process

3900 f93df5b9d273ec9921943e36de014dfc_JaffaCakes118.exe
3900 f93df5b9d273ec9921943e36de014dfc_JaffaCakes118.exe

pid	process
4712	timeout.exe

pid	process
3900	f93df5b9d273ec9921943e36de014dfc_JaffaCakes118.exe
3900	f93df5b9d273ec9921943e36de014dfc_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

f93df5b9d273ec9921943e36de014dfc_JaffaCakes118.execmd.exe

description	pid	process	target process
PID 3900 wrote to memory of 4248	3900	f93df5b9d273ec9921943e36de014dfc_JaffaCakes118.exe	cmd.exe
PID 3900 wrote to memory of 4248	3900	f93df5b9d273ec9921943e36de014dfc_JaffaCakes118.exe	cmd.exe
PID 3900 wrote to memory of 4248	3900	f93df5b9d273ec9921943e36de014dfc_JaffaCakes118.exe	cmd.exe
PID 4248 wrote to memory of 4712	4248	cmd.exe	timeout.exe
PID 4248 wrote to memory of 4712	4248	cmd.exe	timeout.exe
PID 4248 wrote to memory of 4712	4248	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\f93df5b9d273ec9921943e36de014dfc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f93df5b9d273ec9921943e36de014dfc_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3900

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\BvwgWdgV & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\f93df5b9d273ec9921943e36de014dfc_JaffaCakes118.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4248

C:\Windows\SysWOW64\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 1252
2⤵
- Program crash
PID:4652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3900 -ip 3900
1⤵
PID:1552

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BvwgWdgV\IOTFIB~1.ZIP
Filesize
44KB

MD5
feb866487134327c2f60ae208cbbde93

SHA1
99601a780dc7b4da4d7bc2dd6db917b4bc370252

SHA256
709816e9b2da07e6a89d80400f9b69f4ada641c500967c9ff666d31db3e92a6e

SHA512
1ba2210b8327c9d36217745256ac0970223c768ebdb730dadf88feccf9eb02877ce8f0cbcface2c298a505dab10fbb59c04a244d438a27b700d76bfe64e0112b

Download Submit
C:\Users\Admin\AppData\Local\Temp\BvwgWdgV\SCCXQK~1.ZIP
Filesize
44KB

MD5
cefb3855e3c44a57bbe727d380884ed9

SHA1
d2653b2e16cd721ad993aceb6d21d027ce1f7375

SHA256
b69083ff955738403ba38fedd0321fe568d19933ef422529e2093cab15aa8a53

SHA512
c0607d1809ea2546c8a53aca9d22c62a362b0892eb79f2042b3f2a22cf903481476d94ef4a14b107b638213138aecd6ac1f6fad93d0f65c83d507b8b8a123435

Download Submit
C:\Users\Admin\AppData\Local\Temp\BvwgWdgV\_Files\_INFOR~1.TXT
Filesize
7KB

MD5
4dc0a371da04290e6a569e8ba9b72104

SHA1
1d3fed478b5774297751e762739fdb634f122cda

SHA256
da5938472218a6fc38d80fb808d5007c647b5f4f93787f1ad70be1f1ddcafa10

SHA512
21e28a3046667730aec0e5295717990409e099481849b9b8a615643910ef1bb8c8b22fb79da4ae5ad8ad6a9505fc733a38834183aae17bf851f3611bbfcf72d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\BvwgWdgV\_Files\_Information.txt
Filesize
4KB

MD5
7c36932d4a173dc0a37999ceb5948e75

SHA1
43a33af493389048f394ff56d6ed0a510b5b3c5b

SHA256
da6e07d54975dc44948644a19f12e63dc82e4bcf5164813e5f0933f474bac9af

SHA512
91a17408ef07713c45509a1969af0f8294569ee8f2ba87bd8a144c484761ce63edf9ec135641eb83a4160981ead49b531a04365d0c93235b3946a138d955e931

Download Submit
C:\Users\Admin\AppData\Local\Temp\BvwgWdgV\_Files\_Screen_Desktop.jpeg
Filesize
49KB

MD5
5352f627e32d358d3ec577b36a8279b2

SHA1
e81e6a6fe3c32772414e6eb681a9fa4af5aadad5

SHA256
ce79fa500617628eaaaf6b25e9b20e2776bb7a90457fab1043e3f547185d511c

SHA512
5f6c5f7d5e45d2d5d7591939afa21045cdecddf11e9bdee93e29d975fd0141d64f2a78ffca65ad0ecb1ffeb7119f957e1475f8c00347b7025ff718efbd2c7467

Download Submit
C:\Users\Admin\AppData\Local\Temp\BvwgWdgV\files_\system_info.txt
Filesize
1KB

MD5
9a6802e0f2ad35fb1b4c8075fa7d3fbe

SHA1
9b34b34fa16a43b4440e99aa8b61e6763c8e6b1d

SHA256
deac04fbb10d985bcec67f97b4cd10cb2e7c4b85384a91ed82f6974b9ca4edea

SHA512
0850100ffb14820133727e245d1840e9f2bd6ebe522490ed41fb413aa142da82388a4eccebca27b3e54017dd8124d851f3b009d5a94154fa2e0f0091f6819951

Download Submit
C:\Users\Admin\AppData\Local\Temp\BvwgWdgV\files_\system_info.txt
Filesize
7KB

MD5
a1840cad6fc551737978b2ce2b656390

SHA1
f557c21d1511dce718c052a989ff7b6fddd199ba

SHA256
180785f1593de58a846092727bd07f8959f95fc51619e8439e957f4da1fb2bcd

SHA512
80a9efaa41a0ab528351f0f67f6b7c099547bd518ac6cc580360c64a804fc6ee3d3494c17d0677dab8b55928df398b1a0aed426b937672e0a128ba444c876c0d

Download Submit
memory/3900-223-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/3900-1-0x0000000000720000-0x0000000000820000-memory.dmp

Filesize
1024KB

Download
memory/3900-3-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/3900-2-0x00000000022C0000-0x00000000023A1000-memory.dmp

Filesize
900KB

Download
memory/3900-230-0x0000000000720000-0x0000000000820000-memory.dmp

Filesize
1024KB

Download
memory/3900-232-0x00000000022C0000-0x00000000023A1000-memory.dmp

Filesize
900KB

Download