cryptbot | 2027a3fc488a5ecfa69e9a9057c8975e2d28cd6c937197ec69fc896c971285c3

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21-04-2024 05:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe905ed17bcf3e53a9a38f0ace182e96_JaffaCakes118.exe
Size

1.5MB
MD5

fe905ed17bcf3e53a9a38f0ace182e96
SHA1

ff1cefd1d5310c2d1aee48f770753bd7cd64e669
SHA256

2027a3fc488a5ecfa69e9a9057c8975e2d28cd6c937197ec69fc896c971285c3
SHA512

4c09285f0629ead58770238b2637abd561ec39748336526903fa943cc3a11cf51c1d5c38d5d145b8d857cfa3f3fc12a85d288797c398c284de817f51ccf087c7
SSDEEP

24576:fFb534xD3XpyiIkLlHpEZDsKdW4RvYijfWHaAZ0iWc7MupkAy/jLAT5FrFlPMtcm:Jh4ZdZpyDsKdWbijoT5fMupfILWlBpMt

Score

10^/10

cryptbot discovery persistence spyware stealer

Malware Config

Extracted

Family

cryptbot

ewaqfe45.top

morjau04.top

Attributes

payload_url
http://winhaf05.top/download.php?file=lv.exe

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3992-25-0x0000000000710000-0x00000000007B3000-memory.dmp	family_cryptbot
behavioral1/memory/3992-26-0x0000000000710000-0x00000000007B3000-memory.dmp	family_cryptbot
behavioral1/memory/3992-27-0x0000000000710000-0x00000000007B3000-memory.dmp	family_cryptbot
behavioral1/memory/3992-29-0x0000000000710000-0x00000000007B3000-memory.dmp	family_cryptbot
behavioral1/memory/3992-246-0x0000000000710000-0x00000000007B3000-memory.dmp	family_cryptbot

Executes dropped EXE 2 IoCs

Processes:

Poi.exe.comPoi.exe.com

pid process

3548 Poi.exe.com
3992 Poi.exe.com
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3548	Poi.exe.com
3992	Poi.exe.com

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

fe905ed17bcf3e53a9a38f0ace182e96_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fe905ed17bcf3e53a9a38f0ace182e96_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Poi.exe.com

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Poi.exe.com
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Poi.exe.com

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1212 PING.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Poi.exe.com

pid process

3992 Poi.exe.com
3992 Poi.exe.com

pid	process
1212	PING.EXE

pid	process
3992	Poi.exe.com
3992	Poi.exe.com

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

fe905ed17bcf3e53a9a38f0ace182e96_JaffaCakes118.execmd.execmd.exePoi.exe.com

description	pid	process	target process
PID 3268 wrote to memory of 3720	3268	fe905ed17bcf3e53a9a38f0ace182e96_JaffaCakes118.exe	cmd.exe
PID 3268 wrote to memory of 3720	3268	fe905ed17bcf3e53a9a38f0ace182e96_JaffaCakes118.exe	cmd.exe
PID 3268 wrote to memory of 3720	3268	fe905ed17bcf3e53a9a38f0ace182e96_JaffaCakes118.exe	cmd.exe
PID 3268 wrote to memory of 3144	3268	fe905ed17bcf3e53a9a38f0ace182e96_JaffaCakes118.exe	cmd.exe
PID 3268 wrote to memory of 3144	3268	fe905ed17bcf3e53a9a38f0ace182e96_JaffaCakes118.exe	cmd.exe
PID 3268 wrote to memory of 3144	3268	fe905ed17bcf3e53a9a38f0ace182e96_JaffaCakes118.exe	cmd.exe
PID 3144 wrote to memory of 4920	3144	cmd.exe	cmd.exe
PID 3144 wrote to memory of 4920	3144	cmd.exe	cmd.exe
PID 3144 wrote to memory of 4920	3144	cmd.exe	cmd.exe
PID 4920 wrote to memory of 2060	4920	cmd.exe	findstr.exe
PID 4920 wrote to memory of 2060	4920	cmd.exe	findstr.exe
PID 4920 wrote to memory of 2060	4920	cmd.exe	findstr.exe
PID 4920 wrote to memory of 3548	4920	cmd.exe	Poi.exe.com
PID 4920 wrote to memory of 3548	4920	cmd.exe	Poi.exe.com
PID 4920 wrote to memory of 3548	4920	cmd.exe	Poi.exe.com
PID 4920 wrote to memory of 1212	4920	cmd.exe	PING.EXE
PID 4920 wrote to memory of 1212	4920	cmd.exe	PING.EXE
PID 4920 wrote to memory of 1212	4920	cmd.exe	PING.EXE
PID 3548 wrote to memory of 3992	3548	Poi.exe.com	Poi.exe.com
PID 3548 wrote to memory of 3992	3548	Poi.exe.com	Poi.exe.com
PID 3548 wrote to memory of 3992	3548	Poi.exe.com	Poi.exe.com

C:\Users\Admin\AppData\Local\Temp\fe905ed17bcf3e53a9a38f0ace182e96_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fe905ed17bcf3e53a9a38f0ace182e96_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3268

C:\Windows\SysWOW64\cmd.exe
cmd /c UcNzcjbM
2⤵
PID:3720

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Amo.sys
2⤵
- Suspicious use of WriteProcessMemory
PID:3144

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Suspicious use of WriteProcessMemory
PID:4920

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^fEQJhwnKKuicpzjpscwvTJMvNeQkoysJJdDVeObWsMNmmUcuUwpUoKgFSxVlkhBEObLTPduDXttuWhWTGJsiVbAZwY$" Orti.sys
4⤵
PID:2060

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com
Poi.exe.com o
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3548

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com o
5⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
PID:3992

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 30
4⤵
- Runs ping.exe
PID:1212

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amo.sys
Filesize
435B

MD5
66712fc92a4d05bfc412b18541a1e8df

SHA1
bf4fb00e6b894338aea687cbf537c90fc255710a

SHA256
750eed4b135f1ea433781bc4b9bb26029b2c49dbc647248460b3409329d30e0f

SHA512
a792210dacd9018a16b3071deb823d0a9d66ec86d043d7dae5049bbec74dbf7446565d4262b01cf3acefa7088e344d15651339e7a831f96c3b68aa88e3bd8049

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cancellato.sys
Filesize
634KB

MD5
54f0e73b5a88d409599b7e3e750d7b3e

SHA1
505d7e828d731229a6de916484cab7dedb46b514

SHA256
34ab271f23045173ce6aba259cc4a4e4c865bad16f477e6835a8bc5b7b522dbe

SHA512
1c351347ba9a1a14f9d115f62e79817e33e8029eae9f41096d082d2edd3faec7ced9fb6757750cd72d300c7b10f651f2466899cbb1586e0014a308f2aa874d9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Dov.sys
Filesize
740KB

MD5
12ff8e0efd9f2562d16b1e80732199d6

SHA1
72bee424ae31db9d44af600d3ed7efe2fd302feb

SHA256
04e8cb2989a65eba72595910983a478060804d0574f7601e63ca2a2019ea2f6d

SHA512
31e5fb89c6b1e8cf8d5880cd7be02bd211621fa9173f2e809565d050b019ff04926e12a2520c404fbf7d4ae1df9dcb52e2c6da6d68abbbaecdff6ebc7032a489

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Orti.sys
Filesize
872KB

MD5
6204adb9ff1ab1b352c0d002898066f8

SHA1
187a0baa6edf36c368228803ca848ff936d960f0

SHA256
286df8487ecbacbd539fe964823253f8d0a8f515079b44938b09a1a1bee2e6ee

SHA512
eb9478ff389a6e392d8db73240c0f917ad004ca685f35f74a36e5f779530b5f707eabb28f64be1c283c74e640817acf85b266508ee0d3360b43abfe08fc4ef32

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Poi.exe.com
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\JrBXeSxO\YUcnKIH7nNVu.zip
Filesize
39KB

MD5
e2d8180bf89a4504bc3a32e9736b1783

SHA1
28b9d446cfe3699102fa39b1b985b5866c2efd6f

SHA256
7b066afdaee7c3ee2a4397d25061e1ddeec2e253f3fd894bed4797971e0b7910

SHA512
fd7d8790a817ffdd10ec23af2661dd222ac6d08664970f76023497aab0680386589ad97b19dcd79d444e506d41ecac23df21c16f5c8c7e520d6be69eaea4af8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\JrBXeSxO\_Files\_Information.txt
Filesize
1KB

MD5
e7f81e2174bad860193c9c97e03dd070

SHA1
e82f9fa63e0e234e56b0c09cd77f8c0e3c14bd98

SHA256
4940437da70740ee2b8b44d4f9341eb617af01a77bbf7b97630fe4f2b0810e4c

SHA512
5f69bff7943495f490fb33b210dfd466650642664d9a1e565a453b36c054bcde4edae6d048b9aa75eb586161529229bcd9398462ee49eee4a035171b6d115c1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\JrBXeSxO\_Files\_Information.txt
Filesize
3KB

MD5
e239384839368b991f2cdb9e1e3e5ce1

SHA1
0e574f29d2fe734f5f488a5989798d12afa88abc

SHA256
05615bac1269dd44ab229132aee4a8b0dad5ad55316dbe70de4ea62cfa966373

SHA512
dd8bee7c59b1c4a44d39eb332f4052d6adcc693915a833194892fc010bbf17eb90e96405dd966842279df5bbe3bf7c0d09c8386a5f909ef0c5c4e041cddd8a99

Download Submit
C:\Users\Admin\AppData\Local\Temp\JrBXeSxO\_Files\_Information.txt
Filesize
4KB

MD5
a22a90d9807416f15fe9ed9dd0b6a5d7

SHA1
fd84c3927c89e5b519b976f76d7d85aad464db87

SHA256
70526ef3b0a79851faafbaf1f7a055f587df9f29e00bc74d74f59512cf749e75

SHA512
0cf6828cd49bcaeff9c99cc4ddcba13c189309b4914ad79559a76ba8171cdaca8bc7f651285995572d4269d98aa79722b0b979fb30c59b9655fc5101de8c9a07

Download Submit
C:\Users\Admin\AppData\Local\Temp\JrBXeSxO\_Files\_Screen_Desktop.jpeg
Filesize
45KB

MD5
a326699439a528f0f163620370133ff9

SHA1
058e9e1959848698bc02e0d0886054d2a1442df1

SHA256
81dcb6c72d8f828a749e8358e42e7913accead16da3ff94b16bd7c26fdfddabd

SHA512
db81a57c21a177a3b01a44b03a39990f33007d4c135ac35dd7838b8ca1323855ea521287e2a33e9e4e41f9067fb747568bcbbc6eab0141b7a9ceb937cb678a0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\JrBXeSxO\files_\system_info.txt
Filesize
1KB

MD5
73a40b352f39da72d55a855507474eed

SHA1
9addb5e82f411f277b63ea533098ed49ad215180

SHA256
e263b92b744ac0edfe32ada449028d45e1d73b7ac3fbbf1a5cfdb55d2138a55b

SHA512
644c00c4e07f292a802449210d8b2603a46b4b8c8c435bdd7f71ad3d58c071855caadf37474d9d1da01f41c64767c4e536628861ff4ce986ca851bf60fafa97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\JrBXeSxO\files_\system_info.txt
Filesize
3KB

MD5
3d96dd715a261df7967805ad38ab55bb

SHA1
c320bf15a0eab59d90db60442dee2421a888fc24

SHA256
9a03b43c7fe6f18b0d0aeb427d9655e4d660535aebd05f5116ffa93982323f60

SHA512
39d944fd7481c3ef8831db60c82625ea83cb5cc7bae007a86356e449e17ff4467dfd09556d3fa5cd30bc298782f4aa951cb5240a10f8d4c327b0e3f4dad4ee14

Download Submit
C:\Users\Admin\AppData\Local\Temp\JrBXeSxO\files_\system_info.txt
Filesize
7KB

MD5
5de2cedec396ca681273c7ee552feb36

SHA1
f5503ad81aac4e7f10960ef841ac2f960468b45c

SHA256
678b77b398482a428a76f3b46848ff4225d43b10dac7eee6c6215e0c15b7fd3c

SHA512
f21a046ec53e5368c2c71de86994b1a854a36be0c2a8850db6510a5e6d27b649b8e66e2dd8a179c718d970ba6cac3674e2a87f1a67eaaf0084a8b0d664c7861a

Download Submit
memory/3992-21-0x0000000000F70000-0x0000000000F71000-memory.dmp

Filesize
4KB

Download
memory/3992-29-0x0000000000710000-0x00000000007B3000-memory.dmp

Filesize
652KB

Download
memory/3992-27-0x0000000000710000-0x00000000007B3000-memory.dmp

Filesize
652KB

Download
memory/3992-26-0x0000000000710000-0x00000000007B3000-memory.dmp

Filesize
652KB

Download
memory/3992-25-0x0000000000710000-0x00000000007B3000-memory.dmp

Filesize
652KB

Download
memory/3992-24-0x0000000000710000-0x00000000007B3000-memory.dmp

Filesize
652KB

Download
memory/3992-23-0x0000000000710000-0x00000000007B3000-memory.dmp

Filesize
652KB

Download
memory/3992-22-0x0000000000710000-0x00000000007B3000-memory.dmp

Filesize
652KB

Download
memory/3992-246-0x0000000000710000-0x00000000007B3000-memory.dmp

Filesize
652KB

Download