cryptbot | ee5b09954a950e20e33ce451943a8c5175952debebc38e9e2ef936919024ac0d

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
26-04-2024 17:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0140a745a3d50602f682794dee1d706a_JaffaCakes118.exe
Size

2.1MB
MD5

0140a745a3d50602f682794dee1d706a
SHA1

92e80b0de3d4e7a2f26269324c7fc1018d066fdf
SHA256

ee5b09954a950e20e33ce451943a8c5175952debebc38e9e2ef936919024ac0d
SHA512

41d6b17efc1cbec2433feb2dd0b39bf51c16f6c2cc384ce975b3d44c4286f8c00caa9209360eb656221ef6b67dc867ddd5b1f81bd71869fdefdaac15058ae4f7
SSDEEP

49152:ysUNRFq5IlO39JyC1lgRlX2S3aTYg0dB8nrDpH:yZdqEONJz16vmS3lg5N

Score

10^/10

cryptbot discovery evasion spyware stealer

Malware Config

Extracted

Family

cryptbot

bibinene03.top

moraass05.top

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 16 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1724-7-0x0000000000180000-0x0000000000695000-memory.dmp	family_cryptbot
behavioral1/memory/1724-237-0x0000000000180000-0x0000000000695000-memory.dmp	family_cryptbot
behavioral1/memory/1724-239-0x0000000000180000-0x0000000000695000-memory.dmp	family_cryptbot
behavioral1/memory/1724-240-0x0000000000180000-0x0000000000695000-memory.dmp	family_cryptbot
behavioral1/memory/1724-244-0x0000000000180000-0x0000000000695000-memory.dmp	family_cryptbot
behavioral1/memory/1724-246-0x0000000000180000-0x0000000000695000-memory.dmp	family_cryptbot
behavioral1/memory/1724-249-0x0000000000180000-0x0000000000695000-memory.dmp	family_cryptbot
behavioral1/memory/1724-251-0x0000000000180000-0x0000000000695000-memory.dmp	family_cryptbot
behavioral1/memory/1724-253-0x0000000000180000-0x0000000000695000-memory.dmp	family_cryptbot
behavioral1/memory/1724-256-0x0000000000180000-0x0000000000695000-memory.dmp	family_cryptbot
behavioral1/memory/1724-258-0x0000000000180000-0x0000000000695000-memory.dmp	family_cryptbot
behavioral1/memory/1724-260-0x0000000000180000-0x0000000000695000-memory.dmp	family_cryptbot
behavioral1/memory/1724-263-0x0000000000180000-0x0000000000695000-memory.dmp	family_cryptbot
behavioral1/memory/1724-265-0x0000000000180000-0x0000000000695000-memory.dmp	family_cryptbot
behavioral1/memory/1724-267-0x0000000000180000-0x0000000000695000-memory.dmp	family_cryptbot
behavioral1/memory/1724-273-0x0000000000180000-0x0000000000695000-memory.dmp	family_cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

0140a745a3d50602f682794dee1d706a_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 0140a745a3d50602f682794dee1d706a_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0140a745a3d50602f682794dee1d706a_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0140a745a3d50602f682794dee1d706a_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0140a745a3d50602f682794dee1d706a_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0140a745a3d50602f682794dee1d706a_JaffaCakes118.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

0140a745a3d50602f682794dee1d706a_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Wine 0140a745a3d50602f682794dee1d706a_JaffaCakes118.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

0140a745a3d50602f682794dee1d706a_JaffaCakes118.exe

pid process

1724 0140a745a3d50602f682794dee1d706a_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Wine	0140a745a3d50602f682794dee1d706a_JaffaCakes118.exe

pid	process
1724	0140a745a3d50602f682794dee1d706a_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0140a745a3d50602f682794dee1d706a_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	0140a745a3d50602f682794dee1d706a_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	0140a745a3d50602f682794dee1d706a_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

0140a745a3d50602f682794dee1d706a_JaffaCakes118.exe

pid process

1724 0140a745a3d50602f682794dee1d706a_JaffaCakes118.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

0140a745a3d50602f682794dee1d706a_JaffaCakes118.exe

pid process

1724 0140a745a3d50602f682794dee1d706a_JaffaCakes118.exe
1724 0140a745a3d50602f682794dee1d706a_JaffaCakes118.exe

pid	process
1724	0140a745a3d50602f682794dee1d706a_JaffaCakes118.exe

pid	process
1724	0140a745a3d50602f682794dee1d706a_JaffaCakes118.exe
1724	0140a745a3d50602f682794dee1d706a_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\0140a745a3d50602f682794dee1d706a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0140a745a3d50602f682794dee1d706a_JaffaCakes118.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1724

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\q6OCF44bEKfN\_Files\_Information.txt
Filesize
3KB

MD5
e5a0e7ec8541588e0b617f1a1362daf8

SHA1
f8af66845f833a69597581d5e0685e8d1eae60a4

SHA256
d49277c358b9aed463fa4d7854851bf0603a08b49a2c520115b207447670d4f7

SHA512
cc3ae9937d690b70351b856694917b3d8f2a7d5fb47985f441094973f7d383d6bbeb4cf04289f8b6abf614f1e34931ee6e799f7516b44de25797a5d83dce24d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\q6OCF44bEKfN\_Files\_Information.txt
Filesize
3KB

MD5
6070f8b47340ab0e25d6fd3d7c84bd51

SHA1
b8fcc814987794fc6ad9bbf58aa340da50f7f0e6

SHA256
1439e1f65826852fda64283430ad9037c527ace18f5be4f1e92987381591b28d

SHA512
87bbd13d74ff042ad651b862180cbc328b12a6deae2cec6749b11763245fdb11cae77d425d5917b9f8f119f1bf5fa6cdd0ea76f5848f5e779f8a37b1556b7d76

Download Submit
C:\Users\Admin\AppData\Local\Temp\q6OCF44bEKfN\_Files\_Information.txt
Filesize
3KB

MD5
c5c60c51688a0e2cefc07fcff2d58884

SHA1
80de51c18b581e646461698792294e7c8afde972

SHA256
212ff932984d6e603cc427e15cfa3162180a98e7531368df488a26f353900daa

SHA512
e09cd857eee48c9ca9287953735ff26b89258eeba20cea9578628ddaf957e9d34973d4c6ce61b661b8eb4a1af781ad31bad8deb4eef4eb4e383836c503a8eda9

Download Submit
C:\Users\Admin\AppData\Local\Temp\q6OCF44bEKfN\_Files\_Information.txt
Filesize
4KB

MD5
393ff1b483f10f1bcc5932ebcea68976

SHA1
8970e4d145c91a156247140117758dac1afa798c

SHA256
b22d6b435b45ddeeeef4665c39172e02e0f2a7c51f890b2d6bace6d0408cbcf5

SHA512
c8cd9fb8ea5602636ebbee19172a95948afec40b815c133c879fbae0486b893800937f2cd812ba27299daa6473ab11fce5be03bcfee05296bc53bb05b8006733

Download Submit
C:\Users\Admin\AppData\Local\Temp\q6OCF44bEKfN\_Files\_Screen_Desktop.jpeg
Filesize
44KB

MD5
84c7dfb79986e06a04b420c67bfbc899

SHA1
5aa7d7bf86ffa1c315c5dd632c67d4e945d1ca1a

SHA256
5be1c0c1dd9a8dcb6691c715c4de8518e0d6791ad332d9fbcd7860b6e7803398

SHA512
b466f1dea46dc2a99ca7e09b1f191e7a58e2a289962d164ee8cb1f3c98b29429b3a8868fb13876f9e3aa6c6491f9ee5d0a5d32578dddc82cf3f473273b188710

Download Submit
C:\Users\Admin\AppData\Local\Temp\q6OCF44bEKfN\files_\system_info.txt
Filesize
1KB

MD5
cefa55efcdda1af5a026a5c01a5466b7

SHA1
fa2402a4dcef36838e34edda5bf59e3870d7b936

SHA256
1223eaff0c29c40a7fde8c6b3d65b9cc66d5a80516e2d9859576eca31e741c85

SHA512
0e957b72fff438d5d1d1d03791db6cd18a72d73e2dae3af2aa0fede20b139090c9e04bc0d611609bacea4d0d0b26a4bab9ce37375281a1c47a89e0a591878473

Download Submit
C:\Users\Admin\AppData\Local\Temp\q6OCF44bEKfN\files_\system_info.txt
Filesize
3KB

MD5
b6ff7a21768f2522a16fd4ba7ba9e6bb

SHA1
67a0f4e457f10a9d445e4de8aff164446653e66c

SHA256
6e95210fb597eb34881108a75607bac753e6bed0d9ba822cda75f7b864a4fdd2

SHA512
437cd1c9805167665c1c48c92ac48c0bc26bd36681f9dbf2fdf50a28af151e621cd4581d42ae944362a864e6c2a8b5c2cee396f7351c963e9251cb7f3e2fd5b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\q6OCF44bEKfN\files_\system_info.txt
Filesize
4KB

MD5
ad9c82be1dfed09234a6afe6b0c64bea

SHA1
aea5902c3a3384df042cb332dcc8aa4154c6eeaa

SHA256
db245f0ef57b5ebd300c40326cfb12a8b232b663ea09aab728ad840e9290bb15

SHA512
5c90d68dda565a6ba9de1c8ebc60983402595068d301d2261b924ae19bc68516e666ffe914fa0723baf3ba5762ebc293ab8c58ba784510d38443e925636232d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\q6OCF44bEKfN\files_\system_info.txt
Filesize
4KB

MD5
44204c7ddad0c3474b9c02e27a3b5810

SHA1
6cd279134740f9fcd96955c54b1c53ef636fa5fc

SHA256
cf0fc92d6837c4dd0c6e134e4f3bb0be7c9ffa0c747904a4b7896672b0814dc9

SHA512
ac9b474c7144e8d073fde846f3f618855766bffeddbe761d9fd9d6975a945066219558edf98a66733a1d34a6c168296aa9355cd660c1d399e4787eefaf95f316

Download Submit
C:\Users\Admin\AppData\Local\Temp\q6OCF44bEKfN\iAsKzjXKsEr8E.zip
Filesize
36KB

MD5
077e88ddf9165734647db18681234bd1

SHA1
09f77a60fcfb77e7d8debc9089a9ecd0c2e11241

SHA256
9c21a6844c24a78eb41a33e51cf569bc52cc14e84dbaa43550142212aafaf285

SHA512
fd8925a5f6f8822d42717ef40f64905ab1e6303edac8fe4654adea0f8618912097552e9c115b804aa561428481041c5d7d496a516485508e94c3366b8d23a4e7

Download Submit
memory/1724-1-0x0000000077920000-0x0000000077922000-memory.dmp

Filesize
8KB

Download
memory/1724-15-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/1724-3-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/1724-4-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/1724-14-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download
memory/1724-13-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/1724-16-0x0000000002BE0000-0x0000000002BE1000-memory.dmp

Filesize
4KB

Download
memory/1724-58-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/1724-56-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/1724-54-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/1724-9-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/1724-8-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/1724-7-0x0000000000180000-0x0000000000695000-memory.dmp

Filesize
5.1MB

Download
memory/1724-5-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/1724-6-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/1724-2-0x0000000002570000-0x0000000002572000-memory.dmp

Filesize
8KB

Download
memory/1724-11-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/1724-10-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/1724-12-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/1724-237-0x0000000000180000-0x0000000000695000-memory.dmp

Filesize
5.1MB

Download
memory/1724-239-0x0000000000180000-0x0000000000695000-memory.dmp

Filesize
5.1MB

Download
memory/1724-240-0x0000000000180000-0x0000000000695000-memory.dmp

Filesize
5.1MB

Download
memory/1724-241-0x0000000002BE0000-0x0000000002BE1000-memory.dmp

Filesize
4KB

Download
memory/1724-0-0x0000000000180000-0x0000000000695000-memory.dmp

Filesize
5.1MB

Download
memory/1724-244-0x0000000000180000-0x0000000000695000-memory.dmp

Filesize
5.1MB

Download
memory/1724-246-0x0000000000180000-0x0000000000695000-memory.dmp

Filesize
5.1MB

Download
memory/1724-249-0x0000000000180000-0x0000000000695000-memory.dmp

Filesize
5.1MB

Download
memory/1724-251-0x0000000000180000-0x0000000000695000-memory.dmp

Filesize
5.1MB

Download
memory/1724-253-0x0000000000180000-0x0000000000695000-memory.dmp

Filesize
5.1MB

Download
memory/1724-256-0x0000000000180000-0x0000000000695000-memory.dmp

Filesize
5.1MB

Download
memory/1724-258-0x0000000000180000-0x0000000000695000-memory.dmp

Filesize
5.1MB

Download
memory/1724-260-0x0000000000180000-0x0000000000695000-memory.dmp

Filesize
5.1MB

Download
memory/1724-263-0x0000000000180000-0x0000000000695000-memory.dmp

Filesize
5.1MB

Download
memory/1724-265-0x0000000000180000-0x0000000000695000-memory.dmp

Filesize
5.1MB

Download
memory/1724-267-0x0000000000180000-0x0000000000695000-memory.dmp

Filesize
5.1MB

Download
memory/1724-273-0x0000000000180000-0x0000000000695000-memory.dmp

Filesize
5.1MB

Download