cryptbot | ee5b09954a950e20e33ce451943a8c5175952debebc38e9e2ef936919024ac0d

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26-04-2024 17:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0140a745a3d50602f682794dee1d706a_JaffaCakes118.exe
Size

2.1MB
MD5

0140a745a3d50602f682794dee1d706a
SHA1

92e80b0de3d4e7a2f26269324c7fc1018d066fdf
SHA256

ee5b09954a950e20e33ce451943a8c5175952debebc38e9e2ef936919024ac0d
SHA512

41d6b17efc1cbec2433feb2dd0b39bf51c16f6c2cc384ce975b3d44c4286f8c00caa9209360eb656221ef6b67dc867ddd5b1f81bd71869fdefdaac15058ae4f7
SSDEEP

49152:ysUNRFq5IlO39JyC1lgRlX2S3aTYg0dB8nrDpH:yZdqEONJz16vmS3lg5N

Score

10^/10

cryptbot discovery evasion spyware stealer

Malware Config

Extracted

Family

cryptbot

bibinene03.top

moraass05.top

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 17 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3076-6-0x0000000000340000-0x0000000000855000-memory.dmp	family_cryptbot
behavioral2/memory/3076-12-0x0000000000340000-0x0000000000855000-memory.dmp	family_cryptbot
behavioral2/memory/3076-219-0x0000000000340000-0x0000000000855000-memory.dmp	family_cryptbot
behavioral2/memory/3076-221-0x0000000000340000-0x0000000000855000-memory.dmp	family_cryptbot
behavioral2/memory/3076-222-0x0000000000340000-0x0000000000855000-memory.dmp	family_cryptbot
behavioral2/memory/3076-225-0x0000000000340000-0x0000000000855000-memory.dmp	family_cryptbot
behavioral2/memory/3076-227-0x0000000000340000-0x0000000000855000-memory.dmp	family_cryptbot
behavioral2/memory/3076-231-0x0000000000340000-0x0000000000855000-memory.dmp	family_cryptbot
behavioral2/memory/3076-234-0x0000000000340000-0x0000000000855000-memory.dmp	family_cryptbot
behavioral2/memory/3076-236-0x0000000000340000-0x0000000000855000-memory.dmp	family_cryptbot
behavioral2/memory/3076-239-0x0000000000340000-0x0000000000855000-memory.dmp	family_cryptbot
behavioral2/memory/3076-242-0x0000000000340000-0x0000000000855000-memory.dmp	family_cryptbot
behavioral2/memory/3076-245-0x0000000000340000-0x0000000000855000-memory.dmp	family_cryptbot
behavioral2/memory/3076-248-0x0000000000340000-0x0000000000855000-memory.dmp	family_cryptbot
behavioral2/memory/3076-253-0x0000000000340000-0x0000000000855000-memory.dmp	family_cryptbot
behavioral2/memory/3076-256-0x0000000000340000-0x0000000000855000-memory.dmp	family_cryptbot
behavioral2/memory/3076-259-0x0000000000340000-0x0000000000855000-memory.dmp	family_cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

0140a745a3d50602f682794dee1d706a_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 0140a745a3d50602f682794dee1d706a_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0140a745a3d50602f682794dee1d706a_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0140a745a3d50602f682794dee1d706a_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0140a745a3d50602f682794dee1d706a_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0140a745a3d50602f682794dee1d706a_JaffaCakes118.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

0140a745a3d50602f682794dee1d706a_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine 0140a745a3d50602f682794dee1d706a_JaffaCakes118.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

0140a745a3d50602f682794dee1d706a_JaffaCakes118.exe

pid process

3076 0140a745a3d50602f682794dee1d706a_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine	0140a745a3d50602f682794dee1d706a_JaffaCakes118.exe

pid	process
3076	0140a745a3d50602f682794dee1d706a_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0140a745a3d50602f682794dee1d706a_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	0140a745a3d50602f682794dee1d706a_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	0140a745a3d50602f682794dee1d706a_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

0140a745a3d50602f682794dee1d706a_JaffaCakes118.exe

pid process

3076 0140a745a3d50602f682794dee1d706a_JaffaCakes118.exe
3076 0140a745a3d50602f682794dee1d706a_JaffaCakes118.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

0140a745a3d50602f682794dee1d706a_JaffaCakes118.exe

pid process

3076 0140a745a3d50602f682794dee1d706a_JaffaCakes118.exe
3076 0140a745a3d50602f682794dee1d706a_JaffaCakes118.exe

pid	process
3076	0140a745a3d50602f682794dee1d706a_JaffaCakes118.exe
3076	0140a745a3d50602f682794dee1d706a_JaffaCakes118.exe

pid	process
3076	0140a745a3d50602f682794dee1d706a_JaffaCakes118.exe
3076	0140a745a3d50602f682794dee1d706a_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\0140a745a3d50602f682794dee1d706a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0140a745a3d50602f682794dee1d706a_JaffaCakes118.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:3076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4044 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
1⤵
PID:4380

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DcWcpgoRr2\_Files\_Information.txt
Filesize
1KB

MD5
2ccdcf5bd1f656c5d9ee67c8ac1edba5

SHA1
a877bd70f7f2ec9840048ee36c0d931db48cb466

SHA256
fa14c0d6d16b3afc2244a5cd34f3f4debf7921d4c9be0fa16508df6572e3a86f

SHA512
5fff9da8980ded8bd1f7c8e5eda9e596fcf3158a989f34f9f5e956d6a478101d68ee32cb2c3f644dd97006d603ab6e6c33029be06b70583f47ae1818a3693382

Download Submit
C:\Users\Admin\AppData\Local\Temp\DcWcpgoRr2\_Files\_Information.txt
Filesize
7KB

MD5
66c23857940ccf433991e38f443b3ba7

SHA1
8ad12017596c467c5eb20d1cb377a1738c753bbc

SHA256
4b76912634fa9c8e37258cf4fccb4a3b14389e94574545e8c83a01a5c245bb98

SHA512
8686b83d631644d34ac6d9bf0a37fae2113045b47767755073cb31a4231ea0fe3605f1bb4a5ba54225d81e4f787cfe9fb54975dcd471066eb41394c56d077ba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DcWcpgoRr2\_Files\_Screen_Desktop.jpeg
Filesize
46KB

MD5
70c111759b5d3ae00a1c353a55ad95b6

SHA1
e3a22cd9e7c39050b8073d4d696cd3297aee58c0

SHA256
a39b00d08959ac47097b4b692c8d04daf2e5c9c5e4cf2388481ede673f2d7347

SHA512
6195536c41359c4373c1160d26837995d7a7f9d2ccefe933a2a7926b85aa9acad58f505fa959b76d1f07b78dcd97cc30690fa6d5d70be34a0f3bdd6da740d40c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DcWcpgoRr2\cR5NBBUR.zip
Filesize
40KB

MD5
386dde9b933b4db0de73d4188f49a9d8

SHA1
6567988f54de06ea1f1205230d7dbc30615249d9

SHA256
0429a67f8e47f9cf3fbc451a21aa7107871d2a5f589f7acacd815f01e6635c53

SHA512
c868759cb739312b5fd9914af704621662340664c9804798c86bf71a4f4f016a038c3f495e7646cc6d25a02614a66f5b02293f591e3f417c036adfab8b8b4aeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DcWcpgoRr2\files_\system_info.txt
Filesize
7KB

MD5
f2c677f96393e64e8b79a6c60ca1d8be

SHA1
a1521b0124c81c6524a8e324594db1ae967a9974

SHA256
293257c809d6df1512f4dab2ef84345a6b439be3662408b3d3afeec0a6f59887

SHA512
f39ec99521e78bff569ea233b7a629573e780a1a7d8d6b5bbbc6c9694957595531497acf6506d59651b6df14c628e4e6a9e0cdd43a3445472e4c695569197006

Download Submit
C:\Users\Admin\AppData\Local\Temp\DcWcpgoRr2\files_\system_info.txt
Filesize
7KB

MD5
386857fe1e17032ea9eb7bd00970fbf3

SHA1
6e6ccf08359db7c532ab798b9159298887bab716

SHA256
9d7a7c332939f27ec40f7ce8cbc4d5ebb32a6d2bd6eb853f9510cff0c65dc992

SHA512
df1fac4380f044a626cb5150742901c7ddabc9e77cf3332967e4b7f681cb078802386fe1c82027f453ca56e9c1c5fc1f25ab62213cd6d455b4e3bd7f48777597

Download Submit
C:\Users\Admin\AppData\Local\Temp\DcWcpgoRr2\kMZDweuQN0cJ1.zip
Filesize
40KB

MD5
fc5f1fe4e3c99cb0a58dcd224b59d174

SHA1
5d78aed00b07bce001d08e81eabf7b4aa598525d

SHA256
7781acdbddd9a78075b0adb36218f408c7e0d41021844f680822cfc244876c68

SHA512
aaf2e7fbbad848a688cd37e4fdf0b59e2efba0eb4e38cbc1b3e3ef7c6d4df8f040623ca08ab0eb4f2124696a2a9124c7736f58688b391ff923af65eaa97b6d3c

Download Submit
memory/3076-7-0x0000000005390000-0x0000000005391000-memory.dmp

Filesize
4KB

Download
memory/3076-3-0x00000000053C0000-0x00000000053C1000-memory.dmp

Filesize
4KB

Download
memory/3076-0-0x0000000000340000-0x0000000000855000-memory.dmp

Filesize
5.1MB

Download
memory/3076-10-0x0000000005400000-0x0000000005401000-memory.dmp

Filesize
4KB

Download
memory/3076-11-0x0000000005410000-0x0000000005411000-memory.dmp

Filesize
4KB

Download
memory/3076-12-0x0000000000340000-0x0000000000855000-memory.dmp

Filesize
5.1MB

Download
memory/3076-20-0x00000000053A0000-0x00000000053A1000-memory.dmp

Filesize
4KB

Download
memory/3076-9-0x0000000005380000-0x0000000005381000-memory.dmp

Filesize
4KB

Download
memory/3076-6-0x0000000000340000-0x0000000000855000-memory.dmp

Filesize
5.1MB

Download
memory/3076-5-0x00000000053D0000-0x00000000053D1000-memory.dmp

Filesize
4KB

Download
memory/3076-2-0x00000000053B0000-0x00000000053B1000-memory.dmp

Filesize
4KB

Download
memory/3076-4-0x00000000053E0000-0x00000000053E1000-memory.dmp

Filesize
4KB

Download
memory/3076-219-0x0000000000340000-0x0000000000855000-memory.dmp

Filesize
5.1MB

Download
memory/3076-221-0x0000000000340000-0x0000000000855000-memory.dmp

Filesize
5.1MB

Download
memory/3076-222-0x0000000000340000-0x0000000000855000-memory.dmp

Filesize
5.1MB

Download
memory/3076-8-0x00000000053F0000-0x00000000053F1000-memory.dmp

Filesize
4KB

Download
memory/3076-225-0x0000000000340000-0x0000000000855000-memory.dmp

Filesize
5.1MB

Download
memory/3076-227-0x0000000000340000-0x0000000000855000-memory.dmp

Filesize
5.1MB

Download
memory/3076-231-0x0000000000340000-0x0000000000855000-memory.dmp

Filesize
5.1MB

Download
memory/3076-234-0x0000000000340000-0x0000000000855000-memory.dmp

Filesize
5.1MB

Download
memory/3076-236-0x0000000000340000-0x0000000000855000-memory.dmp

Filesize
5.1MB

Download
memory/3076-239-0x0000000000340000-0x0000000000855000-memory.dmp

Filesize
5.1MB

Download
memory/3076-242-0x0000000000340000-0x0000000000855000-memory.dmp

Filesize
5.1MB

Download
memory/3076-245-0x0000000000340000-0x0000000000855000-memory.dmp

Filesize
5.1MB

Download
memory/3076-248-0x0000000000340000-0x0000000000855000-memory.dmp

Filesize
5.1MB

Download
memory/3076-253-0x0000000000340000-0x0000000000855000-memory.dmp

Filesize
5.1MB

Download
memory/3076-256-0x0000000000340000-0x0000000000855000-memory.dmp

Filesize
5.1MB

Download
memory/3076-1-0x0000000077954000-0x0000000077956000-memory.dmp

Filesize
8KB

Download
memory/3076-259-0x0000000000340000-0x0000000000855000-memory.dmp

Filesize
5.1MB

Download