cryptbot | e310096e361a558c51ff56f42c2639aba9027c02030888604e0f1c51afb06573

Analysis

max time kernel
145s
max time network
148s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
30-04-2024 01:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08b6bafe40b9d0a5a3663567dfaf67fe_JaffaCakes118.exe
Size

2.1MB
MD5

08b6bafe40b9d0a5a3663567dfaf67fe
SHA1

b1496d662a9178fa6cdba42d3639ccb148b3d015
SHA256

e310096e361a558c51ff56f42c2639aba9027c02030888604e0f1c51afb06573
SHA512

27e38e1ef087bc543c51bf3fad3f4e3ada0297ecedac988d60e677fd813669cc64b1c950e9cbdce4e69a3158554f9e5d63c5e16755c042b7d2fe283bd0f00b59
SSDEEP

49152:64HN7MMqMf8Rr2a7NlwifjNeYq2aTe2PuC:6y7MMwJvvLoRjrP

Score

10^/10

cryptbot discovery evasion spyware stealer

Malware Config

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

08b6bafe40b9d0a5a3663567dfaf67fe_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 08b6bafe40b9d0a5a3663567dfaf67fe_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	08b6bafe40b9d0a5a3663567dfaf67fe_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

08b6bafe40b9d0a5a3663567dfaf67fe_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	08b6bafe40b9d0a5a3663567dfaf67fe_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	08b6bafe40b9d0a5a3663567dfaf67fe_JaffaCakes118.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

08b6bafe40b9d0a5a3663567dfaf67fe_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Wine 08b6bafe40b9d0a5a3663567dfaf67fe_JaffaCakes118.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

08b6bafe40b9d0a5a3663567dfaf67fe_JaffaCakes118.exe

pid process

2000 08b6bafe40b9d0a5a3663567dfaf67fe_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Wine	08b6bafe40b9d0a5a3663567dfaf67fe_JaffaCakes118.exe

flow	ioc
3	ip-api.com

pid	process
2000	08b6bafe40b9d0a5a3663567dfaf67fe_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

08b6bafe40b9d0a5a3663567dfaf67fe_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	08b6bafe40b9d0a5a3663567dfaf67fe_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	08b6bafe40b9d0a5a3663567dfaf67fe_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

08b6bafe40b9d0a5a3663567dfaf67fe_JaffaCakes118.exe

pid process

2000 08b6bafe40b9d0a5a3663567dfaf67fe_JaffaCakes118.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

08b6bafe40b9d0a5a3663567dfaf67fe_JaffaCakes118.exe

pid process

2000 08b6bafe40b9d0a5a3663567dfaf67fe_JaffaCakes118.exe

pid	process
2000	08b6bafe40b9d0a5a3663567dfaf67fe_JaffaCakes118.exe

pid	process
2000	08b6bafe40b9d0a5a3663567dfaf67fe_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\08b6bafe40b9d0a5a3663567dfaf67fe_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\08b6bafe40b9d0a5a3663567dfaf67fe_JaffaCakes118.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2000

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ykcegZarCpDg\172773668.txt
Filesize
156B

MD5
b5089e0c5a3d5377e9bd19c0557ef04e

SHA1
9402e326be3d240e234c06892b15c24e93c93eb8

SHA256
d77789b2c49759c882f4fdd6f53e665b0d012f8f0949d0150eaba47fbf2a0eb5

SHA512
942349ccb99854f274ef1e20b623660588e15bd0d25bfc817fe9b2d010db656af340652e0e67b41edbf0cf259d55ab880d6b50acb1d7e8ab394f1393f7956c13

Download Submit
C:\ProgramData\ykcegZarCpDg\Files\Browsers\_FileCC.txt
Filesize
3B

MD5
ecaa88f7fa0bf610a5a26cf545dcd3aa

SHA1
57218c316b6921e2cd61027a2387edc31a2d9471

SHA256
f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5

SHA512
37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5

Download Submit
C:\ProgramData\ykcegZarCpDg\evgvPigojyN.zip
Filesize
40KB

MD5
b77b3ea6784539b1516e264e17f12e6e

SHA1
9b6c7758018f4d9b1e68fe3ca04f759df1f641e5

SHA256
89a5c23e8183e9fca6f50cc931170ff3882b9b739cfaf46ef02dfc558b35f546

SHA512
4d8ccf41f7c99366ecb8107f6d40e5c547aa9e206d06f4d035775f78bd1eb064d39699a8d2f1c987448361143df74508ec27dd0702dfb24a7f03dae271386f87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebDataCopy
Filesize
92KB

MD5
18e04095708297d6889a6962f81e8d8f

SHA1
9a25645db1da0217092c06579599b04982192124

SHA256
4ed16c019fe50bb4ab1c9dcedf0e52f93454b5dbaf18615d60761e7927b69fb7

SHA512
45ec57bddeeb8bca05babcf8da83bf9db630819b23076a1cf79f2e54b3e88e14cd7db650332554026ab5e8634061dd699f322bcba6683765063e67ac47ea1caf

Download Submit
memory/2000-11-0x0000000004470000-0x0000000004471000-memory.dmp

Filesize
4KB

Download
memory/2000-7-0x0000000000400000-0x00000000008FF000-memory.dmp

Filesize
5.0MB

Download
memory/2000-5-0x00000000043E0000-0x00000000043E1000-memory.dmp

Filesize
4KB

Download
memory/2000-6-0x0000000004410000-0x0000000004411000-memory.dmp

Filesize
4KB

Download
memory/2000-13-0x0000000004500000-0x0000000004501000-memory.dmp

Filesize
4KB

Download
memory/2000-12-0x0000000004460000-0x0000000004461000-memory.dmp

Filesize
4KB

Download
memory/2000-0-0x0000000000400000-0x00000000008FF000-memory.dmp

Filesize
5.0MB

Download
memory/2000-10-0x00000000043F0000-0x00000000043F1000-memory.dmp

Filesize
4KB

Download
memory/2000-9-0x0000000004480000-0x0000000004481000-memory.dmp

Filesize
4KB

Download
memory/2000-8-0x00000000044B0000-0x00000000044B1000-memory.dmp

Filesize
4KB

Download
memory/2000-4-0x00000000044E0000-0x00000000044E1000-memory.dmp

Filesize
4KB

Download
memory/2000-53-0x0000000004490000-0x0000000004491000-memory.dmp

Filesize
4KB

Download
memory/2000-52-0x0000000004440000-0x0000000004441000-memory.dmp

Filesize
4KB

Download
memory/2000-51-0x00000000044A0000-0x00000000044A1000-memory.dmp

Filesize
4KB

Download
memory/2000-50-0x0000000004430000-0x0000000004431000-memory.dmp

Filesize
4KB

Download
memory/2000-49-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/2000-2-0x0000000004450000-0x0000000004452000-memory.dmp

Filesize
8KB

Download
memory/2000-168-0x00000000044F0000-0x00000000044F1000-memory.dmp

Filesize
4KB

Download
memory/2000-3-0x00000000044D0000-0x00000000044D1000-memory.dmp

Filesize
4KB

Download
memory/2000-174-0x0000000004420000-0x0000000004421000-memory.dmp

Filesize
4KB

Download
memory/2000-181-0x0000000000400000-0x00000000008FF000-memory.dmp

Filesize
5.0MB

Download
memory/2000-182-0x0000000000400000-0x00000000008FF000-memory.dmp

Filesize
5.0MB

Download
memory/2000-184-0x0000000000400000-0x00000000008FF000-memory.dmp

Filesize
5.0MB

Download
memory/2000-1-0x0000000077D70000-0x0000000077D72000-memory.dmp

Filesize
8KB

Download
memory/2000-186-0x0000000000400000-0x00000000008FF000-memory.dmp

Filesize
5.0MB

Download
memory/2000-188-0x0000000000400000-0x00000000008FF000-memory.dmp

Filesize
5.0MB

Download
memory/2000-191-0x0000000000400000-0x00000000008FF000-memory.dmp

Filesize
5.0MB

Download
memory/2000-193-0x0000000000400000-0x00000000008FF000-memory.dmp

Filesize
5.0MB

Download
memory/2000-195-0x0000000000400000-0x00000000008FF000-memory.dmp

Filesize
5.0MB

Download
memory/2000-197-0x0000000000400000-0x00000000008FF000-memory.dmp

Filesize
5.0MB

Download
memory/2000-200-0x0000000000400000-0x00000000008FF000-memory.dmp

Filesize
5.0MB

Download
memory/2000-202-0x0000000000400000-0x00000000008FF000-memory.dmp

Filesize
5.0MB

Download
memory/2000-204-0x0000000000400000-0x00000000008FF000-memory.dmp

Filesize
5.0MB

Download
memory/2000-206-0x0000000000400000-0x00000000008FF000-memory.dmp

Filesize
5.0MB

Download
memory/2000-209-0x0000000000400000-0x00000000008FF000-memory.dmp

Filesize
5.0MB

Download
memory/2000-211-0x0000000000400000-0x00000000008FF000-memory.dmp

Filesize
5.0MB

Download