cryptbot | 010a6069f6885e4a5a67e3e91759e7938a32ab157342d5e51eb168e57b73d7f7

Analysis

max time kernel
144s
max time network
147s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01-05-2024 04:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe
Size

2.0MB
MD5

0b0968b621bce390ddbcffe8cb910837
SHA1

c82603d8a9086cfa8b7de41e74dc5d5203b87b39
SHA256

010a6069f6885e4a5a67e3e91759e7938a32ab157342d5e51eb168e57b73d7f7
SHA512

c81cf7ad2ecfa9223bc7ef30cc59fa8c7e4ccd3916405dd9b1b6079536da948dd92405ecbfcff67655fa8c0f861f7c13dc70328bf3899f7610d747557a77c3b1
SSDEEP

49152:WRnh8X/iBdNckR2Tqe93bRl2lYkT9H4KmEpjppTeCQB783z5hTI2bKf:WRn2PiBPckoOKRl2lPVpzeCM78jbKf

Score

10^/10

cryptbot discovery evasion spyware stealer

Malware Config

Extracted

Family

cryptbot

bibinene01.top

moraass05.top

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 16 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2388-8-0x0000000000F10000-0x0000000001420000-memory.dmp	family_cryptbot
behavioral1/memory/2388-237-0x0000000000F10000-0x0000000001420000-memory.dmp	family_cryptbot
behavioral1/memory/2388-239-0x0000000000F10000-0x0000000001420000-memory.dmp	family_cryptbot
behavioral1/memory/2388-240-0x0000000000F10000-0x0000000001420000-memory.dmp	family_cryptbot
behavioral1/memory/2388-243-0x0000000000F10000-0x0000000001420000-memory.dmp	family_cryptbot
behavioral1/memory/2388-245-0x0000000000F10000-0x0000000001420000-memory.dmp	family_cryptbot
behavioral1/memory/2388-248-0x0000000000F10000-0x0000000001420000-memory.dmp	family_cryptbot
behavioral1/memory/2388-250-0x0000000000F10000-0x0000000001420000-memory.dmp	family_cryptbot
behavioral1/memory/2388-252-0x0000000000F10000-0x0000000001420000-memory.dmp	family_cryptbot
behavioral1/memory/2388-254-0x0000000000F10000-0x0000000001420000-memory.dmp	family_cryptbot
behavioral1/memory/2388-257-0x0000000000F10000-0x0000000001420000-memory.dmp	family_cryptbot
behavioral1/memory/2388-259-0x0000000000F10000-0x0000000001420000-memory.dmp	family_cryptbot
behavioral1/memory/2388-262-0x0000000000F10000-0x0000000001420000-memory.dmp	family_cryptbot
behavioral1/memory/2388-264-0x0000000000F10000-0x0000000001420000-memory.dmp	family_cryptbot
behavioral1/memory/2388-266-0x0000000000F10000-0x0000000001420000-memory.dmp	family_cryptbot
behavioral1/memory/2388-268-0x0000000000F10000-0x0000000001420000-memory.dmp	family_cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Wine 0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe

pid process

2388 0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Wine	0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe

pid	process
2388	0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe

pid process

2388 0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe

pid process

2388 0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe
2388 0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe

pid	process
2388	0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe

pid	process
2388	0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe
2388	0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2388

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HQWwxCL460B\_Files\_Information.txt
Filesize
8KB

MD5
eedb15997b4de4bc2077844f5d89206c

SHA1
5533edfbe60caf31384bdb16b32b070ddf8cf977

SHA256
cfd01d110735d4aeedfd04f6da4e59b5cab1d714955f16dd45dddad7afbd2594

SHA512
5b8f3788052db414ed4aee79db83216d238e99576e4c5323de88e0e015e9b968f4170e3c1a55315b5159e7ff439da12ca2eafb97a4327f509996855b90aea09b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HQWwxCL460B\_Files\_Screen_Desktop.jpeg
Filesize
40KB

MD5
acdfd5ab39830430feaa6a00ed09b29d

SHA1
2318018d4c35a3de2099e4ca409045f7a5131d54

SHA256
7c235c4295db59bfa5cd646f3e8ccfce96099c4b133dd65a3f3c4ad4002e07b7

SHA512
63d19859eee5b33a3482cb1f2a136ab05c46e5f671157633400df470e571ad1f672f841ca561736fb8d9e00211525a716f908921c5a4fb891a993ae9d51a7fa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\HQWwxCL460B\files_\system_info.txt
Filesize
8KB

MD5
fabeeeaf246c6a32db9ed2b53eab9b99

SHA1
b87f1da62eef223b53ad02e6b77f37124f5253cc

SHA256
3e6611af75defbd1838dc5c153eca57399764f77c63d0b300379ce5fd484b514

SHA512
a0d7031d19353cad7d4a5ee8a26cac5c0f6c1e11c37bc2966ec683f57194fe5e35b2457d2a6035c032b7da38de720b10d6271771a4173d498e73fe40e4c5d391

Download Submit
C:\Users\Admin\AppData\Local\Temp\HQWwxCL460B\qmGBmBWbLF.zip
Filesize
32KB

MD5
85af5f3b5e86a895a85f661b8ab9a43e

SHA1
368ae3f4dcbb2cbea89b548543ec39e7188174d0

SHA256
7186508473daaa35ba28bf5fa00cc0e6584d1bbaeb12ee9a503f87dbcc2e75af

SHA512
31aed5f66dd6a990526b8c6ba2821c6c9fe443231f10d2a793acce834ce2b56f1c647633f83ec03acb2f352003861954e5d305f90a32c4b0766e0ed8c828e70d

Download Submit
memory/2388-127-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/2388-7-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/2388-0-0x0000000000F10000-0x0000000001420000-memory.dmp

Filesize
5.1MB

Download
memory/2388-3-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/2388-8-0x0000000000F10000-0x0000000001420000-memory.dmp

Filesize
5.1MB

Download
memory/2388-13-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

Filesize
4KB

Download
memory/2388-12-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/2388-11-0x0000000000E50000-0x0000000000E51000-memory.dmp

Filesize
4KB

Download
memory/2388-10-0x0000000002850000-0x0000000002851000-memory.dmp

Filesize
4KB

Download
memory/2388-9-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/2388-17-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/2388-16-0x0000000002970000-0x0000000002971000-memory.dmp

Filesize
4KB

Download
memory/2388-15-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download
memory/2388-14-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/2388-18-0x00000000029E0000-0x00000000029E1000-memory.dmp

Filesize
4KB

Download
memory/2388-4-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/2388-6-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/2388-2-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/2388-5-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/2388-237-0x0000000000F10000-0x0000000001420000-memory.dmp

Filesize
5.1MB

Download
memory/2388-239-0x0000000000F10000-0x0000000001420000-memory.dmp

Filesize
5.1MB

Download
memory/2388-240-0x0000000000F10000-0x0000000001420000-memory.dmp

Filesize
5.1MB

Download
memory/2388-241-0x00000000029E0000-0x00000000029E1000-memory.dmp

Filesize
4KB

Download
memory/2388-1-0x0000000077720000-0x0000000077722000-memory.dmp

Filesize
8KB

Download
memory/2388-243-0x0000000000F10000-0x0000000001420000-memory.dmp

Filesize
5.1MB

Download
memory/2388-245-0x0000000000F10000-0x0000000001420000-memory.dmp

Filesize
5.1MB

Download
memory/2388-248-0x0000000000F10000-0x0000000001420000-memory.dmp

Filesize
5.1MB

Download
memory/2388-250-0x0000000000F10000-0x0000000001420000-memory.dmp

Filesize
5.1MB

Download
memory/2388-252-0x0000000000F10000-0x0000000001420000-memory.dmp

Filesize
5.1MB

Download
memory/2388-254-0x0000000000F10000-0x0000000001420000-memory.dmp

Filesize
5.1MB

Download
memory/2388-257-0x0000000000F10000-0x0000000001420000-memory.dmp

Filesize
5.1MB

Download
memory/2388-259-0x0000000000F10000-0x0000000001420000-memory.dmp

Filesize
5.1MB

Download
memory/2388-262-0x0000000000F10000-0x0000000001420000-memory.dmp

Filesize
5.1MB

Download
memory/2388-264-0x0000000000F10000-0x0000000001420000-memory.dmp

Filesize
5.1MB

Download
memory/2388-266-0x0000000000F10000-0x0000000001420000-memory.dmp

Filesize
5.1MB

Download
memory/2388-268-0x0000000000F10000-0x0000000001420000-memory.dmp

Filesize
5.1MB

Download