cryptbot | 010a6069f6885e4a5a67e3e91759e7938a32ab157342d5e51eb168e57b73d7f7

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
01-05-2024 04:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe
Size

2.0MB
MD5

0b0968b621bce390ddbcffe8cb910837
SHA1

c82603d8a9086cfa8b7de41e74dc5d5203b87b39
SHA256

010a6069f6885e4a5a67e3e91759e7938a32ab157342d5e51eb168e57b73d7f7
SHA512

c81cf7ad2ecfa9223bc7ef30cc59fa8c7e4ccd3916405dd9b1b6079536da948dd92405ecbfcff67655fa8c0f861f7c13dc70328bf3899f7610d747557a77c3b1
SSDEEP

49152:WRnh8X/iBdNckR2Tqe93bRl2lYkT9H4KmEpjppTeCQB783z5hTI2bKf:WRn2PiBPckoOKRl2lPVpzeCM78jbKf

Score

10^/10

cryptbot discovery evasion spyware stealer

Malware Config

Extracted

Family

cryptbot

bibinene01.top

moraass05.top

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 17 IoCs

Processes:

resource	yara_rule
behavioral2/memory/384-5-0x0000000000D90000-0x00000000012A0000-memory.dmp	family_cryptbot
behavioral2/memory/384-224-0x0000000000D90000-0x00000000012A0000-memory.dmp	family_cryptbot
behavioral2/memory/384-225-0x0000000000D90000-0x00000000012A0000-memory.dmp	family_cryptbot
behavioral2/memory/384-226-0x0000000000D90000-0x00000000012A0000-memory.dmp	family_cryptbot
behavioral2/memory/384-227-0x0000000000D90000-0x00000000012A0000-memory.dmp	family_cryptbot
behavioral2/memory/384-229-0x0000000000D90000-0x00000000012A0000-memory.dmp	family_cryptbot
behavioral2/memory/384-231-0x0000000000D90000-0x00000000012A0000-memory.dmp	family_cryptbot
behavioral2/memory/384-234-0x0000000000D90000-0x00000000012A0000-memory.dmp	family_cryptbot
behavioral2/memory/384-235-0x0000000000D90000-0x00000000012A0000-memory.dmp	family_cryptbot
behavioral2/memory/384-237-0x0000000000D90000-0x00000000012A0000-memory.dmp	family_cryptbot
behavioral2/memory/384-238-0x0000000000D90000-0x00000000012A0000-memory.dmp	family_cryptbot
behavioral2/memory/384-240-0x0000000000D90000-0x00000000012A0000-memory.dmp	family_cryptbot
behavioral2/memory/384-241-0x0000000000D90000-0x00000000012A0000-memory.dmp	family_cryptbot
behavioral2/memory/384-243-0x0000000000D90000-0x00000000012A0000-memory.dmp	family_cryptbot
behavioral2/memory/384-244-0x0000000000D90000-0x00000000012A0000-memory.dmp	family_cryptbot
behavioral2/memory/384-246-0x0000000000D90000-0x00000000012A0000-memory.dmp	family_cryptbot
behavioral2/memory/384-247-0x0000000000D90000-0x00000000012A0000-memory.dmp	family_cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Software\Wine 0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe

pid process

384 0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Software\Wine	0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe

pid	process
384	0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe

pid process

384 0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe
384 0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe

pid process

384 0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe
384 0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe

pid	process
384	0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe
384	0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe

pid	process
384	0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe
384	0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:384

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HQWwxCL460B\_Files\_Information.txt
Filesize
2KB

MD5
024c98e3233abeb2743d059e14733fe9

SHA1
103da09a65cf0d6b5d098fc0873b9b861a680f5f

SHA256
bd51825bc02daf3ba346393cf0c973c476c6e5a2aea8b8f0a89ca3a5eada0196

SHA512
1869a0d4dbf3ef1b84b56690a9d39cd221135f1d5b91d36c8cc5b07117cd28823f87d0b7c3af9e2e7a3f612d1ccdd3075106a03be9560c69cc75bfdfd7eb7619

Download Submit
C:\Users\Admin\AppData\Local\Temp\HQWwxCL460B\_Files\_Information.txt
Filesize
4KB

MD5
5c8b0ffd5773ef327ebe0c0fd1eeaf0f

SHA1
57ef25eb29c289b35babf23272fbbefd7487c057

SHA256
916d37c25ae4b96ae90b4bf81cc1327c0b2f4a0420b7f367180cd9fdc5744ce5

SHA512
a187b57380f46ab3680691c47a0f711e75dce770eefcf74f34aa1837d7413010930ce7de173082219b01123468c735970631d7a20c84a06d17b01ffaa32895e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\HQWwxCL460B\_Files\_Screen_Desktop.jpeg
Filesize
49KB

MD5
f20a3e74899cdf80f9f022905c983366

SHA1
3454ff627e1d0570fb24ba25bfefc367ae0bdad0

SHA256
6ebd408829a3d4fb79e60970837f0ec57c3128738dd106b05445169cc7905a26

SHA512
f66747532f3bfa2498e8657eb69e180c7574a9a7d074237c2c965f25c7b71c803aeb30b554907604091d890530f7e0bd4cd62479f956eebec962c7c516db2dc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\HQWwxCL460B\files_\system_info.txt
Filesize
746B

MD5
a5d9e3966ea37363c17f52b505bfe955

SHA1
5fc83a8eb75193ad2180f1698ea51e4a9139032b

SHA256
c86399c1834e11c237a7107a95a899d2e799ce152e29b51faaa57c738306e1c2

SHA512
5be3c4a1698f5dd67fad34c9e0220cd600fdd22f706ded376ed74ec3ee25ee702c2b373e5dbfdd8002a1c954243cfeb995f918f6373126007dda46028efce942

Download Submit
C:\Users\Admin\AppData\Local\Temp\HQWwxCL460B\files_\system_info.txt
Filesize
7KB

MD5
bb7c4c8b5cf795930eccb8f05b9b2506

SHA1
275a88d9294c87296717bac944d983cfcd72aba4

SHA256
3a49f8b7e228dc7ebd756e819e544f4c0b296604646494f4b353f85e069145ae

SHA512
52c3adfa5cb318d713f0d3378784c1cad8660c62bb8d0d4e66d7688356f4a9ffbbc5729441215da4cca464c585793fd68cae250639260c70ac2b659a2899ff3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\HQWwxCL460B\qmGBmBWbLF.zip
Filesize
43KB

MD5
5e77feb9b2f4d5b9397efb96ae9b86f7

SHA1
f4dc0ff573d133e86777833e03cec7a10789935e

SHA256
cd408b7bd6342321434e0201544ac7f41b661d249e63d8e3094b3ceb456a8028

SHA512
a86247d556454a47b029a3b97f5876a947b210368543d648fe4e0bb2dea6552ac766182aef24bcaa090184bfcd2c8e86a2e2f7e382eff08eb23c6cd5394d8c5d

Download Submit
memory/384-224-0x0000000000D90000-0x00000000012A0000-memory.dmp

Filesize
5.1MB

Download
memory/384-227-0x0000000000D90000-0x00000000012A0000-memory.dmp

Filesize
5.1MB

Download
memory/384-6-0x00000000052F0000-0x00000000052F1000-memory.dmp

Filesize
4KB

Download
memory/384-10-0x0000000005360000-0x0000000005361000-memory.dmp

Filesize
4KB

Download
memory/384-9-0x0000000005350000-0x0000000005351000-memory.dmp

Filesize
4KB

Download
memory/384-8-0x00000000052E0000-0x00000000052E1000-memory.dmp

Filesize
4KB

Download
memory/384-5-0x0000000000D90000-0x00000000012A0000-memory.dmp

Filesize
5.1MB

Download
memory/384-2-0x0000000005310000-0x0000000005311000-memory.dmp

Filesize
4KB

Download
memory/384-3-0x0000000005330000-0x0000000005331000-memory.dmp

Filesize
4KB

Download
memory/384-4-0x0000000005320000-0x0000000005321000-memory.dmp

Filesize
4KB

Download
memory/384-0-0x0000000000D90000-0x00000000012A0000-memory.dmp

Filesize
5.1MB

Download
memory/384-225-0x0000000000D90000-0x00000000012A0000-memory.dmp

Filesize
5.1MB

Download
memory/384-226-0x0000000000D90000-0x00000000012A0000-memory.dmp

Filesize
5.1MB

Download
memory/384-7-0x0000000005340000-0x0000000005341000-memory.dmp

Filesize
4KB

Download
memory/384-229-0x0000000000D90000-0x00000000012A0000-memory.dmp

Filesize
5.1MB

Download
memory/384-231-0x0000000000D90000-0x00000000012A0000-memory.dmp

Filesize
5.1MB

Download
memory/384-1-0x00000000775B4000-0x00000000775B6000-memory.dmp

Filesize
8KB

Download
memory/384-234-0x0000000000D90000-0x00000000012A0000-memory.dmp

Filesize
5.1MB

Download
memory/384-235-0x0000000000D90000-0x00000000012A0000-memory.dmp

Filesize
5.1MB

Download
memory/384-237-0x0000000000D90000-0x00000000012A0000-memory.dmp

Filesize
5.1MB

Download
memory/384-238-0x0000000000D90000-0x00000000012A0000-memory.dmp

Filesize
5.1MB

Download
memory/384-240-0x0000000000D90000-0x00000000012A0000-memory.dmp

Filesize
5.1MB

Download
memory/384-241-0x0000000000D90000-0x00000000012A0000-memory.dmp

Filesize
5.1MB

Download
memory/384-243-0x0000000000D90000-0x00000000012A0000-memory.dmp

Filesize
5.1MB

Download
memory/384-244-0x0000000000D90000-0x00000000012A0000-memory.dmp

Filesize
5.1MB

Download
memory/384-246-0x0000000000D90000-0x00000000012A0000-memory.dmp

Filesize
5.1MB

Download
memory/384-247-0x0000000000D90000-0x00000000012A0000-memory.dmp

Filesize
5.1MB

Download