cryptbot | 9a1d6cabb8a80b1ff7ac31d8c01f3522ca64860a8b9816eda57d44d7e994ec5a

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04-05-2024 16:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13842292b894939dabc62c2370c0094c_JaffaCakes118.exe
Size

4.2MB
MD5

13842292b894939dabc62c2370c0094c
SHA1

405bfa3788bcf6fbab169e90442134f4e9bedeb9
SHA256

9a1d6cabb8a80b1ff7ac31d8c01f3522ca64860a8b9816eda57d44d7e994ec5a
SHA512

6e77bea261b8100d2288f8ee8f13fef033a2dc3a8d45d4198fe955bec63b82e66d6f1d542b3767e498188251d951825caaf44e4a9a40e0f15e185f59d3e828b3
SSDEEP

98304:hFhmmnjy6kFUpuf0xK/7UqS+Xv7yn3EeeQ069sWU/:hFhvm6kykf0xK/TBXmn33eCsl

Score

10^/10

cryptbot discovery evasion spyware stealer

Malware Config

Extracted

Family

cryptbot

bibinene01.top

moraass05.top

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2620-32-0x00000000003B0000-0x00000000008B7000-memory.dmp	family_cryptbot
behavioral1/memory/2620-249-0x00000000003B0000-0x00000000008B7000-memory.dmp	family_cryptbot
behavioral1/memory/2620-252-0x00000000003B0000-0x00000000008B7000-memory.dmp	family_cryptbot
behavioral1/memory/2620-253-0x00000000003B0000-0x00000000008B7000-memory.dmp	family_cryptbot
behavioral1/memory/2620-256-0x00000000003B0000-0x00000000008B7000-memory.dmp	family_cryptbot
behavioral1/memory/2620-257-0x00000000003B0000-0x00000000008B7000-memory.dmp	family_cryptbot
behavioral1/memory/2620-258-0x00000000003B0000-0x00000000008B7000-memory.dmp	family_cryptbot
behavioral1/memory/2620-261-0x00000000003B0000-0x00000000008B7000-memory.dmp	family_cryptbot
behavioral1/memory/2620-263-0x00000000003B0000-0x00000000008B7000-memory.dmp	family_cryptbot
behavioral1/memory/2620-265-0x00000000003B0000-0x00000000008B7000-memory.dmp	family_cryptbot
behavioral1/memory/2620-267-0x00000000003B0000-0x00000000008B7000-memory.dmp	family_cryptbot
behavioral1/memory/2620-269-0x00000000003B0000-0x00000000008B7000-memory.dmp	family_cryptbot
behavioral1/memory/2620-272-0x00000000003B0000-0x00000000008B7000-memory.dmp	family_cryptbot
behavioral1/memory/2620-274-0x00000000003B0000-0x00000000008B7000-memory.dmp	family_cryptbot
behavioral1/memory/2620-276-0x00000000003B0000-0x00000000008B7000-memory.dmp	family_cryptbot
behavioral1/memory/2620-278-0x00000000003B0000-0x00000000008B7000-memory.dmp	family_cryptbot
behavioral1/memory/2620-280-0x00000000003B0000-0x00000000008B7000-memory.dmp	family_cryptbot
behavioral1/memory/2620-282-0x00000000003B0000-0x00000000008B7000-memory.dmp	family_cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

d7.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ d7.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

d7.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion d7.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion d7.exe
Executes dropped EXE 1 IoCs

Processes:

d7.exe

pid process

2620 d7.exe
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

d7.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine d7.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	d7.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	d7.exe

pid	process
2620	d7.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine	d7.exe

Loads dropped DLL 7 IoCs

Processes:

13842292b894939dabc62c2370c0094c_JaffaCakes118.exed7.exe

pid	process
1368	13842292b894939dabc62c2370c0094c_JaffaCakes118.exe
1368	13842292b894939dabc62c2370c0094c_JaffaCakes118.exe
1368	13842292b894939dabc62c2370c0094c_JaffaCakes118.exe
1368	13842292b894939dabc62c2370c0094c_JaffaCakes118.exe
2620	d7.exe
2620	d7.exe
2620	d7.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

d7.exe

pid process

2620 d7.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2620	d7.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d7.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	d7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	d7.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

d7.exe

pid process

2620 d7.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

d7.exe

pid process

2620 d7.exe
2620 d7.exe

pid	process
2620	d7.exe

pid	process
2620	d7.exe
2620	d7.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

13842292b894939dabc62c2370c0094c_JaffaCakes118.exe

description	pid	process	target process
PID 1368 wrote to memory of 2620	1368	13842292b894939dabc62c2370c0094c_JaffaCakes118.exe	d7.exe
PID 1368 wrote to memory of 2620	1368	13842292b894939dabc62c2370c0094c_JaffaCakes118.exe	d7.exe
PID 1368 wrote to memory of 2620	1368	13842292b894939dabc62c2370c0094c_JaffaCakes118.exe	d7.exe
PID 1368 wrote to memory of 2620	1368	13842292b894939dabc62c2370c0094c_JaffaCakes118.exe	d7.exe
PID 1368 wrote to memory of 2620	1368	13842292b894939dabc62c2370c0094c_JaffaCakes118.exe	d7.exe
PID 1368 wrote to memory of 2620	1368	13842292b894939dabc62c2370c0094c_JaffaCakes118.exe	d7.exe
PID 1368 wrote to memory of 2620	1368	13842292b894939dabc62c2370c0094c_JaffaCakes118.exe	d7.exe

C:\Users\Admin\AppData\Local\Temp\13842292b894939dabc62c2370c0094c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\13842292b894939dabc62c2370c0094c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1368

C:\Users\Admin\AppData\Local\Temp\sib8587.tmp\0\d7.exe
"C:\Users\Admin\AppData\Local\Temp\sib8587.tmp\0\d7.exe" /s
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2620

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E3Ghn0UMU\_Files\_Information.txt
Filesize
1KB

MD5
494506d76f88acc458e683697b2297db

SHA1
6308f6ce554947cefb5003a60f69a5058687ac66

SHA256
2078eb0ade7534f3a964d245064ac293c8108aa877fae28ec8e894b268167cd0

SHA512
3a0821768fc118b18952348b9e5eeb2d90a607db3f18e3c4b43c314f0e7a890e55b9fb6e14cdf72f93cbb4e7d85697f818a0d4e32b159f54ba60d5a47f7ab343

Download Submit
C:\Users\Admin\AppData\Local\Temp\E3Ghn0UMU\_Files\_Information.txt
Filesize
5KB

MD5
12df64d5d312967a304fd680296c132d

SHA1
70ee354f7280d95c1e48eb9e8e9e0daa2081aeaa

SHA256
6bc1eacb0ff61d3e603608f12f598b70b4654992e599fab578ca6ac3f29ee912

SHA512
52c50c4bb763dcd1a00396aa36e1094369ad64f20d325efc1867c92100fd4372f226dc441b0684722a07ba2abef6afea636cec6d8fc044aee3451c056f37492a

Download Submit
C:\Users\Admin\AppData\Local\Temp\E3Ghn0UMU\_Files\_Screen_Desktop.jpeg
Filesize
42KB

MD5
6975717f3b4ff2b49a614ab1595a870c

SHA1
cbc8df35d9f12c2fec09d9dd031683db49dfbfd9

SHA256
4c9553b9dee6b1c19198a1a5fefef41ed753be9f683793dc15fbe6ba26166a87

SHA512
95329b07016e56a4c8e723561cd29c92fa271640d6a2bbfbed0f3878f14b673bd0e4ec170d652bb9300dcf1b968b2a1f16149f5ddc2160f4bc4d762ae632ab11

Download Submit
C:\Users\Admin\AppData\Local\Temp\E3Ghn0UMU\files_\system_info.txt
Filesize
774B

MD5
0ab16cb39380f651a8515da3fc4a543f

SHA1
1d4b7ad91f27198ab51340ca054d4cb51b46862f

SHA256
cc7a643928c5dbd034669c920262373adcf5a249a39b4c86ea20776995f80b0b

SHA512
16b42bf24f3f17a9f2ad4181a31c67af6b1ab183d19e4044f58838c9f19c9c75d73d34a4bb3a21536d43f89d20d37a0f521cfd2eb7d46bf31c770d87259e6187

Download Submit
C:\Users\Admin\AppData\Local\Temp\E3Ghn0UMU\files_\system_info.txt
Filesize
8KB

MD5
dfe7d661467ca412a5a3dd4cee269949

SHA1
44aca68d0f74781f77a818c4dfcb908df4c13e66

SHA256
704a37401596b32ea46cda87768c3c256259fcefba706843143fad8301088387

SHA512
4ecf35e001f75852f57409e5bc93969656ef18f76f8eb6604b522340b43281c7a3c5f274c9b0afb18ba7f605536116939caf3f070b51a71177415f5d67afe5c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\E3Ghn0UMU\vAv3bbGg6LilOZ.zip
Filesize
34KB

MD5
4c9845452c36efbec8a7598f31ac22fe

SHA1
cbcae5d6c777997747dce6bf83edec0e96e68dfe

SHA256
3dbfcd0cd73ef21615ff324c3b15e8d8b7cf773ddec5e71d14d326fa7faedc61

SHA512
654fba80d83a084cf33d0b6483a51218ff4d390e449856c36584bb6ec46c5710b984ff08f84057fa0d8133b35b8c98d63857783b0cee85c508216924f1546de6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst848C.tmp\Sibuia.dll
Filesize
524KB

MD5
6a3c3c97e92a5949f88311e80268bbb5

SHA1
48c11e3f694b468479bc2c978749d27b5d03faa2

SHA256
7938db73242aafbe80915e4ca886d38be9b7e872b93bdae1e8ee6cf4a005b7d9

SHA512
6141886a889825ccdfa59a419f7670a34ef240c4f90a83bc17223c415f2fbd983280e98e67485710e449746b5bf3284907537bef6ab698a48954dd4910ddf693

Download Submit
\Users\Admin\AppData\Local\Temp\sib8587.tmp\0\d7.exe
Filesize
2.0MB

MD5
f7d357ad02e19287fbfdd8fc138a3662

SHA1
88ddb3cd546a4751d57fade705264d2b575ff35a

SHA256
848ebc63155b66409cd11733c08ab85b1886009dfa895c7dc56c63079d23125f

SHA512
873a7203e7c4ea6fdde068ab6d38d0355ea68820388bd92c33119082155d36d13f4cbbbc90aab9f1b4c4533e303e1b174b84c5f5bfe65dd2fbe154d13011abd4

Download Submit
\Users\Admin\AppData\Local\Temp\sib8587.tmp\SibClr.dll
Filesize
51KB

MD5
5ea6d2ffeb1be3fc0571961d0c4c2b5f

SHA1
902dfe9ae735c83fb0cb46b3e110bbf2aa80209e

SHA256
508336b6a7c3226738e74f6ce969e828da904ad9f7610b9112f883a316ee9222

SHA512
e81657087f451a37f06a07bf84175117fdaf75d5d8b84cbdc49497fcf88f96e259074518ea3037680d27c9eaeebd7a8df496297593fead88d7edea202a572585

Download Submit
memory/1368-14-0x000000000E580000-0x000000000E592000-memory.dmp

Filesize
72KB

Download
memory/1368-251-0x000000001C940000-0x000000001CE47000-memory.dmp

Filesize
5.0MB

Download
memory/1368-20-0x000000001C940000-0x000000001CE47000-memory.dmp

Filesize
5.0MB

Download
memory/1368-15-0x00000000108C0000-0x000000001097A000-memory.dmp

Filesize
744KB

Download
memory/1368-10-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2620-249-0x00000000003B0000-0x00000000008B7000-memory.dmp

Filesize
5.0MB

Download
memory/2620-258-0x00000000003B0000-0x00000000008B7000-memory.dmp

Filesize
5.0MB

Download
memory/2620-31-0x00000000003B0000-0x00000000008B7000-memory.dmp

Filesize
5.0MB

Download
memory/2620-28-0x0000000001290000-0x0000000001797000-memory.dmp

Filesize
5.0MB

Download
memory/2620-29-0x0000000001290000-0x0000000001797000-memory.dmp

Filesize
5.0MB

Download
memory/2620-30-0x0000000001290000-0x0000000001797000-memory.dmp

Filesize
5.0MB

Download
memory/2620-252-0x00000000003B0000-0x00000000008B7000-memory.dmp

Filesize
5.0MB

Download
memory/2620-253-0x00000000003B0000-0x00000000008B7000-memory.dmp

Filesize
5.0MB

Download
memory/2620-254-0x0000000001290000-0x0000000001797000-memory.dmp

Filesize
5.0MB

Download
memory/2620-256-0x00000000003B0000-0x00000000008B7000-memory.dmp

Filesize
5.0MB

Download
memory/2620-257-0x00000000003B0000-0x00000000008B7000-memory.dmp

Filesize
5.0MB

Download
memory/2620-32-0x00000000003B0000-0x00000000008B7000-memory.dmp

Filesize
5.0MB

Download
memory/2620-24-0x00000000003B0000-0x00000000008B7000-memory.dmp

Filesize
5.0MB

Download
memory/2620-261-0x00000000003B0000-0x00000000008B7000-memory.dmp

Filesize
5.0MB

Download
memory/2620-263-0x00000000003B0000-0x00000000008B7000-memory.dmp

Filesize
5.0MB

Download
memory/2620-265-0x00000000003B0000-0x00000000008B7000-memory.dmp

Filesize
5.0MB

Download
memory/2620-267-0x00000000003B0000-0x00000000008B7000-memory.dmp

Filesize
5.0MB

Download
memory/2620-269-0x00000000003B0000-0x00000000008B7000-memory.dmp

Filesize
5.0MB

Download
memory/2620-272-0x00000000003B0000-0x00000000008B7000-memory.dmp

Filesize
5.0MB

Download
memory/2620-274-0x00000000003B0000-0x00000000008B7000-memory.dmp

Filesize
5.0MB

Download
memory/2620-276-0x00000000003B0000-0x00000000008B7000-memory.dmp

Filesize
5.0MB

Download
memory/2620-278-0x00000000003B0000-0x00000000008B7000-memory.dmp

Filesize
5.0MB

Download
memory/2620-280-0x00000000003B0000-0x00000000008B7000-memory.dmp

Filesize
5.0MB

Download
memory/2620-282-0x00000000003B0000-0x00000000008B7000-memory.dmp

Filesize
5.0MB

Download