cryptbot | d2638877ee593334ebe913b61a62a9cb80c75493f764c416959d34fe8a99897a

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2024 11:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1763bb2adcedfe5bc524624aa73dc140_JaffaCakes118.exe
Size

4.3MB
MD5

1763bb2adcedfe5bc524624aa73dc140
SHA1

2df89148a27b588a9f1a99a99e17312c43c41340
SHA256

d2638877ee593334ebe913b61a62a9cb80c75493f764c416959d34fe8a99897a
SHA512

92d4dc3b1dcb6793ac306bad5da80938f6d995da528a5432f7cb7655450ce035fe6d35f8d702ae46522b1f4bf127f671eb936e0f6fa28e4478c12260ff7d5337
SSDEEP

98304:7fdYYywRBzkQ8LepeMMsKcjetxUGFaj2S7+aFun114T:bdfBzh8L6CsCjFAlFu1e

Score

10^/10

cryptbot discovery evasion spyware stealer

Malware Config

Extracted

Family

cryptbot

bibinene03.top

moraass05.top

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 20 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3696-30-0x0000000000E10000-0x000000000131B000-memory.dmp	family_cryptbot
behavioral2/memory/3696-31-0x0000000000E10000-0x000000000131B000-memory.dmp	family_cryptbot
behavioral2/memory/3696-139-0x0000000000E10000-0x000000000131B000-memory.dmp	family_cryptbot
behavioral2/memory/3696-246-0x0000000000E10000-0x000000000131B000-memory.dmp	family_cryptbot
behavioral2/memory/3696-251-0x0000000000E10000-0x000000000131B000-memory.dmp	family_cryptbot
behavioral2/memory/3696-252-0x0000000000E10000-0x000000000131B000-memory.dmp	family_cryptbot
behavioral2/memory/3696-253-0x0000000000E10000-0x000000000131B000-memory.dmp	family_cryptbot
behavioral2/memory/3696-256-0x0000000000E10000-0x000000000131B000-memory.dmp	family_cryptbot
behavioral2/memory/3696-258-0x0000000000E10000-0x000000000131B000-memory.dmp	family_cryptbot
behavioral2/memory/3696-261-0x0000000000E10000-0x000000000131B000-memory.dmp	family_cryptbot
behavioral2/memory/3696-264-0x0000000000E10000-0x000000000131B000-memory.dmp	family_cryptbot
behavioral2/memory/3696-267-0x0000000000E10000-0x000000000131B000-memory.dmp	family_cryptbot
behavioral2/memory/3696-270-0x0000000000E10000-0x000000000131B000-memory.dmp	family_cryptbot
behavioral2/memory/3696-272-0x0000000000E10000-0x000000000131B000-memory.dmp	family_cryptbot
behavioral2/memory/3696-275-0x0000000000E10000-0x000000000131B000-memory.dmp	family_cryptbot
behavioral2/memory/3696-278-0x0000000000E10000-0x000000000131B000-memory.dmp	family_cryptbot
behavioral2/memory/3696-283-0x0000000000E10000-0x000000000131B000-memory.dmp	family_cryptbot
behavioral2/memory/3696-286-0x0000000000E10000-0x000000000131B000-memory.dmp	family_cryptbot
behavioral2/memory/3696-289-0x0000000000E10000-0x000000000131B000-memory.dmp	family_cryptbot
behavioral2/memory/3696-293-0x0000000000E10000-0x000000000131B000-memory.dmp	family_cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

1.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 1.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

1.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 1.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 1.exe
Executes dropped EXE 1 IoCs

Processes:

1.exe

pid process

3696 1.exe
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

1.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Software\Wine 1.exe
Loads dropped DLL 3 IoCs

Processes:

1763bb2adcedfe5bc524624aa73dc140_JaffaCakes118.exe

pid process

4328 1763bb2adcedfe5bc524624aa73dc140_JaffaCakes118.exe
4328 1763bb2adcedfe5bc524624aa73dc140_JaffaCakes118.exe
4328 1763bb2adcedfe5bc524624aa73dc140_JaffaCakes118.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

1.exe

pid process

3696 1.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1.exe

pid	process
3696	1.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Software\Wine	1.exe

pid	process
4328	1763bb2adcedfe5bc524624aa73dc140_JaffaCakes118.exe
4328	1763bb2adcedfe5bc524624aa73dc140_JaffaCakes118.exe
4328	1763bb2adcedfe5bc524624aa73dc140_JaffaCakes118.exe

pid	process
3696	1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	1.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

1.exe

pid process

3696 1.exe
3696 1.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

1.exe

pid process

3696 1.exe
3696 1.exe

pid	process
3696	1.exe
3696	1.exe

pid	process
3696	1.exe
3696	1.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

1763bb2adcedfe5bc524624aa73dc140_JaffaCakes118.exe

description	pid	process	target process
PID 4328 wrote to memory of 3696	4328	1763bb2adcedfe5bc524624aa73dc140_JaffaCakes118.exe	1.exe
PID 4328 wrote to memory of 3696	4328	1763bb2adcedfe5bc524624aa73dc140_JaffaCakes118.exe	1.exe
PID 4328 wrote to memory of 3696	4328	1763bb2adcedfe5bc524624aa73dc140_JaffaCakes118.exe	1.exe

C:\Users\Admin\AppData\Local\Temp\1763bb2adcedfe5bc524624aa73dc140_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1763bb2adcedfe5bc524624aa73dc140_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4328

C:\Users\Admin\AppData\Local\Temp\sib4548.tmp\0\1.exe
"C:\Users\Admin\AppData\Local\Temp\sib4548.tmp\0\1.exe" /s
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:3696

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cull2jGw\4rOZ4TqhokZ.zip
Filesize
42KB

MD5
075bebd4c55707e461a3a3aca36d6fbe

SHA1
a52b0d6fe71e4544f762dd585602ad38d7c1ed3e

SHA256
bdc8f0fc67b93bbe59921b91f2e8510a4e8b01b96fcff32f78f53e3c4d273b00

SHA512
e9f8ed8df66faa939e2826b0cf0842abb31439be3374a6adf06cfee5d791ded5d8c96af08098862c7f7547de2007fbb4dc2ba618f83d5fccdb2e8953daa20ded

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cull2jGw\_Files\_Information.txt
Filesize
7KB

MD5
7f0d498a23b8036bd3968812359480db

SHA1
dcab3fcbeed7c6103d096e7ac25b52ea40c58508

SHA256
aac9c0d6f39925a3f476556cafafc05e3b50505a55343e44fa286853e29fae9c

SHA512
353cfba2880cbd28d6b63d241d0986da4c232aae6c50f586511ca0bbf22317efcd12fe90fce06bc083596c57311d7d3cd2476f300f8591ef99e0d3bf78ffdde8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cull2jGw\_Files\_Screen_Desktop.jpeg
Filesize
48KB

MD5
5046c4434a73094091bcfebd5524a28b

SHA1
f2de843e873e48db769841ac7df25d743984e49b

SHA256
ca5a8ab975e95f2a8ee10c59c0d1cdb19228a44c6eaf64831c3d4bd63fc8790f

SHA512
2c8a67e31652a6036156534b3a1bb385da01d3313e0835a3be1db7007cff2eadc7dcdc8349e1337bc0bb3567d86d7bceafd0a4b787ba54089e5530c19616ca83

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cull2jGw\files_\system_info.txt
Filesize
1KB

MD5
d1275b13fd0ee33a3332434d208a57a6

SHA1
ea8d76da08ff55c2ed526fb869f4a9b830ad2bc4

SHA256
be6088d1c66d4284d369c2400186fd2ef7bb208d1fac6436d378129e79dfcdac

SHA512
90faaed9a27f5b721082bc4e1646bcac4a53b0ddc258efccab21a02c4dc84e3beef2a82f974897e7546c21b6cffeb7f03b97c37574d8c7723d4a2d4cdfcb8631

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cull2jGw\files_\system_info.txt
Filesize
7KB

MD5
d5b609972d7a1de7ed1c2b821d972edb

SHA1
adf891cfa1f0ced4512d38e1e4b5b96917d3db8e

SHA256
dad6344e1cfcdd974c87b947bd65206be59140581a2a1e7df336d6eea7b77487

SHA512
2c00e4096a137d407defa75200781062da4f3e2d0008fbdddeecdf30c726cbbcce3e2949f0d162c168827cea3fb079361ebdf1c950f70e72391d68bc930f5988

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cull2jGw\qWQDi6U0jh3K.zip
Filesize
42KB

MD5
85358d5f084a3c1d132271cb1768ff6a

SHA1
7a7f601582de3f016463dffcb7823c3ea4861905

SHA256
3447311fb7d00aba71b3984d4fb2ed214577d0d551ef4d9d0c7f47c0e47dd9c1

SHA512
c220d62f151379690d0f296af0bb4579dadc27bcc719fe2fadebcb47dc878f251c4d6772fb35b80c67187e6da0c195f5a331c15103980e91d16816fa441d5037

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso449B.tmp\Sibuia.dll
Filesize
524KB

MD5
6a3c3c97e92a5949f88311e80268bbb5

SHA1
48c11e3f694b468479bc2c978749d27b5d03faa2

SHA256
7938db73242aafbe80915e4ca886d38be9b7e872b93bdae1e8ee6cf4a005b7d9

SHA512
6141886a889825ccdfa59a419f7670a34ef240c4f90a83bc17223c415f2fbd983280e98e67485710e449746b5bf3284907537bef6ab698a48954dd4910ddf693

Download Submit
C:\Users\Admin\AppData\Local\Temp\sib4548.tmp\0\1.exe
Filesize
2.1MB

MD5
ac7e35bcbfd470a51f449556aa1fbe9e

SHA1
7dd5876685e9ca21f8ff5098242ead93b8423d36

SHA256
637b36fdc2cb3c6b930fd6ed725211a6f71d4be69f51d78330d6010305b255ac

SHA512
4ed25e226970b4fc12f08a605a7066291929499926c920731c34be476947d987f659f61869daa08c0bf9dfdddcc78f449b2477f4f792eef3ea022e32a2732d53

Download Submit
C:\Users\Admin\AppData\Local\Temp\sib4548.tmp\SibClr.dll
Filesize
51KB

MD5
5ea6d2ffeb1be3fc0571961d0c4c2b5f

SHA1
902dfe9ae735c83fb0cb46b3e110bbf2aa80209e

SHA256
508336b6a7c3226738e74f6ce969e828da904ad9f7610b9112f883a316ee9222

SHA512
e81657087f451a37f06a07bf84175117fdaf75d5d8b84cbdc49497fcf88f96e259074518ea3037680d27c9eaeebd7a8df496297593fead88d7edea202a572585

Download Submit
memory/3696-30-0x0000000000E10000-0x000000000131B000-memory.dmp

Filesize
5.0MB

Download
memory/3696-252-0x0000000000E10000-0x000000000131B000-memory.dmp

Filesize
5.0MB

Download
memory/3696-29-0x0000000000E11000-0x0000000000E6C000-memory.dmp

Filesize
364KB

Download
memory/3696-28-0x0000000005690000-0x0000000005691000-memory.dmp

Filesize
4KB

Download
memory/3696-27-0x0000000005680000-0x0000000005681000-memory.dmp

Filesize
4KB

Download
memory/3696-26-0x0000000005670000-0x0000000005671000-memory.dmp

Filesize
4KB

Download
memory/3696-25-0x0000000005660000-0x0000000005661000-memory.dmp

Filesize
4KB

Download
memory/3696-31-0x0000000000E10000-0x000000000131B000-memory.dmp

Filesize
5.0MB

Download
memory/3696-23-0x0000000000E10000-0x000000000131B000-memory.dmp

Filesize
5.0MB

Download
memory/3696-139-0x0000000000E10000-0x000000000131B000-memory.dmp

Filesize
5.0MB

Download
memory/3696-293-0x0000000000E10000-0x000000000131B000-memory.dmp

Filesize
5.0MB

Download
memory/3696-289-0x0000000000E10000-0x000000000131B000-memory.dmp

Filesize
5.0MB

Download
memory/3696-286-0x0000000000E10000-0x000000000131B000-memory.dmp

Filesize
5.0MB

Download
memory/3696-246-0x0000000000E10000-0x000000000131B000-memory.dmp

Filesize
5.0MB

Download
memory/3696-283-0x0000000000E10000-0x000000000131B000-memory.dmp

Filesize
5.0MB

Download
memory/3696-278-0x0000000000E10000-0x000000000131B000-memory.dmp

Filesize
5.0MB

Download
memory/3696-251-0x0000000000E10000-0x000000000131B000-memory.dmp

Filesize
5.0MB

Download
memory/3696-24-0x0000000077834000-0x0000000077836000-memory.dmp

Filesize
8KB

Download
memory/3696-253-0x0000000000E10000-0x000000000131B000-memory.dmp

Filesize
5.0MB

Download
memory/3696-275-0x0000000000E10000-0x000000000131B000-memory.dmp

Filesize
5.0MB

Download
memory/3696-256-0x0000000000E10000-0x000000000131B000-memory.dmp

Filesize
5.0MB

Download
memory/3696-258-0x0000000000E10000-0x000000000131B000-memory.dmp

Filesize
5.0MB

Download
memory/3696-261-0x0000000000E10000-0x000000000131B000-memory.dmp

Filesize
5.0MB

Download
memory/3696-264-0x0000000000E10000-0x000000000131B000-memory.dmp

Filesize
5.0MB

Download
memory/3696-267-0x0000000000E10000-0x000000000131B000-memory.dmp

Filesize
5.0MB

Download
memory/3696-270-0x0000000000E10000-0x000000000131B000-memory.dmp

Filesize
5.0MB

Download
memory/3696-272-0x0000000000E10000-0x000000000131B000-memory.dmp

Filesize
5.0MB

Download
memory/4328-14-0x000000000EBA0000-0x000000000EBB2000-memory.dmp

Filesize
72KB

Download
memory/4328-249-0x0000000074010000-0x00000000747C0000-memory.dmp

Filesize
7.7MB

Download
memory/4328-248-0x000000007401E000-0x000000007401F000-memory.dmp

Filesize
4KB

Download
memory/4328-15-0x0000000074010000-0x00000000747C0000-memory.dmp

Filesize
7.7MB

Download
memory/4328-10-0x000000007401E000-0x000000007401F000-memory.dmp

Filesize
4KB

Download
memory/4328-16-0x0000000010D20000-0x0000000010DDA000-memory.dmp

Filesize
744KB

Download
memory/4328-22-0x0000000074010000-0x00000000747C0000-memory.dmp

Filesize
7.7MB

Download