cryptbot | 8860956c8e44c46a67a4325034d4c612aae7721c928668f5148e4a1bc5bf8779

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 07:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28fc393e1c89bb2945827aebf566fa31_JaffaCakes118.exe
Size

4.1MB
MD5

28fc393e1c89bb2945827aebf566fa31
SHA1

851fd5cb4e98a5fc9e978d6d05287715eb74a9e8
SHA256

8860956c8e44c46a67a4325034d4c612aae7721c928668f5148e4a1bc5bf8779
SHA512

a58f626e831f4f1e906fad432217ac271a7818ae80f08713198b57103ce0fcd1c0a46ac6c961bc2408394ce42271fec10dd4c620dc0c19504068db3a1aa14f2e
SSDEEP

98304:ms6TTJArKDxV4bMCkzJLnaeMj86mcyUrKamVAtMfqc:m1J6KEgnzJWhB/ybhN

Score

10^/10

cryptbot discovery evasion spyware stealer

Malware Config

Extracted

Family

cryptbot

bube01.info

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Setup.exeSetupX.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Setup.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ SetupX.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SetupX.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Setup.exeSetupX.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SetupX.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SetupX.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SetupX.exeSetup.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SetupX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Setup.exe

Executes dropped EXE 2 IoCs

Processes:

Setup.exeSetupX.exe

pid process

232 Setup.exe
1404 SetupX.exe

pid	process
232	Setup.exe
1404	SetupX.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

SetupX.exeSetup.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine	SetupX.exe
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine	Setup.exe

Loads dropped DLL 1 IoCs

Processes:

28fc393e1c89bb2945827aebf566fa31_JaffaCakes118.exe

pid process

3228 28fc393e1c89bb2945827aebf566fa31_JaffaCakes118.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

26 bitbucket.org
16 iplogger.org
17 iplogger.org
25 bitbucket.org
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Setup.exeSetupX.exe

pid process

232 Setup.exe
1404 SetupX.exe

pid	process
3228	28fc393e1c89bb2945827aebf566fa31_JaffaCakes118.exe

flow	ioc
26	bitbucket.org
16	iplogger.org
17	iplogger.org
25	bitbucket.org

flow	ioc
1	ip-api.com

pid	process
232	Setup.exe
1404	SetupX.exe

Drops file in Program Files directory 6 IoCs

Processes:

28fc393e1c89bb2945827aebf566fa31_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files (x86)\Busa\registration_info.php	28fc393e1c89bb2945827aebf566fa31_JaffaCakes118.exe
File created	C:\Program Files (x86)\Busa\Setup.exe	28fc393e1c89bb2945827aebf566fa31_JaffaCakes118.exe
File created	C:\Program Files (x86)\Busa\SetupX.exe	28fc393e1c89bb2945827aebf566fa31_JaffaCakes118.exe
File created	C:\Program Files (x86)\Busa\database_access.php	28fc393e1c89bb2945827aebf566fa31_JaffaCakes118.exe
File created	C:\Program Files (x86)\Busa\order.php	28fc393e1c89bb2945827aebf566fa31_JaffaCakes118.exe
File created	C:\Program Files (x86)\Busa\product.php	28fc393e1c89bb2945827aebf566fa31_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Setup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Setup.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4300 timeout.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Setup.exeSetupX.exe

pid process

232 Setup.exe
232 Setup.exe
1404 SetupX.exe
1404 SetupX.exe
Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

Setup.exe

pid process

232 Setup.exe
232 Setup.exe
232 Setup.exe
232 Setup.exe
232 Setup.exe
232 Setup.exe
232 Setup.exe
232 Setup.exe
232 Setup.exe
232 Setup.exe
232 Setup.exe
232 Setup.exe

pid	process
4300	timeout.exe

pid	process
232	Setup.exe
232	Setup.exe
1404	SetupX.exe
1404	SetupX.exe

pid	process
232	Setup.exe
232	Setup.exe
232	Setup.exe
232	Setup.exe
232	Setup.exe
232	Setup.exe
232	Setup.exe
232	Setup.exe
232	Setup.exe
232	Setup.exe
232	Setup.exe
232	Setup.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

28fc393e1c89bb2945827aebf566fa31_JaffaCakes118.exeSetup.execmd.exe

description	pid	process	target process
PID 3228 wrote to memory of 232	3228	28fc393e1c89bb2945827aebf566fa31_JaffaCakes118.exe	Setup.exe
PID 3228 wrote to memory of 232	3228	28fc393e1c89bb2945827aebf566fa31_JaffaCakes118.exe	Setup.exe
PID 3228 wrote to memory of 232	3228	28fc393e1c89bb2945827aebf566fa31_JaffaCakes118.exe	Setup.exe
PID 3228 wrote to memory of 1404	3228	28fc393e1c89bb2945827aebf566fa31_JaffaCakes118.exe	SetupX.exe
PID 3228 wrote to memory of 1404	3228	28fc393e1c89bb2945827aebf566fa31_JaffaCakes118.exe	SetupX.exe
PID 3228 wrote to memory of 1404	3228	28fc393e1c89bb2945827aebf566fa31_JaffaCakes118.exe	SetupX.exe
PID 232 wrote to memory of 1280	232	Setup.exe	cmd.exe
PID 232 wrote to memory of 1280	232	Setup.exe	cmd.exe
PID 232 wrote to memory of 1280	232	Setup.exe	cmd.exe
PID 1280 wrote to memory of 4300	1280	cmd.exe	timeout.exe
PID 1280 wrote to memory of 4300	1280	cmd.exe	timeout.exe
PID 1280 wrote to memory of 4300	1280	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\28fc393e1c89bb2945827aebf566fa31_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\28fc393e1c89bb2945827aebf566fa31_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3228

C:\Program Files (x86)\Busa\Setup.exe
"C:\Program Files (x86)\Busa\Setup.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:232

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\C8B2prEbJ0Z4MKVi & timeout 2 & del /f /q "C:\Program Files (x86)\Busa\Setup.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1280

C:\Windows\SysWOW64\timeout.exe
timeout 2
4⤵
- Delays execution with timeout.exe
PID:4300

C:\Program Files (x86)\Busa\SetupX.exe
"C:\Program Files (x86)\Busa\SetupX.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1404

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Busa\Setup.exe
Filesize
2.2MB

MD5
3e2939633756d5eafd71201a32b971ed

SHA1
1c9b05c647de8ba96ede7cd9054b13e8b6be7725

SHA256
c955bf4ec24e5b286fcc12fb9954d08f6a4bf323b5133ec268b37f68d01b8e6a

SHA512
96e06d5972bd6ad8d836a18155c63f2022a4c626b5229c84755bc864ada567bfb5e4e3a4d6f4c63826c5ae3ceec6932f6a9b5f24e7649eb5424dbf8a85a5a954

Download Submit
C:\Program Files (x86)\Busa\SetupX.exe
Filesize
2.0MB

MD5
a4900d9fe88f8ac892c383486088288c

SHA1
28c089bf25992b270a4e7039bc880ba520186976

SHA256
19e5e1df78d2545c13f25dfa94c33011822693461bba6c565d585a55b72343da

SHA512
2c3c17183ce2675e2eb729b7e8cd4a879f45c81dea5dbc918ad7a3f14ee81b0fc4872ed9ad23e0700412ed192750a0bc9910a9948d0103b5b592ad644d271711

Download Submit
C:\ProgramData\C8B2prEbJ0Z4MKVi\47283761.txt
Filesize
156B

MD5
b5089e0c5a3d5377e9bd19c0557ef04e

SHA1
9402e326be3d240e234c06892b15c24e93c93eb8

SHA256
d77789b2c49759c882f4fdd6f53e665b0d012f8f0949d0150eaba47fbf2a0eb5

SHA512
942349ccb99854f274ef1e20b623660588e15bd0d25bfc817fe9b2d010db656af340652e0e67b41edbf0cf259d55ab880d6b50acb1d7e8ab394f1393f7956c13

Download Submit
C:\ProgramData\C8B2prEbJ0Z4MKVi\Files\Files\Desktop\DISCON~1.TXT
Filesize
645KB

MD5
d16f66acd2303b14049d0f4e1cce28c3

SHA1
0b475e7882d1f5a5564b92ee220cf1ff1d976e70

SHA256
b1bed47f1dcee099d374eb63f9df7cbbdf52a213cc00fe4809ca5b7a96566495

SHA512
1e3d31db74a19b42145a2b86640d524bcf1786a3c6e4d0f88eac72d2b48ab52d09ab5c8475c038fea7ab1d5cae114e2e1975ae319d43622d2584ad7391419081

Download Submit
C:\ProgramData\C8B2prEbJ0Z4MKVi\Files\_Info.txt
Filesize
7KB

MD5
ee651efa6bb6f25d787c154f4f2d1d21

SHA1
04e84a6b718beb6cde9f34db7a02c57b52db230c

SHA256
4e645f531e05e679856ff744076eeaf834bc4f2c7a73f609e85f8145bd77c3ac

SHA512
4ba39b68237ac12bfd6697d89031c2565477b0b05ba8104b11a25be3f90de3809d46e8426997762ad6d7fd0f6ffec5e4179ceaa0550267db854fb6ea68e2e5a5

Download Submit
C:\ProgramData\C8B2prEbJ0Z4MKVi\Files\_Info.txt
Filesize
5KB

MD5
3ef4a2a22897d547aeecc6d39f735d82

SHA1
4e117dfdf3c1f4880f712a5898579d09208d5ced

SHA256
5ecf718b271e42cdbb144b6a4de3c82f0c314213eee417d8e4f6b098c55797f1

SHA512
04ffca3cd33f3129bf7939bccb73f082d39dcf5be6459c2b892ee537bff43756e57c921b7f5087ecebeca5ba02c515e90979d8271ca137189f2a90d88738f4bc

Download Submit
C:\ProgramData\C8B2prEbJ0Z4MKVi\Files\_Screen.jpg
Filesize
55KB

MD5
ec869b0d819853d98973e43eda6f96d2

SHA1
9c7a4c1beb668fbc9d5b25c49b5d77156e1c96d2

SHA256
28c2e84fb8665a644b099873f6bc2d9ec5c15b8b34531eae439d95e2b7caed5e

SHA512
40c8ae8e06960612dd235211caae2d7fa002894c434c75981c42d95e5e4640abc6fdc70448d3da40e20bc866ace8c1fd2657087e4f30bc441a67751f03ab76d6

Download Submit
C:\ProgramData\C8B2prEbJ0Z4MKVi\MOZ_CO~1.DB
Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\ProgramData\C8B2prEbJ0Z4MKVi\lOt7XXmwxAJR.zip
Filesize
695KB

MD5
70ff4f7929c5969b4181d02284ba24ef

SHA1
246a5aec3666969f90781787b350bf5328509415

SHA256
f103b25d5a43c5a3257b3a6222dd8df524b20732ba59434edfbaa28bd6cb6733

SHA512
9d9e047f77d9a983dbdcc405338c4ee512c6a28fdee70957d54d52710db411b3865dd2dc66e9b632a9e6700da701a85362012861f9571269d1e60687f33b1c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy4ECD.tmp\UAC.dll
Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
C:\Users\Admin\AppData\Roaming\rfdertgvfd.exe
Filesize
14KB

MD5
bb83a1a215ce02e755ae96599f741e90

SHA1
b47fddd4a2da8e73465c6f71bdddc801267ffde7

SHA256
c3e45e43b1447f38b7f1ef33ae488c73982b8830859dc826b4a647a32dbf9813

SHA512
6c7b71a2791fb3203d3d7b994943f49087ff4917ad19ec58db285631791a8dcd1e96f641ed5932799b863f15816d1ed301d5fe66e9ff784e6f592b67b9cb7c78

Download Submit
memory/232-21-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/232-186-0x00000000006E0000-0x0000000000C28000-memory.dmp

Filesize
5.3MB

Download
memory/232-33-0x00000000006E0000-0x0000000000C28000-memory.dmp

Filesize
5.3MB

Download
memory/232-22-0x00000000051A0000-0x00000000051A1000-memory.dmp

Filesize
4KB

Download
memory/232-23-0x00000000051B0000-0x00000000051B1000-memory.dmp

Filesize
4KB

Download
memory/232-38-0x0000000005170000-0x0000000005171000-memory.dmp

Filesize
4KB

Download
memory/232-43-0x00000000051D0000-0x00000000051D1000-memory.dmp

Filesize
4KB

Download
memory/232-44-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download
memory/232-25-0x0000000005150000-0x0000000005151000-memory.dmp

Filesize
4KB

Download
memory/232-27-0x00000000006E1000-0x0000000000740000-memory.dmp

Filesize
380KB

Download
memory/232-20-0x0000000077C34000-0x0000000077C36000-memory.dmp

Filesize
8KB

Download
memory/232-251-0x00000000006E0000-0x0000000000C28000-memory.dmp

Filesize
5.3MB

Download
memory/232-183-0x00000000006E0000-0x0000000000C28000-memory.dmp

Filesize
5.3MB

Download
memory/232-181-0x00000000006E0000-0x0000000000C28000-memory.dmp

Filesize
5.3MB

Download
memory/232-248-0x00000000006E0000-0x0000000000C28000-memory.dmp

Filesize
5.3MB

Download
memory/232-36-0x00000000006E0000-0x0000000000C28000-memory.dmp

Filesize
5.3MB

Download
memory/232-14-0x00000000006E0000-0x0000000000C28000-memory.dmp

Filesize
5.3MB

Download
memory/232-245-0x00000000006E0000-0x0000000000C28000-memory.dmp

Filesize
5.3MB

Download
memory/232-188-0x00000000006E0000-0x0000000000C28000-memory.dmp

Filesize
5.3MB

Download
memory/232-242-0x00000000006E0000-0x0000000000C28000-memory.dmp

Filesize
5.3MB

Download
memory/232-239-0x00000000006E0000-0x0000000000C28000-memory.dmp

Filesize
5.3MB

Download
memory/232-197-0x00000000006E0000-0x0000000000C28000-memory.dmp

Filesize
5.3MB

Download
memory/232-236-0x00000000006E0000-0x0000000000C28000-memory.dmp

Filesize
5.3MB

Download
memory/232-234-0x00000000006E0000-0x0000000000C28000-memory.dmp

Filesize
5.3MB

Download
memory/232-202-0x00000000006E0000-0x0000000000C28000-memory.dmp

Filesize
5.3MB

Download
memory/232-231-0x00000000006E0000-0x0000000000C28000-memory.dmp

Filesize
5.3MB

Download
memory/232-206-0x00000000006E0000-0x0000000000C28000-memory.dmp

Filesize
5.3MB

Download
memory/232-228-0x00000000006E0000-0x0000000000C28000-memory.dmp

Filesize
5.3MB

Download
memory/232-211-0x00000000006E0000-0x0000000000C28000-memory.dmp

Filesize
5.3MB

Download
memory/1404-40-0x0000000009F80000-0x0000000009F81000-memory.dmp

Filesize
4KB

Download
memory/1404-212-0x0000000000400000-0x0000000000918000-memory.dmp

Filesize
5.1MB

Download
memory/1404-225-0x0000000000400000-0x0000000000918000-memory.dmp

Filesize
5.1MB

Download
memory/1404-226-0x0000000009FB0000-0x0000000009FB1000-memory.dmp

Filesize
4KB

Download
memory/1404-207-0x0000000000400000-0x0000000000918000-memory.dmp

Filesize
5.1MB

Download
memory/1404-203-0x0000000000400000-0x0000000000918000-memory.dmp

Filesize
5.1MB

Download
memory/1404-198-0x0000000000400000-0x0000000000918000-memory.dmp

Filesize
5.1MB

Download
memory/1404-199-0x0000000009E30000-0x0000000009E32000-memory.dmp

Filesize
8KB

Download
memory/1404-192-0x0000000009E10000-0x0000000009E11000-memory.dmp

Filesize
4KB

Download
memory/1404-190-0x0000000000400000-0x0000000000918000-memory.dmp

Filesize
5.1MB

Download
memory/1404-189-0x0000000000400000-0x0000000000918000-memory.dmp

Filesize
5.1MB

Download
memory/1404-184-0x0000000000400000-0x0000000000918000-memory.dmp

Filesize
5.1MB

Download
memory/1404-182-0x0000000000400000-0x0000000000918000-memory.dmp

Filesize
5.1MB

Download
memory/1404-169-0x0000000009FF0000-0x0000000009FF2000-memory.dmp

Filesize
8KB

Download
memory/1404-39-0x0000000009FA0000-0x0000000009FA1000-memory.dmp

Filesize
4KB

Download
memory/1404-37-0x0000000000400000-0x0000000000918000-memory.dmp

Filesize
5.1MB

Download
memory/1404-19-0x0000000000400000-0x0000000000918000-memory.dmp

Filesize
5.1MB

Download