cryptbot | d9f01436c890d26da55d5caa1999e73ef71fab82310ee65ea7d038a7e9ad5374

Analysis

max time kernel
146s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

328ebad3b9024940b56a758598dd9811_JaffaCakes118.exe
Size

4.3MB
MD5

328ebad3b9024940b56a758598dd9811
SHA1

915ad091b5d250ff94aa2aec146dc5214558b0d8
SHA256

d9f01436c890d26da55d5caa1999e73ef71fab82310ee65ea7d038a7e9ad5374
SHA512

2975063ec08f72a5d8747c84cb32efba335263f35f21daa137839262f82197b79658b450dec676a3a6887c229929210823fedc56630cea2137e2b9728bb405a1
SSDEEP

98304:F8FVXoBFq2fxnpNjMuSEO+RHh2qnRCZAgB1z2:0XBipxSI8IRczTz2

Score

10^/10

cryptbot discovery evasion spyware stealer

Malware Config

Extracted

Family

cryptbot

rifat05.info

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

328ebad3b9024940b56a758598dd9811_JaffaCakes118.exePiqqu.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 328ebad3b9024940b56a758598dd9811_JaffaCakes118.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Piqqu.exe
Blocklisted process makes network request 3 IoCs

Processes:

WScript.exe

flow pid process

35 3008 WScript.exe
37 3008 WScript.exe
39 3008 WScript.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	328ebad3b9024940b56a758598dd9811_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Piqqu.exe

flow	pid	process
35	3008	WScript.exe
37	3008	WScript.exe
39	3008	WScript.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

328ebad3b9024940b56a758598dd9811_JaffaCakes118.exePiqqu.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	328ebad3b9024940b56a758598dd9811_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Piqqu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Piqqu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	328ebad3b9024940b56a758598dd9811_JaffaCakes118.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

328ebad3b9024940b56a758598dd9811_JaffaCakes118.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation 328ebad3b9024940b56a758598dd9811_JaffaCakes118.exe
Executes dropped EXE 1 IoCs

Processes:

Piqqu.exe

pid process

2236 Piqqu.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	328ebad3b9024940b56a758598dd9811_JaffaCakes118.exe

pid	process
2236	Piqqu.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

328ebad3b9024940b56a758598dd9811_JaffaCakes118.exePiqqu.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Wine	328ebad3b9024940b56a758598dd9811_JaffaCakes118.exe
Key opened	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Wine	Piqqu.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

34 iplogger.org
35 iplogger.org
43 iplogger.org
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

29 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

328ebad3b9024940b56a758598dd9811_JaffaCakes118.exePiqqu.exe

pid process

2612 328ebad3b9024940b56a758598dd9811_JaffaCakes118.exe
2236 Piqqu.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
34	iplogger.org
35	iplogger.org
43	iplogger.org

flow	ioc
29	ip-api.com

pid	process
2612	328ebad3b9024940b56a758598dd9811_JaffaCakes118.exe
2236	Piqqu.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Piqqu.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Piqqu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Piqqu.exe

Modifies registry class 1 IoCs

Processes:

328ebad3b9024940b56a758598dd9811_JaffaCakes118.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings 328ebad3b9024940b56a758598dd9811_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

328ebad3b9024940b56a758598dd9811_JaffaCakes118.exePiqqu.exe

pid process

2612 328ebad3b9024940b56a758598dd9811_JaffaCakes118.exe
2612 328ebad3b9024940b56a758598dd9811_JaffaCakes118.exe
2236 Piqqu.exe
2236 Piqqu.exe
Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

Piqqu.exe

pid process

2236 Piqqu.exe
2236 Piqqu.exe
2236 Piqqu.exe
2236 Piqqu.exe
2236 Piqqu.exe
2236 Piqqu.exe
2236 Piqqu.exe
2236 Piqqu.exe
2236 Piqqu.exe
2236 Piqqu.exe
2236 Piqqu.exe
2236 Piqqu.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	328ebad3b9024940b56a758598dd9811_JaffaCakes118.exe

pid	process
2612	328ebad3b9024940b56a758598dd9811_JaffaCakes118.exe
2612	328ebad3b9024940b56a758598dd9811_JaffaCakes118.exe
2236	Piqqu.exe
2236	Piqqu.exe

pid	process
2236	Piqqu.exe
2236	Piqqu.exe
2236	Piqqu.exe
2236	Piqqu.exe
2236	Piqqu.exe
2236	Piqqu.exe
2236	Piqqu.exe
2236	Piqqu.exe
2236	Piqqu.exe
2236	Piqqu.exe
2236	Piqqu.exe
2236	Piqqu.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

328ebad3b9024940b56a758598dd9811_JaffaCakes118.exe

description	pid	process	target process
PID 2612 wrote to memory of 2236	2612	328ebad3b9024940b56a758598dd9811_JaffaCakes118.exe	Piqqu.exe
PID 2612 wrote to memory of 2236	2612	328ebad3b9024940b56a758598dd9811_JaffaCakes118.exe	Piqqu.exe
PID 2612 wrote to memory of 2236	2612	328ebad3b9024940b56a758598dd9811_JaffaCakes118.exe	Piqqu.exe
PID 2612 wrote to memory of 3008	2612	328ebad3b9024940b56a758598dd9811_JaffaCakes118.exe	WScript.exe
PID 2612 wrote to memory of 3008	2612	328ebad3b9024940b56a758598dd9811_JaffaCakes118.exe	WScript.exe
PID 2612 wrote to memory of 3008	2612	328ebad3b9024940b56a758598dd9811_JaffaCakes118.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\328ebad3b9024940b56a758598dd9811_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\328ebad3b9024940b56a758598dd9811_JaffaCakes118.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2612

C:\ProgramData\Imagine\Piqqu.exe
C:\ProgramData\Imagine\Piqqu.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2236

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ProgramData\ipras.vbs"
2⤵
- Blocklisted process makes network request
PID:3008

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\6QgoHEYqwI\172773668.txt
Filesize
156B

MD5
b5089e0c5a3d5377e9bd19c0557ef04e

SHA1
9402e326be3d240e234c06892b15c24e93c93eb8

SHA256
d77789b2c49759c882f4fdd6f53e665b0d012f8f0949d0150eaba47fbf2a0eb5

SHA512
942349ccb99854f274ef1e20b623660588e15bd0d25bfc817fe9b2d010db656af340652e0e67b41edbf0cf259d55ab880d6b50acb1d7e8ab394f1393f7956c13

Download Submit
C:\ProgramData\6QgoHEYqwI\Files\Browsers\_FilePasswords.txt
Filesize
3B

MD5
ecaa88f7fa0bf610a5a26cf545dcd3aa

SHA1
57218c316b6921e2cd61027a2387edc31a2d9471

SHA256
f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5

SHA512
37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5

Download Submit
C:\ProgramData\6QgoHEYqwI\Files\_Info.txt
Filesize
7KB

MD5
0081f6df52ec17b52c0fb8448ce90c09

SHA1
54bb710085c31a0ca2bd391534a8815c034aa734

SHA256
9fcf3cd48dba20d83c444eb0066d9d81edc5dd3e0388611d23853b024bce6584

SHA512
4597783cf4eea0d8d7396b280f7c13249fb472cf32d54218ad21e4a5568d84a20ea9ce0f9f2506b701bd91708af82f3d4dc0a6251e08c2fc89295ef8ad871094

Download Submit
C:\ProgramData\6QgoHEYqwI\hcfB7jjRH5Yf.zip
Filesize
50KB

MD5
6cdf996c5403c37d354c7fe00c0f6881

SHA1
de59895043e7bf0600a24b7d020e8faf96177f05

SHA256
bdfd7ae33c5b791e8bf4626afe467d62d3d6effa4d6a1f4fa80236119caef3ac

SHA512
460e15d6196ca25a06ad314ca8a07d7c3afa640144b4cacd3dad0a0f59dd589779d09dd046c4a636fa6e5da5a586550802f0d5493085edf594d668534a9c9db3

Download Submit
C:\ProgramData\Imagine\Piqqu.exe
Filesize
2.2MB

MD5
f3717401099468a51ea49a7b2dda9011

SHA1
8a356d95eaf6a168890486d6061a231280eba547

SHA256
81db3923268165f06426206501bd2a243069c073b20bd197a7ae5641ad8f0873

SHA512
446690a2685317c052d8de8ec58fd392dca55c89c189d5c231e864b05f2adf58e1845ad063fce32072890857c42e58469051642ca7e900bf1e93b07c996bd03c

Download Submit
C:\ProgramData\ipras.vbs
Filesize
126B

MD5
c6362e3c5585f24a9e9a2712c00c52ff

SHA1
9259b9609313386f004328d2c306820eae01a587

SHA256
184ca5b2737175e0828f3546d483778c95e23720f1375deac0090c2fe415e208

SHA512
59ac94fdb6f41d6dc5cbea1855897759f35032ac922b936a0b39a21b6aafb0c862c5d419afa31c0b81f106f2ce06b2909cdb5fb713534fbe36202c5a4fedfeaa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1B1495DD322A24490E2BF2FAABAE1C61
Filesize
299B

MD5
5ae8478af8dd6eec7ad4edf162dd3df1

SHA1
55670b9fd39da59a9d7d0bb0aecb52324cbacc5a

SHA256
fe42ac92eae3b2850370b73c3691ccf394c23ab6133de39f1697a6ebac4bedca

SHA512
a5ed33ecec5eecf5437c14eba7c65c84b6f8b08a42df7f18c8123ee37f6743b0cf8116f4359efa82338b244b28938a6e0c8895fcd7f7563bf5777b7d8ee86296

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
db6bbb993920e59d8849df11641cc7ad

SHA1
9d6d6ebb034ef3a0c6a77284aaebbb8fbedee59d

SHA256
93776514ae6cf58f3c8fb01b0496044b43ff0a87fee5e1f6507c4d773e4c8f66

SHA512
a863af7e6ad7656e8bab583e6554a57d8895f7aac70db2f80a89c70402437dea63aef6e7613faec4f375ac6135712b926477af695ff5975a93439a6cc1ff366a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1495DD322A24490E2BF2FAABAE1C61
Filesize
192B

MD5
676be67347ee3f54925ce5f074c4ac23

SHA1
7fc94f687c9cbc5ed5a3d085605d5ab46881b058

SHA256
dd8266e299f6f765727f2270128d490d2b6e3792f0730570c32275b9e31dfb6a

SHA512
5ec93d47c9131fe969fe5e7942e2efb7e68db38d343b65bfdb1b5961aefd468008b4a6517cfe7b65df2bb042aae94a0166bebbf8b34e968aa217d3e7d4dec3d5

Download Submit
memory/2236-280-0x0000000000C40000-0x000000000118C000-memory.dmp

Filesize
5.3MB

Download
memory/2236-306-0x0000000000C40000-0x000000000118C000-memory.dmp

Filesize
5.3MB

Download
memory/2236-392-0x0000000000C40000-0x000000000118C000-memory.dmp

Filesize
5.3MB

Download
memory/2236-389-0x0000000000C40000-0x000000000118C000-memory.dmp

Filesize
5.3MB

Download
memory/2236-385-0x0000000000C40000-0x000000000118C000-memory.dmp

Filesize
5.3MB

Download
memory/2236-381-0x0000000000C40000-0x000000000118C000-memory.dmp

Filesize
5.3MB

Download
memory/2236-377-0x0000000000C40000-0x000000000118C000-memory.dmp

Filesize
5.3MB

Download
memory/2236-372-0x0000000000C40000-0x000000000118C000-memory.dmp

Filesize
5.3MB

Download
memory/2236-21-0x0000000000C40000-0x000000000118C000-memory.dmp

Filesize
5.3MB

Download
memory/2236-369-0x0000000000C40000-0x000000000118C000-memory.dmp

Filesize
5.3MB

Download
memory/2236-365-0x0000000000C40000-0x000000000118C000-memory.dmp

Filesize
5.3MB

Download
memory/2236-91-0x0000000000C41000-0x0000000000CA3000-memory.dmp

Filesize
392KB

Download
memory/2236-84-0x00000000055D0000-0x00000000055D1000-memory.dmp

Filesize
4KB

Download
memory/2236-83-0x0000000005630000-0x0000000005631000-memory.dmp

Filesize
4KB

Download
memory/2236-82-0x0000000005610000-0x0000000005611000-memory.dmp

Filesize
4KB

Download
memory/2236-139-0x0000000000C40000-0x000000000118C000-memory.dmp

Filesize
5.3MB

Download
memory/2236-144-0x0000000000C40000-0x000000000118C000-memory.dmp

Filesize
5.3MB

Download
memory/2236-145-0x0000000000C40000-0x000000000118C000-memory.dmp

Filesize
5.3MB

Download
memory/2236-361-0x0000000000C40000-0x000000000118C000-memory.dmp

Filesize
5.3MB

Download
memory/2236-150-0x0000000000C40000-0x000000000118C000-memory.dmp

Filesize
5.3MB

Download
memory/2236-357-0x0000000000C40000-0x000000000118C000-memory.dmp

Filesize
5.3MB

Download
memory/2236-353-0x0000000000C40000-0x000000000118C000-memory.dmp

Filesize
5.3MB

Download
memory/2236-350-0x0000000000C40000-0x000000000118C000-memory.dmp

Filesize
5.3MB

Download
memory/2236-348-0x0000000000C40000-0x000000000118C000-memory.dmp

Filesize
5.3MB

Download
memory/2236-347-0x0000000000C40000-0x000000000118C000-memory.dmp

Filesize
5.3MB

Download
memory/2236-344-0x0000000000C40000-0x000000000118C000-memory.dmp

Filesize
5.3MB

Download
memory/2612-8-0x0000000000401000-0x000000000045D000-memory.dmp

Filesize
368KB

Download
memory/2612-149-0x0000000000400000-0x0000000000B57000-memory.dmp

Filesize
7.3MB

Download
memory/2612-303-0x0000000000400000-0x0000000000B57000-memory.dmp

Filesize
7.3MB

Download
memory/2612-5-0x000000000A2A0000-0x000000000A2A1000-memory.dmp

Filesize
4KB

Download
memory/2612-6-0x000000000A2C0000-0x000000000A2C1000-memory.dmp

Filesize
4KB

Download
memory/2612-11-0x0000000000400000-0x0000000000B57000-memory.dmp

Filesize
7.3MB

Download
memory/2612-7-0x000000000A290000-0x000000000A291000-memory.dmp

Filesize
4KB

Download
memory/2612-302-0x0000000000400000-0x0000000000B57000-memory.dmp

Filesize
7.3MB

Download
memory/2612-1-0x0000000077BA4000-0x0000000077BA6000-memory.dmp

Filesize
8KB

Download
memory/2612-346-0x0000000000400000-0x0000000000B57000-memory.dmp

Filesize
7.3MB

Download
memory/2612-4-0x000000000A2E0000-0x000000000A2E1000-memory.dmp

Filesize
4KB

Download
memory/2612-0-0x0000000000400000-0x0000000000B57000-memory.dmp

Filesize
7.3MB

Download
memory/2612-278-0x0000000000400000-0x0000000000B57000-memory.dmp

Filesize
7.3MB

Download
memory/2612-352-0x0000000000400000-0x0000000000B57000-memory.dmp

Filesize
7.3MB

Download
memory/2612-3-0x000000000A230000-0x000000000A231000-memory.dmp

Filesize
4KB

Download
memory/2612-2-0x000000000A2B0000-0x000000000A2B1000-memory.dmp

Filesize
4KB

Download
memory/2612-356-0x0000000000400000-0x0000000000B57000-memory.dmp

Filesize
7.3MB

Download
memory/2612-305-0x0000000000400000-0x0000000000B57000-memory.dmp

Filesize
7.3MB

Download
memory/2612-360-0x0000000000400000-0x0000000000B57000-memory.dmp

Filesize
7.3MB

Download
memory/2612-363-0x0000000000400000-0x0000000000B57000-memory.dmp

Filesize
7.3MB

Download
memory/2612-60-0x0000000000400000-0x0000000000B57000-memory.dmp

Filesize
7.3MB

Download
memory/2612-367-0x0000000000400000-0x0000000000B57000-memory.dmp

Filesize
7.3MB

Download
memory/2612-9-0x0000000000400000-0x0000000000B57000-memory.dmp

Filesize
7.3MB

Download
memory/2612-20-0x0000000000400000-0x0000000000B57000-memory.dmp

Filesize
7.3MB

Download
memory/2612-371-0x0000000000400000-0x0000000000B57000-memory.dmp

Filesize
7.3MB

Download
memory/2612-376-0x0000000000400000-0x0000000000B57000-memory.dmp

Filesize
7.3MB

Download
memory/2612-10-0x0000000000400000-0x0000000000B57000-memory.dmp

Filesize
7.3MB

Download
memory/2612-15-0x0000000000400000-0x0000000000B57000-memory.dmp

Filesize
7.3MB

Download
memory/2612-380-0x0000000000400000-0x0000000000B57000-memory.dmp

Filesize
7.3MB

Download
memory/2612-384-0x0000000000400000-0x0000000000B57000-memory.dmp

Filesize
7.3MB

Download
memory/2612-14-0x0000000000400000-0x0000000000B57000-memory.dmp

Filesize
7.3MB

Download
memory/2612-387-0x0000000000400000-0x0000000000B57000-memory.dmp

Filesize
7.3MB

Download
memory/2612-13-0x0000000000400000-0x0000000000B57000-memory.dmp

Filesize
7.3MB

Download
memory/2612-391-0x0000000000400000-0x0000000000B57000-memory.dmp

Filesize
7.3MB

Download
memory/2612-12-0x0000000000400000-0x0000000000B57000-memory.dmp

Filesize
7.3MB

Download