cryptbot | f05dc2ebf5bebbe40f1698489b873adcbefa41c98afe544fa04fd1ded91c9189

Analysis

max time kernel
145s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2024 13:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.exe
Size

2.2MB
MD5

41af7998ebb519e0a0ca9635a865be5d
SHA1

68a7613a8d4483efb67f3794c245420e0daf2f95
SHA256

f05dc2ebf5bebbe40f1698489b873adcbefa41c98afe544fa04fd1ded91c9189
SHA512

31af03c31f0568ae57aab30c3d320a5505f3106ffd02c19b9bb5c740f76af332b27d929fca715029bfd49f2a0f404643616f0f88ab4f115693949688112ac5bb
SSDEEP

49152:OULOXCsxeOrcY1kC2Palwy7FoSzWXxplecp6Qqst5J:hqyszw0kC2zyFkX4cp6ct3

Score

10^/10

cryptbot discovery evasion spyware stealer

Malware Config

Extracted

Family

cryptbot

cede04.info

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation 41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.exe
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Wine 41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.exe

pid process

2064 41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Wine	41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.exe

flow	ioc
7	ip-api.com

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

5056 timeout.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.exe

pid process

2064 41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.exe
2064 41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.exe

pid	process
5056	timeout.exe

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.exe

pid	process
2064	41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.exe
2064	41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.exe
2064	41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.exe
2064	41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.exe
2064	41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.exe
2064	41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.exe
2064	41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.exe
2064	41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.exe
2064	41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.exe
2064	41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.exe
2064	41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.exe
2064	41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.execmd.exe

description	pid	process	target process
PID 2064 wrote to memory of 404	2064	41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.exe	cmd.exe
PID 2064 wrote to memory of 404	2064	41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.exe	cmd.exe
PID 2064 wrote to memory of 404	2064	41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.exe	cmd.exe
PID 404 wrote to memory of 5056	404	cmd.exe	timeout.exe
PID 404 wrote to memory of 5056	404	cmd.exe	timeout.exe
PID 404 wrote to memory of 5056	404	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2064

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\WBY65aI4SgZ & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\41af7998ebb519e0a0ca9635a865be5d_JaffaCakes118.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:404

C:\Windows\SysWOW64\timeout.exe
timeout 2
3⤵
- Delays execution with timeout.exe
PID:5056

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WBY65aI4SgZ\47283761.txt
Filesize
156B

MD5
b5089e0c5a3d5377e9bd19c0557ef04e

SHA1
9402e326be3d240e234c06892b15c24e93c93eb8

SHA256
d77789b2c49759c882f4fdd6f53e665b0d012f8f0949d0150eaba47fbf2a0eb5

SHA512
942349ccb99854f274ef1e20b623660588e15bd0d25bfc817fe9b2d010db656af340652e0e67b41edbf0cf259d55ab880d6b50acb1d7e8ab394f1393f7956c13

Download Submit
C:\ProgramData\WBY65aI4SgZ\Files\_Info.txt
Filesize
8KB

MD5
bd4b1bb17032dd8057d39bd7b2b4fe0f

SHA1
f96961df0eee3798c7193c45588c097865663ca9

SHA256
14511422960efadd68daddc4ee5fbe0970dc416d85150df8c5669a18e5a023f6

SHA512
3cf9bf70ad83ed7c32cb98d2eabb8a5e7b16617759ee397f7218ff1bebaf2ba4ba5e4708c0f82d84c707bdb25bc4c003b02ffc9db6a9dc2d061cfce0c4f463df

Download Submit
C:\ProgramData\WBY65aI4SgZ\Files\_Screen.jpg
Filesize
49KB

MD5
dc204352a46ce5be39ac23b2935cf278

SHA1
7522c6ecb18f4562d252beea87bb0e2543eff310

SHA256
1004fdbd84d6d5fb9b7190fcd719de63886395d08c835a7d47381a61084ca1d1

SHA512
452ce1aab40fc8b34ec0feb60a0d7e0ce2508be553b89f2fe98287c11c951b2fd1e6f551528440e49b587ce5caaa5109ff25282d419050bbe73ad9555b6a758a

Download Submit
C:\ProgramData\WBY65aI4SgZ\MOZ_CO~1.DB
Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\ProgramData\WBY65aI4SgZ\kkAgwPhukIfNwhq.zip
Filesize
44KB

MD5
8a090084f25e06b71123e65ca16dfe46

SHA1
357955674ab7d42270c360bad8c1006e540bfd10

SHA256
a26832249643499e3a14cb5c68adf391ea11c9d301f537919fd4c8514af0bdfe

SHA512
7c7a60dcd170dd9d38530af409980932c4b8a22798162f5658ee128ade7f66190657d2bec0dbd0ec3d1c62cab61c32b50c1ac9a567e891b1788733a86142a06e

Download Submit
memory/2064-156-0x00000000009A0000-0x0000000000EBB000-memory.dmp

Filesize
5.1MB

Download
memory/2064-164-0x00000000009A0000-0x0000000000EBB000-memory.dmp

Filesize
5.1MB

Download
memory/2064-16-0x00000000009A0000-0x0000000000EBB000-memory.dmp

Filesize
5.1MB

Download
memory/2064-17-0x00000000009A0000-0x0000000000EBB000-memory.dmp

Filesize
5.1MB

Download
memory/2064-20-0x00000000009A0000-0x0000000000EBB000-memory.dmp

Filesize
5.1MB

Download
memory/2064-10-0x00000000053E0000-0x00000000053E1000-memory.dmp

Filesize
4KB

Download
memory/2064-11-0x0000000005400000-0x0000000005401000-memory.dmp

Filesize
4KB

Download
memory/2064-145-0x00000000009A0000-0x0000000000EBB000-memory.dmp

Filesize
5.1MB

Download
memory/2064-152-0x00000000009A0000-0x0000000000EBB000-memory.dmp

Filesize
5.1MB

Download
memory/2064-154-0x00000000009A0000-0x0000000000EBB000-memory.dmp

Filesize
5.1MB

Download
memory/2064-12-0x00000000053A0000-0x00000000053A1000-memory.dmp

Filesize
4KB

Download
memory/2064-0-0x00000000009A0000-0x0000000000EBB000-memory.dmp

Filesize
5.1MB

Download
memory/2064-157-0x00000000009A0000-0x0000000000EBB000-memory.dmp

Filesize
5.1MB

Download
memory/2064-159-0x00000000009A0000-0x0000000000EBB000-memory.dmp

Filesize
5.1MB

Download
memory/2064-161-0x00000000009A0000-0x0000000000EBB000-memory.dmp

Filesize
5.1MB

Download
memory/2064-9-0x00000000053D0000-0x00000000053D1000-memory.dmp

Filesize
4KB

Download
memory/2064-166-0x00000000009A0000-0x0000000000EBB000-memory.dmp

Filesize
5.1MB

Download
memory/2064-169-0x00000000009A0000-0x0000000000EBB000-memory.dmp

Filesize
5.1MB

Download
memory/2064-172-0x00000000009A0000-0x0000000000EBB000-memory.dmp

Filesize
5.1MB

Download
memory/2064-175-0x00000000009A0000-0x0000000000EBB000-memory.dmp

Filesize
5.1MB

Download
memory/2064-179-0x00000000009A0000-0x0000000000EBB000-memory.dmp

Filesize
5.1MB

Download
memory/2064-182-0x00000000009A0000-0x0000000000EBB000-memory.dmp

Filesize
5.1MB

Download
memory/2064-184-0x00000000009A0000-0x0000000000EBB000-memory.dmp

Filesize
5.1MB

Download
memory/2064-187-0x00000000009A0000-0x0000000000EBB000-memory.dmp

Filesize
5.1MB

Download
memory/2064-190-0x00000000009A0000-0x0000000000EBB000-memory.dmp

Filesize
5.1MB

Download
memory/2064-193-0x00000000009A0000-0x0000000000EBB000-memory.dmp

Filesize
5.1MB

Download
memory/2064-194-0x00000000009A0000-0x0000000000EBB000-memory.dmp

Filesize
5.1MB

Download
memory/2064-13-0x00000000009A1000-0x0000000000A00000-memory.dmp

Filesize
380KB

Download
memory/2064-1-0x0000000077794000-0x0000000077796000-memory.dmp

Filesize
8KB

Download