cryptbot | b7da21f054890cf9ae78bfbe8b8ca38f295d6eb4d1544e2e0ea891a87d8b150a

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
16-05-2024 05:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

498a7e8e52d0ff1d46fa1d637ea4b936_JaffaCakes118.exe
Size

2.1MB
MD5

498a7e8e52d0ff1d46fa1d637ea4b936
SHA1

87d4e01725044b284712911718dc45556eb68eab
SHA256

b7da21f054890cf9ae78bfbe8b8ca38f295d6eb4d1544e2e0ea891a87d8b150a
SHA512

2052e370bc56b284e53cfcd79dcff5cbeb420c561c2e0549dde2133d2a7a9adb54b8b0c9bfc4a00683e1057e6a1afe693cfe63550200181e0074295c6cffab14
SSDEEP

49152:hFGdMIU3Ww7VmaoR/rzPgi8GTNkpI1UCLjUkU6:VIU3h7VlcveGCoUCLNU

Score

10^/10

cryptbot discovery evasion spyware stealer

Malware Config

Extracted

Family

cryptbot

bibinene03.top

moraass05.top

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 22 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2116-8-0x0000000000B10000-0x0000000001013000-memory.dmp	family_cryptbot
behavioral1/memory/2116-9-0x0000000000B10000-0x0000000001013000-memory.dmp	family_cryptbot
behavioral1/memory/2116-118-0x0000000000B10000-0x0000000001013000-memory.dmp	family_cryptbot
behavioral1/memory/2116-227-0x0000000000B10000-0x0000000001013000-memory.dmp	family_cryptbot
behavioral1/memory/2116-229-0x0000000000B10000-0x0000000001013000-memory.dmp	family_cryptbot
behavioral1/memory/2116-230-0x0000000000B10000-0x0000000001013000-memory.dmp	family_cryptbot
behavioral1/memory/2116-232-0x0000000000B10000-0x0000000001013000-memory.dmp	family_cryptbot
behavioral1/memory/2116-233-0x0000000000B10000-0x0000000001013000-memory.dmp	family_cryptbot
behavioral1/memory/2116-234-0x0000000000B10000-0x0000000001013000-memory.dmp	family_cryptbot
behavioral1/memory/2116-236-0x0000000000B10000-0x0000000001013000-memory.dmp	family_cryptbot
behavioral1/memory/2116-237-0x0000000000B10000-0x0000000001013000-memory.dmp	family_cryptbot
behavioral1/memory/2116-240-0x0000000000B10000-0x0000000001013000-memory.dmp	family_cryptbot
behavioral1/memory/2116-242-0x0000000000B10000-0x0000000001013000-memory.dmp	family_cryptbot
behavioral1/memory/2116-245-0x0000000000B10000-0x0000000001013000-memory.dmp	family_cryptbot
behavioral1/memory/2116-247-0x0000000000B10000-0x0000000001013000-memory.dmp	family_cryptbot
behavioral1/memory/2116-249-0x0000000000B10000-0x0000000001013000-memory.dmp	family_cryptbot
behavioral1/memory/2116-251-0x0000000000B10000-0x0000000001013000-memory.dmp	family_cryptbot
behavioral1/memory/2116-254-0x0000000000B10000-0x0000000001013000-memory.dmp	family_cryptbot
behavioral1/memory/2116-256-0x0000000000B10000-0x0000000001013000-memory.dmp	family_cryptbot
behavioral1/memory/2116-258-0x0000000000B10000-0x0000000001013000-memory.dmp	family_cryptbot
behavioral1/memory/2116-260-0x0000000000B10000-0x0000000001013000-memory.dmp	family_cryptbot
behavioral1/memory/2116-263-0x0000000000B10000-0x0000000001013000-memory.dmp	family_cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

498a7e8e52d0ff1d46fa1d637ea4b936_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 498a7e8e52d0ff1d46fa1d637ea4b936_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	498a7e8e52d0ff1d46fa1d637ea4b936_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

498a7e8e52d0ff1d46fa1d637ea4b936_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	498a7e8e52d0ff1d46fa1d637ea4b936_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	498a7e8e52d0ff1d46fa1d637ea4b936_JaffaCakes118.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

498a7e8e52d0ff1d46fa1d637ea4b936_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Wine 498a7e8e52d0ff1d46fa1d637ea4b936_JaffaCakes118.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

498a7e8e52d0ff1d46fa1d637ea4b936_JaffaCakes118.exe

pid process

2116 498a7e8e52d0ff1d46fa1d637ea4b936_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Wine	498a7e8e52d0ff1d46fa1d637ea4b936_JaffaCakes118.exe

pid	process
2116	498a7e8e52d0ff1d46fa1d637ea4b936_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

498a7e8e52d0ff1d46fa1d637ea4b936_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	498a7e8e52d0ff1d46fa1d637ea4b936_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	498a7e8e52d0ff1d46fa1d637ea4b936_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

498a7e8e52d0ff1d46fa1d637ea4b936_JaffaCakes118.exe

pid process

2116 498a7e8e52d0ff1d46fa1d637ea4b936_JaffaCakes118.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

498a7e8e52d0ff1d46fa1d637ea4b936_JaffaCakes118.exe

pid process

2116 498a7e8e52d0ff1d46fa1d637ea4b936_JaffaCakes118.exe
2116 498a7e8e52d0ff1d46fa1d637ea4b936_JaffaCakes118.exe

pid	process
2116	498a7e8e52d0ff1d46fa1d637ea4b936_JaffaCakes118.exe

pid	process
2116	498a7e8e52d0ff1d46fa1d637ea4b936_JaffaCakes118.exe
2116	498a7e8e52d0ff1d46fa1d637ea4b936_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\498a7e8e52d0ff1d46fa1d637ea4b936_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\498a7e8e52d0ff1d46fa1d637ea4b936_JaffaCakes118.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2116

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lurALjZ\_Files\_Information.txt
Filesize
562B

MD5
5b1a9f2ca05b1022b0d61b4530238844

SHA1
35b6d6dd38e7544cccc1c11279f00fcb5e8ad114

SHA256
2d1fb2f371ffbffab5f7614e9fa36a38d0bc335b068c4b6b1ea62410ed0aa0d3

SHA512
8852c5c7743ae84b00ab1d704e914e0bfef36e8c58352c4d7fb501efa46e36623ece691c6978915c1b4af88bee3dbe1ad33220ef135b8dbcfb6d905ef1f0a25c

Download Submit
C:\Users\Admin\AppData\Local\Temp\lurALjZ\_Files\_Information.txt
Filesize
8KB

MD5
22f33cf837d7d1ddab53074c7109e677

SHA1
06ff5a35908bee0a631d4bed8b4df031d6a0daef

SHA256
e83e063113b3e4a87a186b2e354eef28132173610d2f49076cb679945170612e

SHA512
3b7f33c0b92b6c641cefb1f32ec0702fdf1c6c713092b3059648f2a6173e4d01a730057f1f2cf76d04f907107e34637e3c6594b9317db10e22669481657b3dea

Download Submit
C:\Users\Admin\AppData\Local\Temp\lurALjZ\_Files\_Screen_Desktop.jpeg
Filesize
45KB

MD5
0e075967009eda30f2e82ea223c3e6f3

SHA1
07b6a86891d4aeb3401b47035c12d94cf0219d40

SHA256
c71448bedf94f3fa661d618852dee18c1df36a35d1e58a978a1cfff7a0b2c46e

SHA512
008825a5092c63cc4423f81015b8ea2aeef70d99d41c3074d95b538d77496b35d4b0b0a3cb0c8c9e34dbe1e7593ae59f72dcdb39117a8b815ff544dc8cb574e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\lurALjZ\files_\system_info.txt
Filesize
8KB

MD5
89e4f7b7d7cb9a4c705f3061a29c22c9

SHA1
637c8fc1cee7758ddc3aa016a11acf091a4323e7

SHA256
2eeb6a1a2e6ac52f357f1841070c557b71f3499060172868a65eed12d204b795

SHA512
ff0d33db6a6a8f3776d167e1ceb64f7ce636e3f2e66eba718d7f29d9c12a093b7450fcc3384fcdc408422f838d1443a67613213c8de58eef87c285e2774f00b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\lurALjZ\rvcM68hbliSV.zip
Filesize
38KB

MD5
2e22a0a8b8db2a3e72f8d3410b7d9209

SHA1
b750a789337753289f2764c57d595da735ebc46b

SHA256
f523cccb7d66a791f02bb6b9934351b16ba73534b77fe19e8593db19b21d168b

SHA512
3bf2c2c085ea976826e5432db197a28879813048a781bcb661d8e41cc6a6581a97951055e460665eed891df4060c1e2d220eca7670f16fcb70fcbd736e8e7a98

Download Submit
memory/2116-229-0x0000000000B10000-0x0000000001013000-memory.dmp

Filesize
5.0MB

Download
memory/2116-234-0x0000000000B10000-0x0000000001013000-memory.dmp

Filesize
5.0MB

Download
memory/2116-7-0x0000000000B11000-0x0000000000B6C000-memory.dmp

Filesize
364KB

Download
memory/2116-8-0x0000000000B10000-0x0000000001013000-memory.dmp

Filesize
5.0MB

Download
memory/2116-9-0x0000000000B10000-0x0000000001013000-memory.dmp

Filesize
5.0MB

Download
memory/2116-5-0x0000000002930000-0x0000000002931000-memory.dmp

Filesize
4KB

Download
memory/2116-3-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/2116-118-0x0000000000B10000-0x0000000001013000-memory.dmp

Filesize
5.0MB

Download
memory/2116-4-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/2116-2-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/2116-227-0x0000000000B10000-0x0000000001013000-memory.dmp

Filesize
5.0MB

Download
memory/2116-0-0x0000000000B10000-0x0000000001013000-memory.dmp

Filesize
5.0MB

Download
memory/2116-230-0x0000000000B10000-0x0000000001013000-memory.dmp

Filesize
5.0MB

Download
memory/2116-232-0x0000000000B10000-0x0000000001013000-memory.dmp

Filesize
5.0MB

Download
memory/2116-233-0x0000000000B10000-0x0000000001013000-memory.dmp

Filesize
5.0MB

Download
memory/2116-6-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/2116-1-0x0000000077200000-0x0000000077202000-memory.dmp

Filesize
8KB

Download
memory/2116-236-0x0000000000B10000-0x0000000001013000-memory.dmp

Filesize
5.0MB

Download
memory/2116-237-0x0000000000B10000-0x0000000001013000-memory.dmp

Filesize
5.0MB

Download
memory/2116-240-0x0000000000B10000-0x0000000001013000-memory.dmp

Filesize
5.0MB

Download
memory/2116-242-0x0000000000B10000-0x0000000001013000-memory.dmp

Filesize
5.0MB

Download
memory/2116-245-0x0000000000B10000-0x0000000001013000-memory.dmp

Filesize
5.0MB

Download
memory/2116-247-0x0000000000B10000-0x0000000001013000-memory.dmp

Filesize
5.0MB

Download
memory/2116-249-0x0000000000B10000-0x0000000001013000-memory.dmp

Filesize
5.0MB

Download
memory/2116-251-0x0000000000B10000-0x0000000001013000-memory.dmp

Filesize
5.0MB

Download
memory/2116-254-0x0000000000B10000-0x0000000001013000-memory.dmp

Filesize
5.0MB

Download
memory/2116-256-0x0000000000B10000-0x0000000001013000-memory.dmp

Filesize
5.0MB

Download
memory/2116-258-0x0000000000B10000-0x0000000001013000-memory.dmp

Filesize
5.0MB

Download
memory/2116-260-0x0000000000B10000-0x0000000001013000-memory.dmp

Filesize
5.0MB

Download
memory/2116-263-0x0000000000B10000-0x0000000001013000-memory.dmp

Filesize
5.0MB

Download