cryptbot | b7da21f054890cf9ae78bfbe8b8ca38f295d6eb4d1544e2e0ea891a87d8b150a

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16-05-2024 05:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

498a7e8e52d0ff1d46fa1d637ea4b936_JaffaCakes118.exe
Size

2.1MB
MD5

498a7e8e52d0ff1d46fa1d637ea4b936
SHA1

87d4e01725044b284712911718dc45556eb68eab
SHA256

b7da21f054890cf9ae78bfbe8b8ca38f295d6eb4d1544e2e0ea891a87d8b150a
SHA512

2052e370bc56b284e53cfcd79dcff5cbeb420c561c2e0549dde2133d2a7a9adb54b8b0c9bfc4a00683e1057e6a1afe693cfe63550200181e0074295c6cffab14
SSDEEP

49152:hFGdMIU3Ww7VmaoR/rzPgi8GTNkpI1UCLjUkU6:VIU3h7VlcveGCoUCLNU

Score

10^/10

cryptbot discovery evasion spyware stealer

Malware Config

Extracted

Family

cryptbot

bibinene03.top

moraass05.top

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 19 IoCs

Processes:

resource	yara_rule
behavioral2/memory/920-6-0x0000000000C20000-0x0000000001123000-memory.dmp	family_cryptbot
behavioral2/memory/920-7-0x0000000000C20000-0x0000000001123000-memory.dmp	family_cryptbot
behavioral2/memory/920-82-0x0000000000C20000-0x0000000001123000-memory.dmp	family_cryptbot
behavioral2/memory/920-228-0x0000000000C20000-0x0000000001123000-memory.dmp	family_cryptbot
behavioral2/memory/920-230-0x0000000000C20000-0x0000000001123000-memory.dmp	family_cryptbot
behavioral2/memory/920-232-0x0000000000C20000-0x0000000001123000-memory.dmp	family_cryptbot
behavioral2/memory/920-234-0x0000000000C20000-0x0000000001123000-memory.dmp	family_cryptbot
behavioral2/memory/920-236-0x0000000000C20000-0x0000000001123000-memory.dmp	family_cryptbot
behavioral2/memory/920-239-0x0000000000C20000-0x0000000001123000-memory.dmp	family_cryptbot
behavioral2/memory/920-242-0x0000000000C20000-0x0000000001123000-memory.dmp	family_cryptbot
behavioral2/memory/920-246-0x0000000000C20000-0x0000000001123000-memory.dmp	family_cryptbot
behavioral2/memory/920-249-0x0000000000C20000-0x0000000001123000-memory.dmp	family_cryptbot
behavioral2/memory/920-252-0x0000000000C20000-0x0000000001123000-memory.dmp	family_cryptbot
behavioral2/memory/920-255-0x0000000000C20000-0x0000000001123000-memory.dmp	family_cryptbot
behavioral2/memory/920-257-0x0000000000C20000-0x0000000001123000-memory.dmp	family_cryptbot
behavioral2/memory/920-263-0x0000000000C20000-0x0000000001123000-memory.dmp	family_cryptbot
behavioral2/memory/920-267-0x0000000000C20000-0x0000000001123000-memory.dmp	family_cryptbot
behavioral2/memory/920-269-0x0000000000C20000-0x0000000001123000-memory.dmp	family_cryptbot
behavioral2/memory/920-272-0x0000000000C20000-0x0000000001123000-memory.dmp	family_cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

498a7e8e52d0ff1d46fa1d637ea4b936_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 498a7e8e52d0ff1d46fa1d637ea4b936_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	498a7e8e52d0ff1d46fa1d637ea4b936_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

498a7e8e52d0ff1d46fa1d637ea4b936_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	498a7e8e52d0ff1d46fa1d637ea4b936_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	498a7e8e52d0ff1d46fa1d637ea4b936_JaffaCakes118.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

498a7e8e52d0ff1d46fa1d637ea4b936_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Wine 498a7e8e52d0ff1d46fa1d637ea4b936_JaffaCakes118.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

498a7e8e52d0ff1d46fa1d637ea4b936_JaffaCakes118.exe

pid process

920 498a7e8e52d0ff1d46fa1d637ea4b936_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Wine	498a7e8e52d0ff1d46fa1d637ea4b936_JaffaCakes118.exe

pid	process
920	498a7e8e52d0ff1d46fa1d637ea4b936_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

498a7e8e52d0ff1d46fa1d637ea4b936_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	498a7e8e52d0ff1d46fa1d637ea4b936_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	498a7e8e52d0ff1d46fa1d637ea4b936_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

498a7e8e52d0ff1d46fa1d637ea4b936_JaffaCakes118.exe

pid process

920 498a7e8e52d0ff1d46fa1d637ea4b936_JaffaCakes118.exe
920 498a7e8e52d0ff1d46fa1d637ea4b936_JaffaCakes118.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

498a7e8e52d0ff1d46fa1d637ea4b936_JaffaCakes118.exe

pid process

920 498a7e8e52d0ff1d46fa1d637ea4b936_JaffaCakes118.exe
920 498a7e8e52d0ff1d46fa1d637ea4b936_JaffaCakes118.exe

pid	process
920	498a7e8e52d0ff1d46fa1d637ea4b936_JaffaCakes118.exe
920	498a7e8e52d0ff1d46fa1d637ea4b936_JaffaCakes118.exe

pid	process
920	498a7e8e52d0ff1d46fa1d637ea4b936_JaffaCakes118.exe
920	498a7e8e52d0ff1d46fa1d637ea4b936_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\498a7e8e52d0ff1d46fa1d637ea4b936_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\498a7e8e52d0ff1d46fa1d637ea4b936_JaffaCakes118.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:920

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\YizkxK021t\_Files\_Files\DisconnectResolve.txt
Filesize
211KB

MD5
a1a8bcec5d4d03ae98a092547a227e42

SHA1
ce7d9144290d66487d97e835974473f7adc16c3d

SHA256
d2d3aef4fdb44221b2a7aa7dab2e9a2821f1d0997f8394aca162e971f47fa185

SHA512
44ac6fc364bdcbe66655d74bdb3df15ec97da0c9371165f2c4f662e2f23d6955a8926468e0d6f330a37a23ba9f75aa2b1d89f604f06ff2313bbd0a2c4998af70

Download Submit
C:\Users\Admin\AppData\Local\Temp\YizkxK021t\_Files\_Information.txt
Filesize
5KB

MD5
e9cc17ab6ddaea059b9fd2e6e621ecb2

SHA1
2d6b8ccfd115f0d4ddb67a3b1a28f68ee870eb21

SHA256
b9b34efd167b2de9a8a204b67309e5701b43274092c53656203dc96bd68f93ed

SHA512
6718bf8c7cbd2a824a8540a3ed94ec7eb897b92fb2038774973f2cb1ef82ba2d45ba0b5604d3a45f7760eebbfe26510a847401c69863fb21f9a8a63a5f9bc7b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\YizkxK021t\_Files\_Screen_Desktop.jpeg
Filesize
49KB

MD5
fb45efb04346950cc2967bf2029037c1

SHA1
702612c3b2bea35c57e1217c0cc30ad02e41c814

SHA256
8e80ad90a92702dd53e3e4b8b4ea33b5f60f9ce6295f70933926975d9be84ada

SHA512
09bbbc932ca304c10762ce716db7f05c13d5770cd321dccb9a94b38a4bb11e1635b33ac8e4ea5957af8e205b138384ed465d8da044a77f9131164045dd593911

Download Submit
C:\Users\Admin\AppData\Local\Temp\YizkxK021t\files_\system_info.txt
Filesize
1KB

MD5
cf7ac40afde00cecdf97e373c357e572

SHA1
74668251a923884f20df870e684d28778db57b5d

SHA256
f2691a2ea2aeaf17fe4e683d43fe0a31078fa462773888edd97597b526a93cbc

SHA512
5c572a0a3a7be82a46c96392aea2a35ccb5e4153c3d6dfbe699521e969c357372129c2c3bff9d00cbfc1bd349f3c8f2ce31ed920f3aba570b8cb8e77d6c6d245

Download Submit
C:\Users\Admin\AppData\Local\Temp\YizkxK021t\files_\system_info.txt
Filesize
7KB

MD5
db25c571586330b24a33ac53a9bbeb24

SHA1
a1fa13f6775f8c2a3ff84a042400be63ec8c9c41

SHA256
dfa979fc251486c1fdfe87de1390014a65dc657f29242ef740bfff2eeed8462b

SHA512
8abcaa9a81a3eb0e908928fdfb7ad35749ed7e6760c515d3188ca4740c66c37e736aea03f9ea2c9c14a45b45d16634eab1217f8865d77789bf9370a011c78924

Download Submit
C:\Users\Admin\AppData\Local\Temp\YizkxK021t\ljh0g6xommEsh.zip
Filesize
255KB

MD5
056c543e55a79f98c71a294cd345eec2

SHA1
fbc8025b4cb902f5cac43943fea4c1103fd430e2

SHA256
63d34e55bcc67d77469018f5e106fefbac77c0c1f679d8a86cd53fee8cb1331a

SHA512
1ec50dd8794ce2a8389b20249feeb10a40f0016a250aef4383bfeac9e3a329cccab32bb5138f7a0129befcf32720afa81913c127427bd2b16caf6eea3a169c7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\YizkxK021t\xlhdpoVjdUAmx.zip
Filesize
255KB

MD5
bed82b124391ff445e1a5e9bb667961a

SHA1
57adb2172082b961680e306626ae21cb73cb5de5

SHA256
07a93e6dbd2e08032325401cd16f491892ed2ed72e293268db5a162822baf689

SHA512
770d6b6176d7de93a0ae12f963592cf187c7e2a4615fc127243a5e6ad8f591b3dc92f693246ed0268df14bb7f237ae7e1b4b30e178c4f32f5e4fba10ac13e547

Download Submit
memory/920-234-0x0000000000C20000-0x0000000001123000-memory.dmp

Filesize
5.0MB

Download
memory/920-2-0x0000000005610000-0x0000000005611000-memory.dmp

Filesize
4KB

Download
memory/920-236-0x0000000000C20000-0x0000000001123000-memory.dmp

Filesize
5.0MB

Download
memory/920-4-0x0000000005620000-0x0000000005621000-memory.dmp

Filesize
4KB

Download
memory/920-239-0x0000000000C20000-0x0000000001123000-memory.dmp

Filesize
5.0MB

Download
memory/920-3-0x0000000005630000-0x0000000005631000-memory.dmp

Filesize
4KB

Download
memory/920-1-0x0000000077154000-0x0000000077156000-memory.dmp

Filesize
8KB

Download
memory/920-242-0x0000000000C20000-0x0000000001123000-memory.dmp

Filesize
5.0MB

Download
memory/920-230-0x0000000000C20000-0x0000000001123000-memory.dmp

Filesize
5.0MB

Download
memory/920-0-0x0000000000C20000-0x0000000001123000-memory.dmp

Filesize
5.0MB

Download
memory/920-232-0x0000000000C20000-0x0000000001123000-memory.dmp

Filesize
5.0MB

Download
memory/920-6-0x0000000000C20000-0x0000000001123000-memory.dmp

Filesize
5.0MB

Download
memory/920-82-0x0000000000C20000-0x0000000001123000-memory.dmp

Filesize
5.0MB

Download
memory/920-5-0x0000000000C21000-0x0000000000C7C000-memory.dmp

Filesize
364KB

Download
memory/920-228-0x0000000000C20000-0x0000000001123000-memory.dmp

Filesize
5.0MB

Download
memory/920-246-0x0000000000C20000-0x0000000001123000-memory.dmp

Filesize
5.0MB

Download
memory/920-249-0x0000000000C20000-0x0000000001123000-memory.dmp

Filesize
5.0MB

Download
memory/920-252-0x0000000000C20000-0x0000000001123000-memory.dmp

Filesize
5.0MB

Download
memory/920-255-0x0000000000C20000-0x0000000001123000-memory.dmp

Filesize
5.0MB

Download
memory/920-257-0x0000000000C20000-0x0000000001123000-memory.dmp

Filesize
5.0MB

Download
memory/920-263-0x0000000000C20000-0x0000000001123000-memory.dmp

Filesize
5.0MB

Download
memory/920-7-0x0000000000C20000-0x0000000001123000-memory.dmp

Filesize
5.0MB

Download
memory/920-267-0x0000000000C20000-0x0000000001123000-memory.dmp

Filesize
5.0MB

Download
memory/920-269-0x0000000000C20000-0x0000000001123000-memory.dmp

Filesize
5.0MB

Download
memory/920-272-0x0000000000C20000-0x0000000001123000-memory.dmp

Filesize
5.0MB

Download