cryptbot | 594d68c6b76ccac03aeec7e6c336f8abe3ce680c74c3f4eae350d2bcd3966c56

Analysis

max time kernel
143s
max time network
145s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 15:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67b369f0a0ed76a6013bc9aeecdbae31_JaffaCakes118.exe
Size

2.0MB
MD5

67b369f0a0ed76a6013bc9aeecdbae31
SHA1

902a13d8565b3d47e14ee042474ae7589e5c67ea
SHA256

594d68c6b76ccac03aeec7e6c336f8abe3ce680c74c3f4eae350d2bcd3966c56
SHA512

956685aeb621c7671f219059bb54627d49e01f76b2badf39c214f1361c77002f38fb00d671029f701bcd8fb481a683581cd24eeccfc6e4f9ca57547a565980b9
SSDEEP

49152:ZzXxQzLE0M8C8pHs/XAvLX32Qfoh3tFNL2Ro6:Z7xQfplFvLXNfoJp6R

Score

10^/10

cryptbot discovery evasion spyware stealer

Malware Config

Extracted

Family

cryptbot

bibinene01.top

moraass05.top

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 15 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2744-228-0x00000000008D0000-0x0000000000DC2000-memory.dmp	family_cryptbot
behavioral1/memory/2744-229-0x00000000008D0000-0x0000000000DC2000-memory.dmp	family_cryptbot
behavioral1/memory/2744-231-0x00000000008D0000-0x0000000000DC2000-memory.dmp	family_cryptbot
behavioral1/memory/2744-233-0x00000000008D0000-0x0000000000DC2000-memory.dmp	family_cryptbot
behavioral1/memory/2744-235-0x00000000008D0000-0x0000000000DC2000-memory.dmp	family_cryptbot
behavioral1/memory/2744-238-0x00000000008D0000-0x0000000000DC2000-memory.dmp	family_cryptbot
behavioral1/memory/2744-240-0x00000000008D0000-0x0000000000DC2000-memory.dmp	family_cryptbot
behavioral1/memory/2744-242-0x00000000008D0000-0x0000000000DC2000-memory.dmp	family_cryptbot
behavioral1/memory/2744-245-0x00000000008D0000-0x0000000000DC2000-memory.dmp	family_cryptbot
behavioral1/memory/2744-247-0x00000000008D0000-0x0000000000DC2000-memory.dmp	family_cryptbot
behavioral1/memory/2744-249-0x00000000008D0000-0x0000000000DC2000-memory.dmp	family_cryptbot
behavioral1/memory/2744-251-0x00000000008D0000-0x0000000000DC2000-memory.dmp	family_cryptbot
behavioral1/memory/2744-254-0x00000000008D0000-0x0000000000DC2000-memory.dmp	family_cryptbot
behavioral1/memory/2744-256-0x00000000008D0000-0x0000000000DC2000-memory.dmp	family_cryptbot
behavioral1/memory/2744-258-0x00000000008D0000-0x0000000000DC2000-memory.dmp	family_cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

67b369f0a0ed76a6013bc9aeecdbae31_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 67b369f0a0ed76a6013bc9aeecdbae31_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	67b369f0a0ed76a6013bc9aeecdbae31_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

67b369f0a0ed76a6013bc9aeecdbae31_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	67b369f0a0ed76a6013bc9aeecdbae31_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	67b369f0a0ed76a6013bc9aeecdbae31_JaffaCakes118.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

67b369f0a0ed76a6013bc9aeecdbae31_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Wine 67b369f0a0ed76a6013bc9aeecdbae31_JaffaCakes118.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

67b369f0a0ed76a6013bc9aeecdbae31_JaffaCakes118.exe

pid process

2744 67b369f0a0ed76a6013bc9aeecdbae31_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Wine	67b369f0a0ed76a6013bc9aeecdbae31_JaffaCakes118.exe

pid	process
2744	67b369f0a0ed76a6013bc9aeecdbae31_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

67b369f0a0ed76a6013bc9aeecdbae31_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	67b369f0a0ed76a6013bc9aeecdbae31_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	67b369f0a0ed76a6013bc9aeecdbae31_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

67b369f0a0ed76a6013bc9aeecdbae31_JaffaCakes118.exe

pid process

2744 67b369f0a0ed76a6013bc9aeecdbae31_JaffaCakes118.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

67b369f0a0ed76a6013bc9aeecdbae31_JaffaCakes118.exe

pid process

2744 67b369f0a0ed76a6013bc9aeecdbae31_JaffaCakes118.exe
2744 67b369f0a0ed76a6013bc9aeecdbae31_JaffaCakes118.exe

pid	process
2744	67b369f0a0ed76a6013bc9aeecdbae31_JaffaCakes118.exe

pid	process
2744	67b369f0a0ed76a6013bc9aeecdbae31_JaffaCakes118.exe
2744	67b369f0a0ed76a6013bc9aeecdbae31_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\67b369f0a0ed76a6013bc9aeecdbae31_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\67b369f0a0ed76a6013bc9aeecdbae31_JaffaCakes118.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2744

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ovW3RWtB0tXu\_Files\_Files\EditPush.txt
Filesize
571KB

MD5
151e620131047dbc62f1a7abf7e750ae

SHA1
ad0170a9f9b490d51d1bf615a9158ba10b1dade9

SHA256
b0b56d66e98f9314411a4e907897406cd3748b4ee0742c06d6d30fa3ab8cad3f

SHA512
d918828d2bc82db31c8abae9284602bebc17bae69828ea22dd45d70feafbc7f0a7729ac7cb5f760ff66cd20b7bf29fd6f63a97acdd97e5922acf0a272a0f9005

Download Submit
C:\Users\Admin\AppData\Local\Temp\ovW3RWtB0tXu\_Files\_Information.txt
Filesize
1KB

MD5
2f5e323e7f54a3e85bdf5ecf5aeaa209

SHA1
655097de121236e81d05298798466bcfee4a8514

SHA256
5d9f1a53137415656fddc0168c5e2b7595b5e66015056f4bcd38088a2f867cec

SHA512
6fd3b2d7f7e6973e128521f8f4c0ec5dc21bd228e082c9037cecb7569229f125b02978f6239828041f149120bd14fcf2b26f8939dd1cb31132bff681d28fa183

Download Submit
C:\Users\Admin\AppData\Local\Temp\ovW3RWtB0tXu\_Files\_Information.txt
Filesize
1KB

MD5
eff038147b457658d8675de379aa9781

SHA1
e3765f2e76a008d15521a96aea6c5f220d6896fb

SHA256
6e764d555c26cd071c09e74ac27923e49ec0b29333f7ac9f1ead14b5d73d92e9

SHA512
da3195d51522c0be9b661901e305aa68d1e289dbc16a5c9f86f69687fb7dc888dfa87dc1bf06b55dcd2491d5263bbed81e19cddf3ca3bac4681515a91c28cd15

Download Submit
C:\Users\Admin\AppData\Local\Temp\ovW3RWtB0tXu\_Files\_Information.txt
Filesize
3KB

MD5
270112df484101f1c26c24715180d61f

SHA1
0910ad6815a9fb92bf63c9d4b738c6a124ab1e46

SHA256
9e400f49bea319a23f438eccc7474395c062bd487fae83086cdaa490ff92201f

SHA512
1386a8f358548d6a90dac9d435779d95e35a4e2fc030f69503e4eafef30ce1f81e8f86400810c03a3c1fed6b591f703be54dd2965a928d3a710c061d3bd1d311

Download Submit
C:\Users\Admin\AppData\Local\Temp\ovW3RWtB0tXu\_Files\_Information.txt
Filesize
3KB

MD5
c75b3b50cbf596ffe89154a67dcf2055

SHA1
5d08cbe8ff9d8124792ea5d513b12748140066e3

SHA256
b99376f17e12a3954b85f99fb643c70459469d2026b891ee2f25e037da5d3f46

SHA512
53877cff3af6b111a17284d1cdbcc59ab2400e7a6fd359761d07956178c05c32b29102d84062d9cd1f700dabb62edd8e3fc2be701bbf9f398d384bfa16b5b92a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ovW3RWtB0tXu\_Files\_Information.txt
Filesize
4KB

MD5
15d6ef965f2c48f7f5549cc57224dbf7

SHA1
9d9ae36dfe9fa67d3d3b47deac08e5e8fa1ec553

SHA256
a1cf1483f4336dbab0fb3dc2d623507015da0abfa338b0c4e6a9bdb12166abe2

SHA512
5494281b59ad41ca0387a97462f8311fa5387c6be5ab38c52c68abfa143996f77ab20c618b7c0865151d3719fc06ce7b820182676c7ff3705ff512c0294da4a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ovW3RWtB0tXu\_Files\_Screen_Desktop.jpeg
Filesize
43KB

MD5
74deee2ee4330f1dc593114a16385a42

SHA1
a5d058d7564494148f54659241495d288453f559

SHA256
c46ad634674a47e9955b32ee207a9eefe1369852c5ff122c7c5399b658c9e18e

SHA512
4394d61f19a61e4e7edbeed97119d9ca3c299817531692f4fa3474c361ec3e1937299838166d1a57fc942a77af918838742cdc65622c83d9625c2e0c394a8eab

Download Submit
C:\Users\Admin\AppData\Local\Temp\ovW3RWtB0tXu\files_\system_info.txt
Filesize
834B

MD5
4a62394314483d47c4555b76bb75828e

SHA1
2d2088a3538552e5cf59b07fdec8b3b04908341e

SHA256
9c26239e0c0ab86a0d0a637f457c661e0f195cd43da389e05e41b4b6ca0bdd9a

SHA512
d47aa4a1836f5765d9cccd302dfa3f486a0522ac814c63e11e22aa126098a7396739cea9c394a691411f3e38b4f9547d942cb53874d2a2e626022ef698092898

Download Submit
C:\Users\Admin\AppData\Local\Temp\ovW3RWtB0tXu\files_\system_info.txt
Filesize
1KB

MD5
88b551f3209b2e060d5a2f274a4fd637

SHA1
2f725e29f6e03a6071f0c1978de19a1fb9d70892

SHA256
1ff783d0b8f80cd780533953171b2449a3bbd157ad0697b99bbe0d4c30c9e803

SHA512
8e10f396974749204107b325e2dcb5da1bdb448961176ec15b9b88fd80690ef7140c6471a99f80651280b1943d0bbaf013a8694c50f3bc60c276177dceb90268

Download Submit
C:\Users\Admin\AppData\Local\Temp\ovW3RWtB0tXu\files_\system_info.txt
Filesize
3KB

MD5
615f08e3389c8c1d84234b8a541115f4

SHA1
b3c5dfd9143812c4baed97d70d77e54f7fc75767

SHA256
9c7f382d44120be9d17a62c93750a8035e820e32d86eb10abe88efa2165ba702

SHA512
7316733c8cdb69cb785c1339d8aee0a7f1d255e2179f7a90b52746d689c85ea0e67ba37698eea59aadb7a81da097e56c8852b3b34b44dc220a1f23503a0e9be7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ovW3RWtB0tXu\files_\system_info.txt
Filesize
4KB

MD5
00517860f10d4a44c78025cf44e243ec

SHA1
ae35be7b60a0f5fea55502f7c79429b9bf31358b

SHA256
2f1ad9e8acc667aaf0ae2fe95f76faa25e5a4bfc7fda8cd912abd49b9da75f3b

SHA512
1208bfecac29bfb91e29f084b902808414d9a07a8780d5d851c8e128a24a81ec62921067a49657c1728fc44cab3d42c3ccdfc3f7e8fe15603d2a56d4c3f328cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ovW3RWtB0tXu\fxtA3ry47Y6Ymd.zip
Filesize
607KB

MD5
dbeeedaee6209d8466ac6e4b877aa2ba

SHA1
375df1e8ca4bf325b5708246ea6f0726b6372eb8

SHA256
af0906066a7f61544f990eae9024357ff84f5ebc97db1b3603e1a4c7a0df73b6

SHA512
bf79dfe93c3c56cfe14859299aabdd958353103cb26bd483b5cca536c26403806a1dc1ec5531573b7b6d8baefd2864ad7748b290b2b62361edfe7c497c2930cd

Download Submit
memory/2744-231-0x00000000008D0000-0x0000000000DC2000-memory.dmp

Filesize
4.9MB

Download
memory/2744-238-0x00000000008D0000-0x0000000000DC2000-memory.dmp

Filesize
4.9MB

Download
memory/2744-3-0x0000000077A20000-0x0000000077A22000-memory.dmp

Filesize
8KB

Download
memory/2744-1-0x00000000011C0000-0x00000000016B2000-memory.dmp

Filesize
4.9MB

Download
memory/2744-0-0x00000000008D0000-0x0000000000DC2000-memory.dmp

Filesize
4.9MB

Download
memory/2744-228-0x00000000008D0000-0x0000000000DC2000-memory.dmp

Filesize
4.9MB

Download
memory/2744-229-0x00000000008D0000-0x0000000000DC2000-memory.dmp

Filesize
4.9MB

Download
memory/2744-5-0x00000000008D1000-0x000000000092C000-memory.dmp

Filesize
364KB

Download
memory/2744-4-0x00000000008C0000-0x00000000008C2000-memory.dmp

Filesize
8KB

Download
memory/2744-233-0x00000000008D0000-0x0000000000DC2000-memory.dmp

Filesize
4.9MB

Download
memory/2744-235-0x00000000008D0000-0x0000000000DC2000-memory.dmp

Filesize
4.9MB

Download
memory/2744-2-0x00000000011C0000-0x00000000016B2000-memory.dmp

Filesize
4.9MB

Download
memory/2744-240-0x00000000008D0000-0x0000000000DC2000-memory.dmp

Filesize
4.9MB

Download
memory/2744-242-0x00000000008D0000-0x0000000000DC2000-memory.dmp

Filesize
4.9MB

Download
memory/2744-245-0x00000000008D0000-0x0000000000DC2000-memory.dmp

Filesize
4.9MB

Download
memory/2744-247-0x00000000008D0000-0x0000000000DC2000-memory.dmp

Filesize
4.9MB

Download
memory/2744-249-0x00000000008D0000-0x0000000000DC2000-memory.dmp

Filesize
4.9MB

Download
memory/2744-251-0x00000000008D0000-0x0000000000DC2000-memory.dmp

Filesize
4.9MB

Download
memory/2744-254-0x00000000008D0000-0x0000000000DC2000-memory.dmp

Filesize
4.9MB

Download
memory/2744-256-0x00000000008D0000-0x0000000000DC2000-memory.dmp

Filesize
4.9MB

Download
memory/2744-258-0x00000000008D0000-0x0000000000DC2000-memory.dmp

Filesize
4.9MB

Download