cryptbot | 594d68c6b76ccac03aeec7e6c336f8abe3ce680c74c3f4eae350d2bcd3966c56

Analysis

max time kernel
146s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 15:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67b369f0a0ed76a6013bc9aeecdbae31_JaffaCakes118.exe
Size

2.0MB
MD5

67b369f0a0ed76a6013bc9aeecdbae31
SHA1

902a13d8565b3d47e14ee042474ae7589e5c67ea
SHA256

594d68c6b76ccac03aeec7e6c336f8abe3ce680c74c3f4eae350d2bcd3966c56
SHA512

956685aeb621c7671f219059bb54627d49e01f76b2badf39c214f1361c77002f38fb00d671029f701bcd8fb481a683581cd24eeccfc6e4f9ca57547a565980b9
SSDEEP

49152:ZzXxQzLE0M8C8pHs/XAvLX32Qfoh3tFNL2Ro6:Z7xQfplFvLXNfoJp6R

Score

10^/10

cryptbot discovery evasion spyware stealer

Malware Config

Extracted

Family

cryptbot

bibinene01.top

moraass05.top

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 18 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3672-6-0x0000000000480000-0x0000000000972000-memory.dmp	family_cryptbot
behavioral2/memory/3672-7-0x0000000000480000-0x0000000000972000-memory.dmp	family_cryptbot
behavioral2/memory/3672-222-0x0000000000480000-0x0000000000972000-memory.dmp	family_cryptbot
behavioral2/memory/3672-224-0x0000000000480000-0x0000000000972000-memory.dmp	family_cryptbot
behavioral2/memory/3672-225-0x0000000000480000-0x0000000000972000-memory.dmp	family_cryptbot
behavioral2/memory/3672-227-0x0000000000480000-0x0000000000972000-memory.dmp	family_cryptbot
behavioral2/memory/3672-229-0x0000000000480000-0x0000000000972000-memory.dmp	family_cryptbot
behavioral2/memory/3672-231-0x0000000000480000-0x0000000000972000-memory.dmp	family_cryptbot
behavioral2/memory/3672-234-0x0000000000480000-0x0000000000972000-memory.dmp	family_cryptbot
behavioral2/memory/3672-237-0x0000000000480000-0x0000000000972000-memory.dmp	family_cryptbot
behavioral2/memory/3672-240-0x0000000000480000-0x0000000000972000-memory.dmp	family_cryptbot
behavioral2/memory/3672-243-0x0000000000480000-0x0000000000972000-memory.dmp	family_cryptbot
behavioral2/memory/3672-245-0x0000000000480000-0x0000000000972000-memory.dmp	family_cryptbot
behavioral2/memory/3672-248-0x0000000000480000-0x0000000000972000-memory.dmp	family_cryptbot
behavioral2/memory/3672-251-0x0000000000480000-0x0000000000972000-memory.dmp	family_cryptbot
behavioral2/memory/3672-257-0x0000000000480000-0x0000000000972000-memory.dmp	family_cryptbot
behavioral2/memory/3672-259-0x0000000000480000-0x0000000000972000-memory.dmp	family_cryptbot
behavioral2/memory/3672-263-0x0000000000480000-0x0000000000972000-memory.dmp	family_cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

67b369f0a0ed76a6013bc9aeecdbae31_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 67b369f0a0ed76a6013bc9aeecdbae31_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	67b369f0a0ed76a6013bc9aeecdbae31_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

67b369f0a0ed76a6013bc9aeecdbae31_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	67b369f0a0ed76a6013bc9aeecdbae31_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	67b369f0a0ed76a6013bc9aeecdbae31_JaffaCakes118.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

67b369f0a0ed76a6013bc9aeecdbae31_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Wine 67b369f0a0ed76a6013bc9aeecdbae31_JaffaCakes118.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

67b369f0a0ed76a6013bc9aeecdbae31_JaffaCakes118.exe

pid process

3672 67b369f0a0ed76a6013bc9aeecdbae31_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Wine	67b369f0a0ed76a6013bc9aeecdbae31_JaffaCakes118.exe

pid	process
3672	67b369f0a0ed76a6013bc9aeecdbae31_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

67b369f0a0ed76a6013bc9aeecdbae31_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	67b369f0a0ed76a6013bc9aeecdbae31_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	67b369f0a0ed76a6013bc9aeecdbae31_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

67b369f0a0ed76a6013bc9aeecdbae31_JaffaCakes118.exe

pid process

3672 67b369f0a0ed76a6013bc9aeecdbae31_JaffaCakes118.exe
3672 67b369f0a0ed76a6013bc9aeecdbae31_JaffaCakes118.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

67b369f0a0ed76a6013bc9aeecdbae31_JaffaCakes118.exe

pid process

3672 67b369f0a0ed76a6013bc9aeecdbae31_JaffaCakes118.exe
3672 67b369f0a0ed76a6013bc9aeecdbae31_JaffaCakes118.exe

pid	process
3672	67b369f0a0ed76a6013bc9aeecdbae31_JaffaCakes118.exe
3672	67b369f0a0ed76a6013bc9aeecdbae31_JaffaCakes118.exe

pid	process
3672	67b369f0a0ed76a6013bc9aeecdbae31_JaffaCakes118.exe
3672	67b369f0a0ed76a6013bc9aeecdbae31_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\67b369f0a0ed76a6013bc9aeecdbae31_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\67b369f0a0ed76a6013bc9aeecdbae31_JaffaCakes118.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:3672

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ovW3RWtB0tXu\_Files\_Information.txt
Filesize
1KB

MD5
9462f9cca0d5e94e052a1b4d79509816

SHA1
6ae2ad1d923d226268e341d90bc4eb494a214b81

SHA256
7fdc5ca0fd7ef72aca4d37288d35dc349617eec4d6603ac553c8ed009bc561dc

SHA512
cb21974d919e3c4ceec313116edf1b477beb0705ace042f54dcd5b11fb4d1406d13fd3af2b4198ad96506a56cf1c5014734d9d90f0afe95d6b65d28d26ffa8f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ovW3RWtB0tXu\_Files\_Information.txt
Filesize
1KB

MD5
036ef8002314b71e6b37b39f13ccae25

SHA1
60371e0b2afc3650efccaccf1f8dc7592555d283

SHA256
d646dfb40f4bc40279ed9d732e7b0099f6763f55cd51de7df4fa5db0b985fc64

SHA512
620adbbcdc1e2a211f500b4e66ab4c62105f532f320c585a470e49bc629b6e8deb141e9c52dc64a1a9c422bd5d3c753fc634e18462db4d725112bda9c2fb24ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\ovW3RWtB0tXu\_Files\_Information.txt
Filesize
7KB

MD5
6daa5b83addc4c65dae13a10e87be6e2

SHA1
ff90a8dd341f3a487f250d3d9eff32e22bc25078

SHA256
4bb378ecfc749849035c6cc5d8166749cda337868f6e9450b04824b365ef7100

SHA512
06b80c94348602960899bf7a88af166a324aa48b622ec4a2358cdddd1d396311c2d80ccd07e4834bc3166e1b0fcb49446c6528249a226948b555b1607584fc2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ovW3RWtB0tXu\_Files\_Screen_Desktop.jpeg
Filesize
46KB

MD5
4b83cb065a17fbf08b8b73f0c5720536

SHA1
4c60543174ebcf4c3be61900390c5cc6cd56a078

SHA256
a8a3d7cb940ab19079730de22b712da4a389a3b9eda059c17cbc8845f796c8eb

SHA512
d9e6457be6ce97ad073c3768968bfdfe79f281c30f25cf1073d7996d7f33bcebab42972bf917323386e3b22f0c338c4fe6b8658456c1fdf96451e6de065a13b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ovW3RWtB0tXu\files_\system_info.txt
Filesize
2KB

MD5
9e66b35272066726d5a08d2fba802a64

SHA1
8dce1be2f59e1bfe529e489a71358ad75613da48

SHA256
46371781cc7f459059579b4397f041fecb5e63388236510c88dee9304a0e339a

SHA512
aaa58983d5126b68001875c142386c732153f404730a7bcfcc471097ad8c28cb13401871c0c4095b56ba56b1d4bba6d33ee7766bada617f7844bc24cff133775

Download Submit
C:\Users\Admin\AppData\Local\Temp\ovW3RWtB0tXu\files_\system_info.txt
Filesize
5KB

MD5
855ed2dd13c78e742bc0af7fe31f1d60

SHA1
81450b44448a5d6e4d4f5b7ae67c75ec2f0aa6f1

SHA256
927f225365af455226e9e7b9ffe1392f6a2ff491dc2651ee2b2b8ae566031e41

SHA512
eb154ac707f29427c6ea4c2b5449cb827d7c9af1f79469046820d0e389d2f61150079c2192fdc7d031b7ca17fcc1731c40b7dce901b0bbbf7ca784413cab36b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ovW3RWtB0tXu\fxtA3ry47Y6Ymd.zip
Filesize
40KB

MD5
3bff11f1c7934a593dcfe4e08ed7c536

SHA1
c1b1ee8578858291d062a900b99bf69a60bf0948

SHA256
b558d008fea7fd306795c6ab2394d5a1b93eb28af7b87b0c27d6210226e96639

SHA512
d01b1596de5ba72c6890efb2a72c654f22e0c4889bdf03492c4379f700524ef3e1db6618e1e5bec0ef79d78608c31a54471ba20bfad017714c307747a2a9ced2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ovW3RWtB0tXu\yhwUOym5d.zip
Filesize
40KB

MD5
85296e5eca65ca36e6e11142ac2a2686

SHA1
4bf4bb7bf54e5f797cff281c4e7f784b6a2e685f

SHA256
6069c053d2fa7ef4be9c9a70c97b746224798f83fdd7a4cd22eafba85d16b0ac

SHA512
d8ae8ddb76d1d592501175460a4c0cacb3165081d067897c12de3fa6c9dd9cc54d94cef27fcd631c65d8c5ef55996089cecab0a63767f26726a7c03058822e5c

Download Submit
memory/3672-225-0x0000000000480000-0x0000000000972000-memory.dmp

Filesize
4.9MB

Download
memory/3672-229-0x0000000000480000-0x0000000000972000-memory.dmp

Filesize
4.9MB

Download
memory/3672-6-0x0000000000480000-0x0000000000972000-memory.dmp

Filesize
4.9MB

Download
memory/3672-2-0x0000000004B80000-0x0000000004B81000-memory.dmp

Filesize
4KB

Download
memory/3672-5-0x0000000000481000-0x00000000004DC000-memory.dmp

Filesize
364KB

Download
memory/3672-3-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download
memory/3672-222-0x0000000000480000-0x0000000000972000-memory.dmp

Filesize
4.9MB

Download
memory/3672-224-0x0000000000480000-0x0000000000972000-memory.dmp

Filesize
4.9MB

Download
memory/3672-0-0x0000000000480000-0x0000000000972000-memory.dmp

Filesize
4.9MB

Download
memory/3672-4-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/3672-227-0x0000000000480000-0x0000000000972000-memory.dmp

Filesize
4.9MB

Download
memory/3672-7-0x0000000000480000-0x0000000000972000-memory.dmp

Filesize
4.9MB

Download
memory/3672-231-0x0000000000480000-0x0000000000972000-memory.dmp

Filesize
4.9MB

Download
memory/3672-234-0x0000000000480000-0x0000000000972000-memory.dmp

Filesize
4.9MB

Download
memory/3672-237-0x0000000000480000-0x0000000000972000-memory.dmp

Filesize
4.9MB

Download
memory/3672-240-0x0000000000480000-0x0000000000972000-memory.dmp

Filesize
4.9MB

Download
memory/3672-243-0x0000000000480000-0x0000000000972000-memory.dmp

Filesize
4.9MB

Download
memory/3672-245-0x0000000000480000-0x0000000000972000-memory.dmp

Filesize
4.9MB

Download
memory/3672-248-0x0000000000480000-0x0000000000972000-memory.dmp

Filesize
4.9MB

Download
memory/3672-251-0x0000000000480000-0x0000000000972000-memory.dmp

Filesize
4.9MB

Download
memory/3672-257-0x0000000000480000-0x0000000000972000-memory.dmp

Filesize
4.9MB

Download
memory/3672-259-0x0000000000480000-0x0000000000972000-memory.dmp

Filesize
4.9MB

Download
memory/3672-1-0x0000000077B34000-0x0000000077B36000-memory.dmp

Filesize
8KB

Download
memory/3672-263-0x0000000000480000-0x0000000000972000-memory.dmp

Filesize
4.9MB

Download