cryptbot | 1dd611fc80b9bbd697113ef3afe747edf5fe51e23b3c7407a29c65f753f1260d

Analysis

max time kernel
143s
max time network
145s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 13:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b16a229b3af43c100a1c8baae0b0d4f_JaffaCakes118.exe
Size

4.2MB
MD5

6b16a229b3af43c100a1c8baae0b0d4f
SHA1

bc8b107ca7db60e94a36fd01908a853292025a9c
SHA256

1dd611fc80b9bbd697113ef3afe747edf5fe51e23b3c7407a29c65f753f1260d
SHA512

6aa3aa03ed24d75ea2fbbd2c9e6ad785032d3d23ca450ff467b61e793ca46cd71594027f1b990471ddaa867e4822fd52d059eeb9d0d6f655baf7c7e2ff9f747e
SSDEEP

98304:G0YVc8p/kHGJq2fMZggNR97ORwF5mBvoN0VH9zZDHnvVoZ0ljqNRYx:G078pPq64RURwbvN8HV1HnvVoZ4CRYx

Score

10^/10

cryptbot discovery evasion spyware stealer

Malware Config

Extracted

Family

cryptbot

nkoopw03.top

moraass06.top

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 15 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2568-252-0x0000000001330000-0x0000000001848000-memory.dmp	family_cryptbot
behavioral1/memory/2568-257-0x0000000001330000-0x0000000001848000-memory.dmp	family_cryptbot
behavioral1/memory/2568-260-0x0000000001330000-0x0000000001848000-memory.dmp	family_cryptbot
behavioral1/memory/2568-262-0x0000000001330000-0x0000000001848000-memory.dmp	family_cryptbot
behavioral1/memory/2568-265-0x0000000001330000-0x0000000001848000-memory.dmp	family_cryptbot
behavioral1/memory/2568-267-0x0000000001330000-0x0000000001848000-memory.dmp	family_cryptbot
behavioral1/memory/2568-270-0x0000000001330000-0x0000000001848000-memory.dmp	family_cryptbot
behavioral1/memory/2568-272-0x0000000001330000-0x0000000001848000-memory.dmp	family_cryptbot
behavioral1/memory/2568-274-0x0000000001330000-0x0000000001848000-memory.dmp	family_cryptbot
behavioral1/memory/2568-276-0x0000000001330000-0x0000000001848000-memory.dmp	family_cryptbot
behavioral1/memory/2568-279-0x0000000001330000-0x0000000001848000-memory.dmp	family_cryptbot
behavioral1/memory/2568-281-0x0000000001330000-0x0000000001848000-memory.dmp	family_cryptbot
behavioral1/memory/2568-284-0x0000000001330000-0x0000000001848000-memory.dmp	family_cryptbot
behavioral1/memory/2568-286-0x0000000001330000-0x0000000001848000-memory.dmp	family_cryptbot
behavioral1/memory/2568-288-0x0000000001330000-0x0000000001848000-memory.dmp	family_cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

1.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 1.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

1.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 1.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 1.exe
Executes dropped EXE 1 IoCs

Processes:

1.exe

pid process

2568 1.exe
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

1.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Wine 1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1.exe

pid	process
2568	1.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Wine	1.exe

Loads dropped DLL 7 IoCs

Processes:

6b16a229b3af43c100a1c8baae0b0d4f_JaffaCakes118.exe1.exe

pid	process
2924	6b16a229b3af43c100a1c8baae0b0d4f_JaffaCakes118.exe
2924	6b16a229b3af43c100a1c8baae0b0d4f_JaffaCakes118.exe
2924	6b16a229b3af43c100a1c8baae0b0d4f_JaffaCakes118.exe
2924	6b16a229b3af43c100a1c8baae0b0d4f_JaffaCakes118.exe
2568	1.exe
2568	1.exe
2568	1.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

1.exe

pid process

2568 1.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2568	1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	1.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

1.exe

pid process

2568 1.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

1.exe

pid process

2568 1.exe
2568 1.exe

pid	process
2568	1.exe

pid	process
2568	1.exe
2568	1.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

6b16a229b3af43c100a1c8baae0b0d4f_JaffaCakes118.exe

description	pid	process	target process
PID 2924 wrote to memory of 2568	2924	6b16a229b3af43c100a1c8baae0b0d4f_JaffaCakes118.exe	1.exe
PID 2924 wrote to memory of 2568	2924	6b16a229b3af43c100a1c8baae0b0d4f_JaffaCakes118.exe	1.exe
PID 2924 wrote to memory of 2568	2924	6b16a229b3af43c100a1c8baae0b0d4f_JaffaCakes118.exe	1.exe
PID 2924 wrote to memory of 2568	2924	6b16a229b3af43c100a1c8baae0b0d4f_JaffaCakes118.exe	1.exe
PID 2924 wrote to memory of 2568	2924	6b16a229b3af43c100a1c8baae0b0d4f_JaffaCakes118.exe	1.exe
PID 2924 wrote to memory of 2568	2924	6b16a229b3af43c100a1c8baae0b0d4f_JaffaCakes118.exe	1.exe
PID 2924 wrote to memory of 2568	2924	6b16a229b3af43c100a1c8baae0b0d4f_JaffaCakes118.exe	1.exe

C:\Users\Admin\AppData\Local\Temp\6b16a229b3af43c100a1c8baae0b0d4f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6b16a229b3af43c100a1c8baae0b0d4f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2924

C:\Users\Admin\AppData\Local\Temp\sibF00.tmp\0\1.exe
"C:\Users\Admin\AppData\Local\Temp\sibF00.tmp\0\1.exe" /s
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2568

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\86le6zo\VrUlpGpmLAtz.zip
Filesize
37KB

MD5
c5b6bdf1f2bb13322aa89a93ca7364e0

SHA1
b2b943079eb98ef8a43765ba6747a3d56c131030

SHA256
f2c47c771b3469b1becd4cfe078073e539a4fbca2def2ed2727454b1ab847070

SHA512
66b47afa4a337c066e94511ee3db1b5ecb5b1fade418075184ab366f4391237ec5e6bb0dfb40a8982c5de04e8b630645e4a36b2ec82d15f07d7b80763e5007c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\86le6zo\_Files\_Information.txt
Filesize
4KB

MD5
0d2609ab06e9d7c35564ee41858e99fb

SHA1
24fffef81ec7c92c6a34364236a1dfd2e9fdf617

SHA256
081c56773d52c0a6a063e4affa32c5acfacfa97a2515257184337747f110fb68

SHA512
5a97ac231e464b78dca53882ffb2985533ad1ee7fd03f106d1b8218efd1898bdd7640cc80f7d12c53fac239d6c1791c310e3ef89775a22e43d632f77776d5ef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\86le6zo\_Files\_Screen_Desktop.jpeg
Filesize
44KB

MD5
f05f755c7109b95593711a5479264f00

SHA1
e91036752600619f16f78147c862b9ebed5cfc63

SHA256
a3a1d18dade50eee35c3aed2fe37cc94e3db7fae944b2a7f6473bfee353801fc

SHA512
eceae0f3be63c5a83e79e533b1391de6f820cb2a9a37843d7764498940c966f35d4efe176a8e3d1b5b7beaebc25ec7329d17f6188cb04893709610dfbfdefde6

Download Submit
C:\Users\Admin\AppData\Local\Temp\86le6zo\files_\system_info.txt
Filesize
8KB

MD5
d7703ad791220c156ea5ac8e03a308f1

SHA1
28810b4d2dd93c7fed0cc7b9c8b750b2e465d2ee

SHA256
834397c1b2ecab0b7f5839c33a4e94fb2a7572929d234894f4d34ae09cd2ac51

SHA512
2c98741ab4070bad1b861649e5c903dd541b6e1742900b091db261d5f61f09952ae59d0aa33dcd97b73a3a59c2c4cba92d3341ad68c4a7e6cde1cb01d40ad92d

Download Submit
\Users\Admin\AppData\Local\Temp\nstE63.tmp\Sibuia.dll
Filesize
524KB

MD5
6a3c3c97e92a5949f88311e80268bbb5

SHA1
48c11e3f694b468479bc2c978749d27b5d03faa2

SHA256
7938db73242aafbe80915e4ca886d38be9b7e872b93bdae1e8ee6cf4a005b7d9

SHA512
6141886a889825ccdfa59a419f7670a34ef240c4f90a83bc17223c415f2fbd983280e98e67485710e449746b5bf3284907537bef6ab698a48954dd4910ddf693

Download Submit
\Users\Admin\AppData\Local\Temp\sibF00.tmp\0\1.exe
Filesize
2.2MB

MD5
c14c9a4a5c513503819a11cd45990ffb

SHA1
8870d5367a74a28c3bb9cbf87f997dca97b011df

SHA256
d8422a39eda16826cbf159e7589605124c2f4b695354ccb9040f641aa0cd5e0f

SHA512
76019b6906b5f2fdbc25a514c7de099ddac3f88b8939e59fcc700ed880d9de522746ff4b09cfa18cb68a6257c2e8b390650037a7efd80dd5d6751a7b819e6e97

Download Submit
\Users\Admin\AppData\Local\Temp\sibF00.tmp\SibClr.dll
Filesize
51KB

MD5
5ea6d2ffeb1be3fc0571961d0c4c2b5f

SHA1
902dfe9ae735c83fb0cb46b3e110bbf2aa80209e

SHA256
508336b6a7c3226738e74f6ce969e828da904ad9f7610b9112f883a316ee9222

SHA512
e81657087f451a37f06a07bf84175117fdaf75d5d8b84cbdc49497fcf88f96e259074518ea3037680d27c9eaeebd7a8df496297593fead88d7edea202a572585

Download Submit
memory/2568-30-0x0000000000BA0000-0x00000000010B8000-memory.dmp

Filesize
5.1MB

Download
memory/2568-257-0x0000000001330000-0x0000000001848000-memory.dmp

Filesize
5.1MB

Download
memory/2568-288-0x0000000001330000-0x0000000001848000-memory.dmp

Filesize
5.1MB

Download
memory/2568-29-0x0000000001330000-0x0000000001848000-memory.dmp

Filesize
5.1MB

Download
memory/2568-32-0x0000000000BA0000-0x00000000010B8000-memory.dmp

Filesize
5.1MB

Download
memory/2568-31-0x0000000000BA0000-0x00000000010B8000-memory.dmp

Filesize
5.1MB

Download
memory/2568-33-0x00000000779D0000-0x00000000779D2000-memory.dmp

Filesize
8KB

Download
memory/2568-35-0x0000000001331000-0x000000000138C000-memory.dmp

Filesize
364KB

Download
memory/2568-34-0x0000000000F10000-0x0000000000F12000-memory.dmp

Filesize
8KB

Download
memory/2568-286-0x0000000001330000-0x0000000001848000-memory.dmp

Filesize
5.1MB

Download
memory/2568-284-0x0000000001330000-0x0000000001848000-memory.dmp

Filesize
5.1MB

Download
memory/2568-281-0x0000000001330000-0x0000000001848000-memory.dmp

Filesize
5.1MB

Download
memory/2568-252-0x0000000001330000-0x0000000001848000-memory.dmp

Filesize
5.1MB

Download
memory/2568-279-0x0000000001330000-0x0000000001848000-memory.dmp

Filesize
5.1MB

Download
memory/2568-276-0x0000000001330000-0x0000000001848000-memory.dmp

Filesize
5.1MB

Download
memory/2568-274-0x0000000001330000-0x0000000001848000-memory.dmp

Filesize
5.1MB

Download
memory/2568-258-0x0000000000BA0000-0x00000000010B8000-memory.dmp

Filesize
5.1MB

Download
memory/2568-272-0x0000000001330000-0x0000000001848000-memory.dmp

Filesize
5.1MB

Download
memory/2568-260-0x0000000001330000-0x0000000001848000-memory.dmp

Filesize
5.1MB

Download
memory/2568-270-0x0000000001330000-0x0000000001848000-memory.dmp

Filesize
5.1MB

Download
memory/2568-262-0x0000000001330000-0x0000000001848000-memory.dmp

Filesize
5.1MB

Download
memory/2568-265-0x0000000001330000-0x0000000001848000-memory.dmp

Filesize
5.1MB

Download
memory/2568-267-0x0000000001330000-0x0000000001848000-memory.dmp

Filesize
5.1MB

Download
memory/2924-10-0x000000007431E000-0x000000007431F000-memory.dmp

Filesize
4KB

Download
memory/2924-256-0x000000001D150000-0x000000001D668000-memory.dmp

Filesize
5.1MB

Download
memory/2924-28-0x000000001D150000-0x000000001D668000-memory.dmp

Filesize
5.1MB

Download
memory/2924-255-0x0000000074310000-0x00000000749FE000-memory.dmp

Filesize
6.9MB

Download
memory/2924-254-0x000000007431E000-0x000000007431F000-memory.dmp

Filesize
4KB

Download
memory/2924-14-0x00000000029A0000-0x00000000029B2000-memory.dmp

Filesize
72KB

Download
memory/2924-15-0x0000000011070000-0x000000001112A000-memory.dmp

Filesize
744KB

Download
memory/2924-18-0x0000000074310000-0x00000000749FE000-memory.dmp

Filesize
6.9MB

Download
memory/2924-24-0x0000000074310000-0x00000000749FE000-memory.dmp

Filesize
6.9MB

Download