cryptbot | 1dd611fc80b9bbd697113ef3afe747edf5fe51e23b3c7407a29c65f753f1260d

Analysis

max time kernel
150s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 13:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b16a229b3af43c100a1c8baae0b0d4f_JaffaCakes118.exe
Size

4.2MB
MD5

6b16a229b3af43c100a1c8baae0b0d4f
SHA1

bc8b107ca7db60e94a36fd01908a853292025a9c
SHA256

1dd611fc80b9bbd697113ef3afe747edf5fe51e23b3c7407a29c65f753f1260d
SHA512

6aa3aa03ed24d75ea2fbbd2c9e6ad785032d3d23ca450ff467b61e793ca46cd71594027f1b990471ddaa867e4822fd52d059eeb9d0d6f655baf7c7e2ff9f747e
SSDEEP

98304:G0YVc8p/kHGJq2fMZggNR97ORwF5mBvoN0VH9zZDHnvVoZ0ljqNRYx:G078pPq64RURwbvN8HV1HnvVoZ4CRYx

Score

10^/10

cryptbot discovery evasion spyware stealer

Malware Config

Extracted

Family

cryptbot

nkoopw03.top

moraass06.top

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 19 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4948-30-0x0000000000C90000-0x00000000011A8000-memory.dmp	family_cryptbot
behavioral2/memory/4948-31-0x0000000000C90000-0x00000000011A8000-memory.dmp	family_cryptbot
behavioral2/memory/4948-246-0x0000000000C90000-0x00000000011A8000-memory.dmp	family_cryptbot
behavioral2/memory/4948-250-0x0000000000C90000-0x00000000011A8000-memory.dmp	family_cryptbot
behavioral2/memory/4948-252-0x0000000000C90000-0x00000000011A8000-memory.dmp	family_cryptbot
behavioral2/memory/4948-253-0x0000000000C90000-0x00000000011A8000-memory.dmp	family_cryptbot
behavioral2/memory/4948-255-0x0000000000C90000-0x00000000011A8000-memory.dmp	family_cryptbot
behavioral2/memory/4948-257-0x0000000000C90000-0x00000000011A8000-memory.dmp	family_cryptbot
behavioral2/memory/4948-260-0x0000000000C90000-0x00000000011A8000-memory.dmp	family_cryptbot
behavioral2/memory/4948-263-0x0000000000C90000-0x00000000011A8000-memory.dmp	family_cryptbot
behavioral2/memory/4948-266-0x0000000000C90000-0x00000000011A8000-memory.dmp	family_cryptbot
behavioral2/memory/4948-268-0x0000000000C90000-0x00000000011A8000-memory.dmp	family_cryptbot
behavioral2/memory/4948-271-0x0000000000C90000-0x00000000011A8000-memory.dmp	family_cryptbot
behavioral2/memory/4948-274-0x0000000000C90000-0x00000000011A8000-memory.dmp	family_cryptbot
behavioral2/memory/4948-276-0x0000000000C90000-0x00000000011A8000-memory.dmp	family_cryptbot
behavioral2/memory/4948-282-0x0000000000C90000-0x00000000011A8000-memory.dmp	family_cryptbot
behavioral2/memory/4948-284-0x0000000000C90000-0x00000000011A8000-memory.dmp	family_cryptbot
behavioral2/memory/4948-287-0x0000000000C90000-0x00000000011A8000-memory.dmp	family_cryptbot
behavioral2/memory/4948-290-0x0000000000C90000-0x00000000011A8000-memory.dmp	family_cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

1.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 1.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

1.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 1.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 1.exe
Executes dropped EXE 1 IoCs

Processes:

1.exe

pid process

4948 1.exe
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

1.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Wine 1.exe
Loads dropped DLL 3 IoCs

Processes:

6b16a229b3af43c100a1c8baae0b0d4f_JaffaCakes118.exe

pid process

2620 6b16a229b3af43c100a1c8baae0b0d4f_JaffaCakes118.exe
2620 6b16a229b3af43c100a1c8baae0b0d4f_JaffaCakes118.exe
2620 6b16a229b3af43c100a1c8baae0b0d4f_JaffaCakes118.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

1.exe

pid process

4948 1.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1.exe

pid	process
4948	1.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Wine	1.exe

pid	process
2620	6b16a229b3af43c100a1c8baae0b0d4f_JaffaCakes118.exe
2620	6b16a229b3af43c100a1c8baae0b0d4f_JaffaCakes118.exe
2620	6b16a229b3af43c100a1c8baae0b0d4f_JaffaCakes118.exe

pid	process
4948	1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	1.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

1.exe

pid process

4948 1.exe
4948 1.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

1.exe

pid process

4948 1.exe
4948 1.exe

pid	process
4948	1.exe
4948	1.exe

pid	process
4948	1.exe
4948	1.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

6b16a229b3af43c100a1c8baae0b0d4f_JaffaCakes118.exe

description	pid	process	target process
PID 2620 wrote to memory of 4948	2620	6b16a229b3af43c100a1c8baae0b0d4f_JaffaCakes118.exe	1.exe
PID 2620 wrote to memory of 4948	2620	6b16a229b3af43c100a1c8baae0b0d4f_JaffaCakes118.exe	1.exe
PID 2620 wrote to memory of 4948	2620	6b16a229b3af43c100a1c8baae0b0d4f_JaffaCakes118.exe	1.exe

C:\Users\Admin\AppData\Local\Temp\6b16a229b3af43c100a1c8baae0b0d4f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6b16a229b3af43c100a1c8baae0b0d4f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620

C:\Users\Admin\AppData\Local\Temp\sib4B63.tmp\0\1.exe
"C:\Users\Admin\AppData\Local\Temp\sib4B63.tmp\0\1.exe" /s
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:4948

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\86le6zo\FwNaistN.zip
Filesize
43KB

MD5
fb27f9e540f69e2db204e4f962773ddd

SHA1
8ef88ee850d2cc437fdcb1c644493c31a80b5e4d

SHA256
1de82330688f5fed4b0be1238dc630bfc791aab7f8347fcd3e87f58ad8bb5b44

SHA512
935c334f8c46975a9bd559cba5d1135d95e2a9cca12e8076afa0e18fe6778b40aeda62fccf49d075cc22186a301e209a46ab118b56f9f96fa1d7644da9467a80

Download Submit
C:\Users\Admin\AppData\Local\Temp\86le6zo\VrUlpGpmLAtz.zip
Filesize
43KB

MD5
18488e551e18555b17221b0d95140287

SHA1
8f4f914fe37a1ee85a2a7d4cdeec48ce3ebb6d20

SHA256
0a0097ab69b7792b5276050a745fd7d24c44fd23e9779ab96818ba8148bd2a57

SHA512
e9cb5e6ac1199dcda9dd598e31c5ec89232f5fdab26166246f15fac89f0fe6aa74e7aba759209533b61a0940efe4f322a1b87f88f2b7675af6eba3f1cb3144e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\86le6zo\_Files\_Information.txt
Filesize
4KB

MD5
c2c05e88a5de77bfcef2bceb38ef22ce

SHA1
08078214adcec0d03792aeb48e6be31f47a2ea1c

SHA256
c3536c2d07da54a7c7249b560861a9a474026c2784098232715fae0a65a6aaab

SHA512
a21668c0ed0addc4192c89d53c4ab85a0eb9b8bde7b113cba72b766725d780c8740cc26b528f8602f81c5e1c8bac1242ee2886ab643558fe9b84a7e1484b2193

Download Submit
C:\Users\Admin\AppData\Local\Temp\86le6zo\_Files\_Information.txt
Filesize
5KB

MD5
98be9d4e1041f2f7604219825b6b1b31

SHA1
9e38a0f5e97f42a380a4648dbef04139e4b34793

SHA256
ee49d8916332bcf9b8bc82eb0feaf40d7ed451dc8bd3d1ff1838277dea3d4e39

SHA512
c64450ce6a581cbdb490126195fd645d8d8de156d8fcf6d36c6bedecfca4b6c111888c6ec693f2be6c5ca63460810f8dd3f66dab33fa0f7d1f1ff0708a8e6bb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\86le6zo\_Files\_Screen_Desktop.jpeg
Filesize
49KB

MD5
0382f2ee284518aab63cb4d10beb9812

SHA1
50edf9709a598b0503bb71895b6bc0f8b3b29cbf

SHA256
66d444481b4529a64a012d5fbb9397efa74f961d10ce2f1e90a513fbc9ad0faf

SHA512
a2ef49d7e700548606a08dbd00dafb6450685152021ccb368f8a8b9edd45969780719bc2f29f556bd618c6e151a2c93f0c7313ec5ab401f2de8ace40d2e49052

Download Submit
C:\Users\Admin\AppData\Local\Temp\86le6zo\files_\system_info.txt
Filesize
684B

MD5
4a1a1c50f3a9e19605f72d54d96f5daf

SHA1
514fd05c6b4d0219dea27767ea8057fe6693e95c

SHA256
4aa8e7605aaa59dfd3ccd279c8e8292bb73ff6a8b7d2590aa6bde3744448b1b7

SHA512
653284c719906540a3d4a60ec9da0bdbe9feb673f30ca97762a910f0fc69fa0ea05e300c24b899a3fbbecd83a7e0a3242d6b2ce7a1ea009420fbd4082154f984

Download Submit
C:\Users\Admin\AppData\Local\Temp\86le6zo\files_\system_info.txt
Filesize
5KB

MD5
4671e0b7e04519fc0e9f2c0cba0a0fb6

SHA1
67021d529674990007f03325f34ec5a9c7744e46

SHA256
2ff2f0d9ed6998ac8c9d8a2558bfced4c89571c05a8d640a8ba6e7d53245a44b

SHA512
cba3707841c5da04dc7f008e4d56096b5613e8388d2672de9e4430072af70d7e6a957b400ad22876fe895f5cc55ff7cf7ba3e0dd16c5e3765f367c1dfc1dd7df

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg4AC5.tmp\Sibuia.dll
Filesize
524KB

MD5
6a3c3c97e92a5949f88311e80268bbb5

SHA1
48c11e3f694b468479bc2c978749d27b5d03faa2

SHA256
7938db73242aafbe80915e4ca886d38be9b7e872b93bdae1e8ee6cf4a005b7d9

SHA512
6141886a889825ccdfa59a419f7670a34ef240c4f90a83bc17223c415f2fbd983280e98e67485710e449746b5bf3284907537bef6ab698a48954dd4910ddf693

Download Submit
C:\Users\Admin\AppData\Local\Temp\sib4B63.tmp\0\1.exe
Filesize
2.2MB

MD5
c14c9a4a5c513503819a11cd45990ffb

SHA1
8870d5367a74a28c3bb9cbf87f997dca97b011df

SHA256
d8422a39eda16826cbf159e7589605124c2f4b695354ccb9040f641aa0cd5e0f

SHA512
76019b6906b5f2fdbc25a514c7de099ddac3f88b8939e59fcc700ed880d9de522746ff4b09cfa18cb68a6257c2e8b390650037a7efd80dd5d6751a7b819e6e97

Download Submit
C:\Users\Admin\AppData\Local\Temp\sib4B63.tmp\SibClr.dll
Filesize
51KB

MD5
5ea6d2ffeb1be3fc0571961d0c4c2b5f

SHA1
902dfe9ae735c83fb0cb46b3e110bbf2aa80209e

SHA256
508336b6a7c3226738e74f6ce969e828da904ad9f7610b9112f883a316ee9222

SHA512
e81657087f451a37f06a07bf84175117fdaf75d5d8b84cbdc49497fcf88f96e259074518ea3037680d27c9eaeebd7a8df496297593fead88d7edea202a572585

Download Submit
memory/2620-15-0x0000000010CB0000-0x0000000010D6A000-memory.dmp

Filesize
744KB

Download
memory/2620-248-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/2620-247-0x000000007464E000-0x000000007464F000-memory.dmp

Filesize
4KB

Download
memory/2620-19-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/2620-16-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/2620-14-0x0000000010C90000-0x0000000010CA2000-memory.dmp

Filesize
72KB

Download
memory/2620-10-0x000000007464E000-0x000000007464F000-memory.dmp

Filesize
4KB

Download
memory/4948-28-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/4948-257-0x0000000000C90000-0x00000000011A8000-memory.dmp

Filesize
5.1MB

Download
memory/4948-30-0x0000000000C90000-0x00000000011A8000-memory.dmp

Filesize
5.1MB

Download
memory/4948-29-0x0000000000C91000-0x0000000000CEC000-memory.dmp

Filesize
364KB

Download
memory/4948-25-0x00000000056C0000-0x00000000056C1000-memory.dmp

Filesize
4KB

Download
memory/4948-246-0x0000000000C90000-0x00000000011A8000-memory.dmp

Filesize
5.1MB

Download
memory/4948-26-0x00000000056D0000-0x00000000056D1000-memory.dmp

Filesize
4KB

Download
memory/4948-27-0x00000000056E0000-0x00000000056E1000-memory.dmp

Filesize
4KB

Download
memory/4948-250-0x0000000000C90000-0x00000000011A8000-memory.dmp

Filesize
5.1MB

Download
memory/4948-24-0x0000000077E64000-0x0000000077E66000-memory.dmp

Filesize
8KB

Download
memory/4948-252-0x0000000000C90000-0x00000000011A8000-memory.dmp

Filesize
5.1MB

Download
memory/4948-253-0x0000000000C90000-0x00000000011A8000-memory.dmp

Filesize
5.1MB

Download
memory/4948-255-0x0000000000C90000-0x00000000011A8000-memory.dmp

Filesize
5.1MB

Download
memory/4948-31-0x0000000000C90000-0x00000000011A8000-memory.dmp

Filesize
5.1MB

Download
memory/4948-260-0x0000000000C90000-0x00000000011A8000-memory.dmp

Filesize
5.1MB

Download
memory/4948-263-0x0000000000C90000-0x00000000011A8000-memory.dmp

Filesize
5.1MB

Download
memory/4948-266-0x0000000000C90000-0x00000000011A8000-memory.dmp

Filesize
5.1MB

Download
memory/4948-268-0x0000000000C90000-0x00000000011A8000-memory.dmp

Filesize
5.1MB

Download
memory/4948-271-0x0000000000C90000-0x00000000011A8000-memory.dmp

Filesize
5.1MB

Download
memory/4948-274-0x0000000000C90000-0x00000000011A8000-memory.dmp

Filesize
5.1MB

Download
memory/4948-276-0x0000000000C90000-0x00000000011A8000-memory.dmp

Filesize
5.1MB

Download
memory/4948-282-0x0000000000C90000-0x00000000011A8000-memory.dmp

Filesize
5.1MB

Download
memory/4948-284-0x0000000000C90000-0x00000000011A8000-memory.dmp

Filesize
5.1MB

Download
memory/4948-23-0x0000000000C90000-0x00000000011A8000-memory.dmp

Filesize
5.1MB

Download
memory/4948-287-0x0000000000C90000-0x00000000011A8000-memory.dmp

Filesize
5.1MB

Download
memory/4948-290-0x0000000000C90000-0x00000000011A8000-memory.dmp

Filesize
5.1MB

Download