cryptbot | 72454e25fcf6428797f032ba6e5ab9a2c4a49c33fd3f353ce15b6c87979f4b54

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 21:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6febfef814559223cecd46a376011b9a_JaffaCakes118.exe
Size

2.1MB
MD5

6febfef814559223cecd46a376011b9a
SHA1

c1cbd367b8859834e56baecbb4adae006de66852
SHA256

72454e25fcf6428797f032ba6e5ab9a2c4a49c33fd3f353ce15b6c87979f4b54
SHA512

be52e9fed62afb08753c0af6513a3d0196c3ab519082bbf09973c3f5dd47da9978a24c39b09552684b443d76248e358d8053ea53b85036c009d26ccdd2c242b3
SSDEEP

49152:6MPAcFI+Oa9vb9cCp0RUFE9y6cthn/2mO7Vy/R5nsQ:6MPAcFI5+vb9cCQevhn5+Vy/Rt

Score

10^/10

cryptbot discovery evasion spyware stealer

Malware Config

Extracted

Family

cryptbot

bibinene01.top

moraass05.top

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2132-9-0x00000000001D0000-0x00000000006E6000-memory.dmp	family_cryptbot
behavioral1/memory/2132-10-0x00000000001D0000-0x00000000006E6000-memory.dmp	family_cryptbot
behavioral1/memory/2132-119-0x00000000001D0000-0x00000000006E6000-memory.dmp	family_cryptbot
behavioral1/memory/2132-228-0x00000000001D0000-0x00000000006E6000-memory.dmp	family_cryptbot
behavioral1/memory/2132-230-0x00000000001D0000-0x00000000006E6000-memory.dmp	family_cryptbot
behavioral1/memory/2132-232-0x00000000001D0000-0x00000000006E6000-memory.dmp	family_cryptbot
behavioral1/memory/2132-233-0x00000000001D0000-0x00000000006E6000-memory.dmp	family_cryptbot
behavioral1/memory/2132-234-0x00000000001D0000-0x00000000006E6000-memory.dmp	family_cryptbot
behavioral1/memory/2132-236-0x00000000001D0000-0x00000000006E6000-memory.dmp	family_cryptbot
behavioral1/memory/2132-238-0x00000000001D0000-0x00000000006E6000-memory.dmp	family_cryptbot
behavioral1/memory/2132-240-0x00000000001D0000-0x00000000006E6000-memory.dmp	family_cryptbot
behavioral1/memory/2132-243-0x00000000001D0000-0x00000000006E6000-memory.dmp	family_cryptbot
behavioral1/memory/2132-245-0x00000000001D0000-0x00000000006E6000-memory.dmp	family_cryptbot
behavioral1/memory/2132-248-0x00000000001D0000-0x00000000006E6000-memory.dmp	family_cryptbot
behavioral1/memory/2132-250-0x00000000001D0000-0x00000000006E6000-memory.dmp	family_cryptbot
behavioral1/memory/2132-252-0x00000000001D0000-0x00000000006E6000-memory.dmp	family_cryptbot
behavioral1/memory/2132-255-0x00000000001D0000-0x00000000006E6000-memory.dmp	family_cryptbot
behavioral1/memory/2132-257-0x00000000001D0000-0x00000000006E6000-memory.dmp	family_cryptbot
behavioral1/memory/2132-259-0x00000000001D0000-0x00000000006E6000-memory.dmp	family_cryptbot
behavioral1/memory/2132-262-0x00000000001D0000-0x00000000006E6000-memory.dmp	family_cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

6febfef814559223cecd46a376011b9a_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 6febfef814559223cecd46a376011b9a_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6febfef814559223cecd46a376011b9a_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6febfef814559223cecd46a376011b9a_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6febfef814559223cecd46a376011b9a_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6febfef814559223cecd46a376011b9a_JaffaCakes118.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

6febfef814559223cecd46a376011b9a_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Wine 6febfef814559223cecd46a376011b9a_JaffaCakes118.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

6febfef814559223cecd46a376011b9a_JaffaCakes118.exe

pid process

2132 6febfef814559223cecd46a376011b9a_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Wine	6febfef814559223cecd46a376011b9a_JaffaCakes118.exe

pid	process
2132	6febfef814559223cecd46a376011b9a_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6febfef814559223cecd46a376011b9a_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	6febfef814559223cecd46a376011b9a_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	6febfef814559223cecd46a376011b9a_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

6febfef814559223cecd46a376011b9a_JaffaCakes118.exe

pid process

2132 6febfef814559223cecd46a376011b9a_JaffaCakes118.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

6febfef814559223cecd46a376011b9a_JaffaCakes118.exe

pid process

2132 6febfef814559223cecd46a376011b9a_JaffaCakes118.exe
2132 6febfef814559223cecd46a376011b9a_JaffaCakes118.exe

pid	process
2132	6febfef814559223cecd46a376011b9a_JaffaCakes118.exe

pid	process
2132	6febfef814559223cecd46a376011b9a_JaffaCakes118.exe
2132	6febfef814559223cecd46a376011b9a_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\6febfef814559223cecd46a376011b9a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6febfef814559223cecd46a376011b9a_JaffaCakes118.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2132

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6dlSOiq\_Files\_Information.txt
Filesize
8KB

MD5
242d9a14a344035e64b64c525aaf8b83

SHA1
e2a24391fc25adaa2b4443461e3799045a759f6c

SHA256
07169b49e1301ba71672f7bcf1b646c8d68e634ea9e728a71379065a58af7fe0

SHA512
41376a6f9cd03fb3939312d56d4e69a308b13ab7b288e737105d1ac6e7c3466858c9522c371c95fe30bed3fae415cc7e52033e004c8c0d8ee6dd82ef64c49968

Download Submit
C:\Users\Admin\AppData\Local\Temp\6dlSOiq\_Files\_Screen_Desktop.jpeg
Filesize
44KB

MD5
5354f7a4f0c0074eef2088f337b42c69

SHA1
bbc42b29135fca04ca58a9ac67b132b159102b7e

SHA256
925df60ff2647091caf48cdc83f15dbbd6304157f2c826afee56251ee3a41c28

SHA512
00b440bc4a5ee8f369dd214f80cd76caaae9cc69111f0027b5ce0047bf8d9ecf7a6cf3fa28fc63daf5e5602f892a2bb608e3858094c512a75ffe43872430a97f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6dlSOiq\c2shHlfZHdQ.zip
Filesize
37KB

MD5
6c386ca57567c5a945f416822f63d5c6

SHA1
880cb28865df0b3c736c434d576f4d56be60593a

SHA256
66a3290a323722bd39ba064c16962dad2238bea860b90babd24b7aaa29273b2b

SHA512
6d49b4e9ed5d1a52e48e551093cc5ee50959cf1f7a741e0d7e830e1db705c9a6c91386ace468d3b721290d4290bb886a02be5b60eefd91ce2d2a51602e8ee305

Download Submit
C:\Users\Admin\AppData\Local\Temp\6dlSOiq\files_\system_info.txt
Filesize
8KB

MD5
10249303824493dbcb4740726375bc8b

SHA1
59b0fc5bbe2193465061dc4088f15b5b5d8357ef

SHA256
ccf7a2b9e95b597cc56ecb0cf7c6002d3343c3ad2d15414cdaee8a086d7a94a1

SHA512
81e4b70215f9752bee683d81e3fbb1a01e24fffb2f0e8ec8c4b9c736bea250c9e68a61ee703eb4a7f2d493cdc07ae311616b2dffc839d317f018c0b2568520c4

Download Submit
memory/2132-230-0x00000000001D0000-0x00000000006E6000-memory.dmp

Filesize
5.1MB

Download
memory/2132-234-0x00000000001D0000-0x00000000006E6000-memory.dmp

Filesize
5.1MB

Download
memory/2132-6-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/2132-7-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/2132-8-0x00000000001D1000-0x000000000022C000-memory.dmp

Filesize
364KB

Download
memory/2132-9-0x00000000001D0000-0x00000000006E6000-memory.dmp

Filesize
5.1MB

Download
memory/2132-10-0x00000000001D0000-0x00000000006E6000-memory.dmp

Filesize
5.1MB

Download
memory/2132-4-0x0000000002860000-0x0000000002861000-memory.dmp

Filesize
4KB

Download
memory/2132-119-0x00000000001D0000-0x00000000006E6000-memory.dmp

Filesize
5.1MB

Download
memory/2132-3-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/2132-2-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/2132-228-0x00000000001D0000-0x00000000006E6000-memory.dmp

Filesize
5.1MB

Download
memory/2132-0-0x00000000001D0000-0x00000000006E6000-memory.dmp

Filesize
5.1MB

Download
memory/2132-232-0x00000000001D0000-0x00000000006E6000-memory.dmp

Filesize
5.1MB

Download
memory/2132-233-0x00000000001D0000-0x00000000006E6000-memory.dmp

Filesize
5.1MB

Download
memory/2132-5-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/2132-1-0x0000000077450000-0x0000000077452000-memory.dmp

Filesize
8KB

Download
memory/2132-236-0x00000000001D0000-0x00000000006E6000-memory.dmp

Filesize
5.1MB

Download
memory/2132-238-0x00000000001D0000-0x00000000006E6000-memory.dmp

Filesize
5.1MB

Download
memory/2132-240-0x00000000001D0000-0x00000000006E6000-memory.dmp

Filesize
5.1MB

Download
memory/2132-243-0x00000000001D0000-0x00000000006E6000-memory.dmp

Filesize
5.1MB

Download
memory/2132-245-0x00000000001D0000-0x00000000006E6000-memory.dmp

Filesize
5.1MB

Download
memory/2132-248-0x00000000001D0000-0x00000000006E6000-memory.dmp

Filesize
5.1MB

Download
memory/2132-250-0x00000000001D0000-0x00000000006E6000-memory.dmp

Filesize
5.1MB

Download
memory/2132-252-0x00000000001D0000-0x00000000006E6000-memory.dmp

Filesize
5.1MB

Download
memory/2132-255-0x00000000001D0000-0x00000000006E6000-memory.dmp

Filesize
5.1MB

Download
memory/2132-257-0x00000000001D0000-0x00000000006E6000-memory.dmp

Filesize
5.1MB

Download
memory/2132-259-0x00000000001D0000-0x00000000006E6000-memory.dmp

Filesize
5.1MB

Download
memory/2132-262-0x00000000001D0000-0x00000000006E6000-memory.dmp

Filesize
5.1MB

Download