cryptbot | 72454e25fcf6428797f032ba6e5ab9a2c4a49c33fd3f353ce15b6c87979f4b54

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 21:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6febfef814559223cecd46a376011b9a_JaffaCakes118.exe
Size

2.1MB
MD5

6febfef814559223cecd46a376011b9a
SHA1

c1cbd367b8859834e56baecbb4adae006de66852
SHA256

72454e25fcf6428797f032ba6e5ab9a2c4a49c33fd3f353ce15b6c87979f4b54
SHA512

be52e9fed62afb08753c0af6513a3d0196c3ab519082bbf09973c3f5dd47da9978a24c39b09552684b443d76248e358d8053ea53b85036c009d26ccdd2c242b3
SSDEEP

49152:6MPAcFI+Oa9vb9cCp0RUFE9y6cthn/2mO7Vy/R5nsQ:6MPAcFI5+vb9cCQevhn5+Vy/Rt

Score

10^/10

cryptbot discovery evasion spyware stealer

Malware Config

Extracted

Family

cryptbot

bibinene01.top

moraass05.top

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 17 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1292-6-0x0000000000560000-0x0000000000A76000-memory.dmp	family_cryptbot
behavioral2/memory/1292-221-0x0000000000560000-0x0000000000A76000-memory.dmp	family_cryptbot
behavioral2/memory/1292-223-0x0000000000560000-0x0000000000A76000-memory.dmp	family_cryptbot
behavioral2/memory/1292-226-0x0000000000560000-0x0000000000A76000-memory.dmp	family_cryptbot
behavioral2/memory/1292-227-0x0000000000560000-0x0000000000A76000-memory.dmp	family_cryptbot
behavioral2/memory/1292-229-0x0000000000560000-0x0000000000A76000-memory.dmp	family_cryptbot
behavioral2/memory/1292-232-0x0000000000560000-0x0000000000A76000-memory.dmp	family_cryptbot
behavioral2/memory/1292-235-0x0000000000560000-0x0000000000A76000-memory.dmp	family_cryptbot
behavioral2/memory/1292-238-0x0000000000560000-0x0000000000A76000-memory.dmp	family_cryptbot
behavioral2/memory/1292-240-0x0000000000560000-0x0000000000A76000-memory.dmp	family_cryptbot
behavioral2/memory/1292-243-0x0000000000560000-0x0000000000A76000-memory.dmp	family_cryptbot
behavioral2/memory/1292-246-0x0000000000560000-0x0000000000A76000-memory.dmp	family_cryptbot
behavioral2/memory/1292-249-0x0000000000560000-0x0000000000A76000-memory.dmp	family_cryptbot
behavioral2/memory/1292-254-0x0000000000560000-0x0000000000A76000-memory.dmp	family_cryptbot
behavioral2/memory/1292-257-0x0000000000560000-0x0000000000A76000-memory.dmp	family_cryptbot
behavioral2/memory/1292-259-0x0000000000560000-0x0000000000A76000-memory.dmp	family_cryptbot
behavioral2/memory/1292-263-0x0000000000560000-0x0000000000A76000-memory.dmp	family_cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

6febfef814559223cecd46a376011b9a_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 6febfef814559223cecd46a376011b9a_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	6febfef814559223cecd46a376011b9a_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6febfef814559223cecd46a376011b9a_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6febfef814559223cecd46a376011b9a_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6febfef814559223cecd46a376011b9a_JaffaCakes118.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

6febfef814559223cecd46a376011b9a_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Wine 6febfef814559223cecd46a376011b9a_JaffaCakes118.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

6febfef814559223cecd46a376011b9a_JaffaCakes118.exe

pid process

1292 6febfef814559223cecd46a376011b9a_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Wine	6febfef814559223cecd46a376011b9a_JaffaCakes118.exe

pid	process
1292	6febfef814559223cecd46a376011b9a_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6febfef814559223cecd46a376011b9a_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	6febfef814559223cecd46a376011b9a_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	6febfef814559223cecd46a376011b9a_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

6febfef814559223cecd46a376011b9a_JaffaCakes118.exe

pid process

1292 6febfef814559223cecd46a376011b9a_JaffaCakes118.exe
1292 6febfef814559223cecd46a376011b9a_JaffaCakes118.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

6febfef814559223cecd46a376011b9a_JaffaCakes118.exe

pid process

1292 6febfef814559223cecd46a376011b9a_JaffaCakes118.exe
1292 6febfef814559223cecd46a376011b9a_JaffaCakes118.exe

pid	process
1292	6febfef814559223cecd46a376011b9a_JaffaCakes118.exe
1292	6febfef814559223cecd46a376011b9a_JaffaCakes118.exe

pid	process
1292	6febfef814559223cecd46a376011b9a_JaffaCakes118.exe
1292	6febfef814559223cecd46a376011b9a_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\6febfef814559223cecd46a376011b9a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6febfef814559223cecd46a376011b9a_JaffaCakes118.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1292

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\KUs22JIZTC\8qLyeasm5IY4a.zip
Filesize
41KB

MD5
e1f2b9823036da6a95102d4f61774e4a

SHA1
4cf112b1dc90b75a5c6c49c5f87daf80e8aefbf7

SHA256
7bc1ee1dfb248e1d60020435cd1b7710792f698824033f069b14c387b837fa31

SHA512
713a044144c3c3f09f19bcd8a1080bddd11c3a6fc38202f2666a7fc0f01818e87c882c5adc3741305493758c3d20f77e75e28b8b3220b83ec203822c6d3ca879

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUs22JIZTC\_Files\_Information.txt
Filesize
1KB

MD5
0c18f1b65d37f2bce723d78b91f174db

SHA1
d0ddf304efb6a1f718b7016114c06424ed8bbedc

SHA256
d880fde66ccd8509c57a113bc4c43e40ee49046e7ec4374389eb92a873da1ade

SHA512
4229de12c8951347ff8a69faac17ffaf237645c688e938c2fdedac9a3f1c10dfde0906e7fc4c6fa8418d4207f30de7df4c7ced6e1c8ee02562dccc5d1e08a7a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUs22JIZTC\_Files\_Information.txt
Filesize
1KB

MD5
5efc7e59bde9b31436401897656a6789

SHA1
905f98c197df5e286ff6d095c5f99f4db4ce85e0

SHA256
c29a4f74181dc99bcb42aced998c45c20d97748268e63c021606d222ccf7c30c

SHA512
15ef8cf1df1203d91f7320324a612f9d14c0b625eb8e4e13503732654b8a9dff9e5b638e836507e5a23a700d58b8deb734709d878d19ea767edfbc413408851e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUs22JIZTC\_Files\_Information.txt
Filesize
4KB

MD5
ffa7a3e32759a5c6412b1549232c393e

SHA1
d136358b6d67540478ede48a5cedd461a0a79a06

SHA256
75209a36ef136fc3a36e0be67b2e13efa53606ada8b7ff3f0624c5b45b69869b

SHA512
4dc53a159b39bf383229e6d6155b16f1826efcda1768ed3f9ee054af8625b5617a3c0cdca1b2356fd1ea52af74c0179a701ccdb1333441a2207edad94b122902

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUs22JIZTC\_Files\_Information.txt
Filesize
4KB

MD5
7cf0e14f5441c519e5d51e5aea82fec8

SHA1
a9e9b7a19aa84f33bd4be8d7cb4455ede344e564

SHA256
99a4fcfc881dbc1293c1dddb9856592280677c08396f25a1eb14244ec65e431b

SHA512
f597129a26334bfc73e22857c36fc5d3981b8cf6eb6b07d952929a372cb8f247c942b9cba245641358db256ac4e1958347ff0bb780f22c7e1ca961f3dfe89378

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUs22JIZTC\_Files\_Screen_Desktop.jpeg
Filesize
47KB

MD5
e7b8097248ee3845feb9adce7755c59c

SHA1
b25ebf3612bf280fef47f55129e432e966a46691

SHA256
3d35049c80a7ea03f0f13ecc9f2bb123679f046718ba13f57a96718609197b56

SHA512
c1c357cfac72d6e5cb4387fcd1584de1b1e2f0ea6b91e0ea459749a3eab972a03ce213aa6fd5a206678096752225630f4507633f23f6eb675992208b5d85709d

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUs22JIZTC\files_\system_info.txt
Filesize
7KB

MD5
7bcfcf3616d7de2754389d6a178b55a8

SHA1
729fa2a4c2bd485e72ca6005a4fcf15fa28369a8

SHA256
b355f4efc3c9af28d2f5fd0e128ee62bfa464132c8ca2763f437476e21e2994b

SHA512
b2cbcece5e177b211fa2297cc51c553b30d45479f7666016369e214374fe84869cd7d796992cc6373227ee3189972b26353cc12ba9658ed50e261aa6ca6d8638

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUs22JIZTC\oroAfErW.zip
Filesize
41KB

MD5
1df3cc486979fd649d2bafa7b9f6f4fa

SHA1
17c399f375aaff6e4ad6f9d6c9641fbcd645d976

SHA256
5fe3175f2f23b505477da8a781b98c084ea0beb22a66bb950f1775e06c177de2

SHA512
dc46ae88aa3ecb821dcd152fa2dfe45171d68a5c57ebde88df146223ab0be68a08ff8335a6c5abd15165f1050be1ed439caa1177cfb71aa6ea53f99a89416cef

Download Submit
memory/1292-223-0x0000000000560000-0x0000000000A76000-memory.dmp

Filesize
5.1MB

Download
memory/1292-232-0x0000000000560000-0x0000000000A76000-memory.dmp

Filesize
5.1MB

Download
memory/1292-5-0x0000000000561000-0x00000000005BC000-memory.dmp

Filesize
364KB

Download
memory/1292-2-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/1292-3-0x0000000004D30000-0x0000000004D31000-memory.dmp

Filesize
4KB

Download
memory/1292-221-0x0000000000560000-0x0000000000A76000-memory.dmp

Filesize
5.1MB

Download
memory/1292-0-0x0000000000560000-0x0000000000A76000-memory.dmp

Filesize
5.1MB

Download
memory/1292-4-0x0000000004D20000-0x0000000004D21000-memory.dmp

Filesize
4KB

Download
memory/1292-226-0x0000000000560000-0x0000000000A76000-memory.dmp

Filesize
5.1MB

Download
memory/1292-227-0x0000000000560000-0x0000000000A76000-memory.dmp

Filesize
5.1MB

Download
memory/1292-229-0x0000000000560000-0x0000000000A76000-memory.dmp

Filesize
5.1MB

Download
memory/1292-6-0x0000000000560000-0x0000000000A76000-memory.dmp

Filesize
5.1MB

Download
memory/1292-235-0x0000000000560000-0x0000000000A76000-memory.dmp

Filesize
5.1MB

Download
memory/1292-238-0x0000000000560000-0x0000000000A76000-memory.dmp

Filesize
5.1MB

Download
memory/1292-240-0x0000000000560000-0x0000000000A76000-memory.dmp

Filesize
5.1MB

Download
memory/1292-243-0x0000000000560000-0x0000000000A76000-memory.dmp

Filesize
5.1MB

Download
memory/1292-246-0x0000000000560000-0x0000000000A76000-memory.dmp

Filesize
5.1MB

Download
memory/1292-249-0x0000000000560000-0x0000000000A76000-memory.dmp

Filesize
5.1MB

Download
memory/1292-254-0x0000000000560000-0x0000000000A76000-memory.dmp

Filesize
5.1MB

Download
memory/1292-257-0x0000000000560000-0x0000000000A76000-memory.dmp

Filesize
5.1MB

Download
memory/1292-1-0x0000000077D94000-0x0000000077D96000-memory.dmp

Filesize
8KB

Download
memory/1292-259-0x0000000000560000-0x0000000000A76000-memory.dmp

Filesize
5.1MB

Download
memory/1292-263-0x0000000000560000-0x0000000000A76000-memory.dmp

Filesize
5.1MB

Download