General
-
Target
6f2f7f2ce0ef33d170cf9ee67265770d_JaffaCakes118
-
Size
4.2MB
-
Sample
240524-vdmp1ace4v
-
MD5
6f2f7f2ce0ef33d170cf9ee67265770d
-
SHA1
beb2c4bd2ab65ed67028a1a8db92750c624d7eb8
-
SHA256
4e459e942437ee7a6b767925f7cfaac795f9049c71b9211392061b2f4338dbfb
-
SHA512
11e01409e4038e812f5351753f498e3a179d7a8e209f7d652682198796fab226406e4b613a669cac379513d689d0f920050d7a7e6a362470c5599169481b00fc
-
SSDEEP
98304:BXDf8Q9Ymb74VAMgbMHWIZ/CA3VFSLVnqzGHsSM:BTf8QSSQiA2IZd3XUVnJ0
Malware Config
Extracted
cryptbot
biss01.info
Targets
-
-
Target
6f2f7f2ce0ef33d170cf9ee67265770d_JaffaCakes118
-
Size
4.2MB
-
MD5
6f2f7f2ce0ef33d170cf9ee67265770d
-
SHA1
beb2c4bd2ab65ed67028a1a8db92750c624d7eb8
-
SHA256
4e459e942437ee7a6b767925f7cfaac795f9049c71b9211392061b2f4338dbfb
-
SHA512
11e01409e4038e812f5351753f498e3a179d7a8e209f7d652682198796fab226406e4b613a669cac379513d689d0f920050d7a7e6a362470c5599169481b00fc
-
SSDEEP
98304:BXDf8Q9Ymb74VAMgbMHWIZ/CA3VFSLVnqzGHsSM:BTf8QSSQiA2IZd3XUVnJ0
Score10/10-
CryptBot
A C++ stealer distributed widely in bundle with other software.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Blocklisted process makes network request
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
$PLUGINSDIR/System.dll
-
Size
11KB
-
MD5
bf712f32249029466fa86756f5546950
-
SHA1
75ac4dc4808ac148ddd78f6b89a51afbd4091c2e
-
SHA256
7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af
-
SHA512
13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4
-
SSDEEP
192:0N2gQuUwXzioj4KALV2upWzVd7q1QDXEbBZ8KxHdGzyS/Kx:rJoiO8V2upW7vQjS/
Score3/10 -
-
-
Target
$PLUGINSDIR/UAC.dll
-
Size
14KB
-
MD5
adb29e6b186daa765dc750128649b63d
-
SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9
-
SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
-
SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada
-
SSDEEP
192:DiF6v2imI36Op/tGZGfWxdyWHD0I53vLl7WVl8e04IpDlPjs:DGVY6ClGoWxXH75T1WVl83lLs
Score3/10 -
-
-
Target
$PLUGINSDIR/UserInfo.dll
-
Size
4KB
-
MD5
c7ce0e47c83525983fd2c4c9566b4aad
-
SHA1
38b7ad7bb32ffae35540fce373b8a671878dc54e
-
SHA256
6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae
-
SHA512
ee9f23ea5210f418d4c559628bbfb3a0f892440bcd5dc4c1901cb8e510078e4481ea8353b262795076a19055e70b88e08fee5fb7e8f35a6f49022096408df20e
Score3/10 -
-
-
Target
$PLUGINSDIR/nsDialogs.dll
-
Size
9KB
-
MD5
4ccc4a742d4423f2f0ed744fd9c81f63
-
SHA1
704f00a1acc327fd879cf75fc90d0b8f927c36bc
-
SHA256
416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6
-
SHA512
790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb
-
SSDEEP
192:SbEunjqjIcESwFlioU3M0LLF/t8t9pKSfOi:SbESjFCw6oWPFl8jfOi
Score3/10 -
-
-
Target
$PLUGINSDIR/nsExec.dll
-
Size
6KB
-
MD5
132e6153717a7f9710dcea4536f364cd
-
SHA1
e39bc82c7602e6dd0797115c2bd12e872a5fb2ab
-
SHA256
d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2
-
SHA512
9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1
-
SSDEEP
96:M/SspqrIYxLPEQhThvov3TE4/2Sa5P9QFFYzOx4uF3sbSEI5LP39sQvM:M/QUG7lhvov36S5FcUjliSEI5LuQ
Score3/10 -
-
-
Target
Setup.exe
-
Size
2.2MB
-
MD5
112612c1ceaf7965ed7beb7d2341e0e2
-
SHA1
4a2e3df41d122e0ab2e4d8b774e806554f4a6296
-
SHA256
b5ee04d73e9cfa30a1719d2cbf9d17e76a5c8dc6149f9bb571365d5ee5b00072
-
SHA512
5ebf8b9f98497c35629d6924e03ca5d7661fea4ff5ae46ae56c56111f38d3af2ad51818d4363985424991e53663d1b96c366d84cbeb34dbecf641e7d09c1eeba
-
SSDEEP
49152:8NE9c7j+VxRCE0ntUyaDou+DuPSQQN/630zOKDYhKk:2j+0jntUODuPwdyZKDYhKk
Score10/10-
CryptBot
A C++ stealer distributed widely in bundle with other software.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
Setupres.exe
-
Size
2.0MB
-
MD5
e75b71aa66f4177b62485503809ec837
-
SHA1
8203e06f29d51c25b2af48c62fa6074c58958660
-
SHA256
f2ac71dbbc1ec524d93811dd4cd64edc5c836be379fa9cfd565af7ba45cfe80c
-
SHA512
2761d0880e60a87b9cca31cd533f626b218ddf9939dbd751cc468904500d19a59e63c09af0f44ede21bbf8a416ec05b08ac7f6629cf7de1072323b349d9df2f7
-
SSDEEP
49152:b82GHJEEqZj0HcfkfXhgW7Xvn0/55ScrQI+HKU/Z:b48foR370hFrzIZ
Score9/10-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
VMProtectSDK32.dll
-
Size
62KB
-
MD5
1e6fdcd6d847bbf9cd3a37ba72cda3f7
-
SHA1
4630e17975f151858f6acefb591286d09daaf6f9
-
SHA256
06754cb39c2e814577ac287b7dd0083f59933c867038407cddfb22ebc6c0f193
-
SHA512
1ff53ac4eff9a2eb33f9e3f51dc848154d19e36cfc6e02912fde6e4004bfbfada3fa7ad76079ec18026ab7305f603f11e647682cb410efba1f27f7e9fd2be0f1
-
SSDEEP
768:HoPxJEvm79UXEHoJ9Zu+mCpvuJx/cH/3raj5ckespr6vv6USYhCDgAkhHHqD+x8:HoP7EvctUT3Gejaj5He66KUScM+x8
Score1/10 -
-
-
Target
ipras.vbs
-
Size
126B
-
MD5
b802ff9244875f69db2fae0f78e92b10
-
SHA1
49385a89cd575894a29fbda969b99cc1f5cf8076
-
SHA256
a1b0cb16fb2ecd66fccf156024404801ad694056e8a596326c1b27b57d8eabe8
-
SHA512
609856415a7ae2b3e260f945f1c8a8d2a28884c202d37181bea948708918f24b42ae03f17dba1520fddc91b2f7a182b0b8f885f33ea6f81bb3ee4c72e4e9350e
Score8/10-
Blocklisted process makes network request
-
Legitimate hosting services abused for malware hosting/C2
-