cryptbot | e8ce5ad5f725d815f30881cbc45cd4fecd528d4e74f18654d11816c07964bf2e

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
27-05-2024 17:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79d694b6013391578dcb6b0dddd21994_JaffaCakes118.exe
Size

2.1MB
MD5

79d694b6013391578dcb6b0dddd21994
SHA1

ab6ed57debc6eea81fde739926aeef08aaccae10
SHA256

e8ce5ad5f725d815f30881cbc45cd4fecd528d4e74f18654d11816c07964bf2e
SHA512

dcda7e5d2a4e3ceb70413cc18fb0c185e033541a5838643b6c620f2197691655a458a0d05604606b32a680ce9e83ff51f3f694f32dba453bdf454ca3ac7b941d
SSDEEP

49152:avQex8xXSUvxfxjO/x5f+2vMkZ2hKAh1tRF4K0pMqLtfkCxJh:avQ08xXFvxfRux5G2vdZb674K0pMqLtj

Score

10^/10

cryptbot discovery evasion spyware stealer

Malware Config

Extracted

Family

cryptbot

hbv01.info

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

79d694b6013391578dcb6b0dddd21994_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 79d694b6013391578dcb6b0dddd21994_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	79d694b6013391578dcb6b0dddd21994_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

79d694b6013391578dcb6b0dddd21994_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	79d694b6013391578dcb6b0dddd21994_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	79d694b6013391578dcb6b0dddd21994_JaffaCakes118.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

79d694b6013391578dcb6b0dddd21994_JaffaCakes118.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation 79d694b6013391578dcb6b0dddd21994_JaffaCakes118.exe
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

79d694b6013391578dcb6b0dddd21994_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Wine 79d694b6013391578dcb6b0dddd21994_JaffaCakes118.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

12 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

79d694b6013391578dcb6b0dddd21994_JaffaCakes118.exe

pid process

1160 79d694b6013391578dcb6b0dddd21994_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	79d694b6013391578dcb6b0dddd21994_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Wine	79d694b6013391578dcb6b0dddd21994_JaffaCakes118.exe

flow	ioc
12	ip-api.com

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

79d694b6013391578dcb6b0dddd21994_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	79d694b6013391578dcb6b0dddd21994_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	79d694b6013391578dcb6b0dddd21994_JaffaCakes118.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

5040 timeout.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

79d694b6013391578dcb6b0dddd21994_JaffaCakes118.exe

pid process

1160 79d694b6013391578dcb6b0dddd21994_JaffaCakes118.exe
1160 79d694b6013391578dcb6b0dddd21994_JaffaCakes118.exe

pid	process
5040	timeout.exe

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

79d694b6013391578dcb6b0dddd21994_JaffaCakes118.exe

pid	process
1160	79d694b6013391578dcb6b0dddd21994_JaffaCakes118.exe
1160	79d694b6013391578dcb6b0dddd21994_JaffaCakes118.exe
1160	79d694b6013391578dcb6b0dddd21994_JaffaCakes118.exe
1160	79d694b6013391578dcb6b0dddd21994_JaffaCakes118.exe
1160	79d694b6013391578dcb6b0dddd21994_JaffaCakes118.exe
1160	79d694b6013391578dcb6b0dddd21994_JaffaCakes118.exe
1160	79d694b6013391578dcb6b0dddd21994_JaffaCakes118.exe
1160	79d694b6013391578dcb6b0dddd21994_JaffaCakes118.exe
1160	79d694b6013391578dcb6b0dddd21994_JaffaCakes118.exe
1160	79d694b6013391578dcb6b0dddd21994_JaffaCakes118.exe
1160	79d694b6013391578dcb6b0dddd21994_JaffaCakes118.exe
1160	79d694b6013391578dcb6b0dddd21994_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

79d694b6013391578dcb6b0dddd21994_JaffaCakes118.execmd.exe

description	pid	process	target process
PID 1160 wrote to memory of 3224	1160	79d694b6013391578dcb6b0dddd21994_JaffaCakes118.exe	cmd.exe
PID 1160 wrote to memory of 3224	1160	79d694b6013391578dcb6b0dddd21994_JaffaCakes118.exe	cmd.exe
PID 1160 wrote to memory of 3224	1160	79d694b6013391578dcb6b0dddd21994_JaffaCakes118.exe	cmd.exe
PID 3224 wrote to memory of 5040	3224	cmd.exe	timeout.exe
PID 3224 wrote to memory of 5040	3224	cmd.exe	timeout.exe
PID 3224 wrote to memory of 5040	3224	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\79d694b6013391578dcb6b0dddd21994_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\79d694b6013391578dcb6b0dddd21994_JaffaCakes118.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\EyfEyCLGiwX1c & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\79d694b6013391578dcb6b0dddd21994_JaffaCakes118.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3224

C:\Windows\SysWOW64\timeout.exe
timeout 2
3⤵
- Delays execution with timeout.exe
PID:5040

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\EyfEyCLGiwX1c\47283761.txt
Filesize
156B

MD5
b5089e0c5a3d5377e9bd19c0557ef04e

SHA1
9402e326be3d240e234c06892b15c24e93c93eb8

SHA256
d77789b2c49759c882f4fdd6f53e665b0d012f8f0949d0150eaba47fbf2a0eb5

SHA512
942349ccb99854f274ef1e20b623660588e15bd0d25bfc817fe9b2d010db656af340652e0e67b41edbf0cf259d55ab880d6b50acb1d7e8ab394f1393f7956c13

Download Submit
C:\ProgramData\EyfEyCLGiwX1c\Files\Files\Desktop\REVOKE~1.TXT
Filesize
865KB

MD5
4402e78e9dc289b3454f8a6c8630eb3e

SHA1
a89539feeeb9cffdbc31037612ce6828cf75afa3

SHA256
2a90b5992aaaa5ac7013cd79e22d75c4b9f88bc23c1f2b8e715117fc6997b74a

SHA512
21a1b07c1127130938e104db1ad2e975d6a7bdedfbcc2efcf273318f2535f6cd58a49d370b7f4937ac50b0c46e865469f282d8bbb44bd94a1468d94a16e92b52

Download Submit
C:\ProgramData\EyfEyCLGiwX1c\Files\_Info.txt
Filesize
8KB

MD5
458fd490a4f79b6d4b9f53a75a3e0d29

SHA1
649bc44af64edb8384541611d9dd7795a0e07d5a

SHA256
3488706691fdaf779d96e477291ae5c1998f6c43ffdc47a3bf94223245ade0fc

SHA512
79f2edefad2772982ec4cdb7880029b770b282323d3d085be440f8cdc9a31005c22cd27095f502282b1543dc9515ca840a4a4ac2995daf873b69810949f34e5b

Download Submit
C:\ProgramData\EyfEyCLGiwX1c\Files\_Screen.jpg
Filesize
49KB

MD5
2209dec40df2d01569cbfbac88bf4b73

SHA1
6705fdcfbf46e1fe88c61c03580f4992ed80d4f0

SHA256
f2bd62f4498ea289ab727c494ce2f03c6dcab53950417a4a393df7b9fa2effb5

SHA512
c2e91ff75caa2b99a495be0658d6f00a97f78898093c3822331bad063a2aeae6d4a90d40348aaac54d8a5658bfb0f0a09caf2355c572087330a0cbfa615e56cb

Download Submit
C:\ProgramData\EyfEyCLGiwX1c\KwYfUbYdgMCTWdaB.zip
Filesize
910KB

MD5
c8beddff5284b49702ad5d1c7908d33d

SHA1
2e9e1a26798bb4d4374bd05444cff013f4577d37

SHA256
29df0a0c6de56b55a9a7070ec7f435c5dbd309db45c04d9b2c53871323eb19b8

SHA512
28564fae5612bf7af36da654a7dc02df20c58bc8946da7bec2d3022fb4f978e139f22e422d677b68ae3f4422a0a78d452c456e4c37d78b83915c91d22df6f5a3

Download Submit
C:\ProgramData\EyfEyCLGiwX1c\MOZ_CO~1.DB
Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
memory/1160-163-0x0000000000140000-0x0000000000674000-memory.dmp

Filesize
5.2MB

Download
memory/1160-169-0x0000000000140000-0x0000000000674000-memory.dmp

Filesize
5.2MB

Download
memory/1160-17-0x0000000000140000-0x0000000000674000-memory.dmp

Filesize
5.2MB

Download
memory/1160-20-0x0000000000140000-0x0000000000674000-memory.dmp

Filesize
5.2MB

Download
memory/1160-13-0x0000000000140000-0x0000000000674000-memory.dmp

Filesize
5.2MB

Download
memory/1160-2-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/1160-145-0x0000000000140000-0x0000000000674000-memory.dmp

Filesize
5.2MB

Download
memory/1160-157-0x0000000000140000-0x0000000000674000-memory.dmp

Filesize
5.2MB

Download
memory/1160-158-0x0000000000140000-0x0000000000674000-memory.dmp

Filesize
5.2MB

Download
memory/1160-160-0x0000000000140000-0x0000000000674000-memory.dmp

Filesize
5.2MB

Download
memory/1160-3-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/1160-162-0x0000000000140000-0x0000000000674000-memory.dmp

Filesize
5.2MB

Download
memory/1160-0-0x0000000000140000-0x0000000000674000-memory.dmp

Filesize
5.2MB

Download
memory/1160-165-0x0000000000140000-0x0000000000674000-memory.dmp

Filesize
5.2MB

Download
memory/1160-166-0x0000000000140000-0x0000000000674000-memory.dmp

Filesize
5.2MB

Download
memory/1160-16-0x0000000000140000-0x0000000000674000-memory.dmp

Filesize
5.2MB

Download
memory/1160-172-0x0000000000140000-0x0000000000674000-memory.dmp

Filesize
5.2MB

Download
memory/1160-175-0x0000000000140000-0x0000000000674000-memory.dmp

Filesize
5.2MB

Download
memory/1160-179-0x0000000000140000-0x0000000000674000-memory.dmp

Filesize
5.2MB

Download
memory/1160-182-0x0000000000140000-0x0000000000674000-memory.dmp

Filesize
5.2MB

Download
memory/1160-184-0x0000000000140000-0x0000000000674000-memory.dmp

Filesize
5.2MB

Download
memory/1160-188-0x0000000000140000-0x0000000000674000-memory.dmp

Filesize
5.2MB

Download
memory/1160-191-0x0000000000140000-0x0000000000674000-memory.dmp

Filesize
5.2MB

Download
memory/1160-193-0x0000000000140000-0x0000000000674000-memory.dmp

Filesize
5.2MB

Download
memory/1160-196-0x0000000000140000-0x0000000000674000-memory.dmp

Filesize
5.2MB

Download
memory/1160-199-0x0000000000140000-0x0000000000674000-memory.dmp

Filesize
5.2MB

Download
memory/1160-201-0x0000000000140000-0x0000000000674000-memory.dmp

Filesize
5.2MB

Download
memory/1160-4-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download
memory/1160-7-0x0000000000141000-0x00000000001A0000-memory.dmp

Filesize
380KB

Download
memory/1160-1-0x00000000774E4000-0x00000000774E6000-memory.dmp

Filesize
8KB

Download