cryptbot | 7cedfec517d2cb0967ed42266802acbbdb12dfbac5f32d677f7b5a8d43544cf9

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
30-05-2024 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe
Size

2.1MB
MD5

84ed617163c46602cbac577800ca9af0
SHA1

44ece41b2f92117655b0aed8180890ab3a2e79a9
SHA256

7cedfec517d2cb0967ed42266802acbbdb12dfbac5f32d677f7b5a8d43544cf9
SHA512

455a990ee280a9445d1c3884e2ba2841e964f37d429a2742a91076e1bd819c0f8f692923700929d0fad88144c7916f2393d049b964bf9cba5cb99b42c1822233
SSDEEP

49152:T2pgPMMANpMshiMAZPMQQMCzTEBliSd/FTJEQbatj:T2pgPrssZLdBltd9TJ

Score

10^/10

cryptbot discovery evasion spyware stealer

Malware Config

Extracted

Family

cryptbot

bibinene03.top

moraass05.top

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2248-9-0x0000000001230000-0x0000000001734000-memory.dmp	family_cryptbot
behavioral1/memory/2248-10-0x0000000001230000-0x0000000001734000-memory.dmp	family_cryptbot
behavioral1/memory/2248-119-0x0000000001230000-0x0000000001734000-memory.dmp	family_cryptbot
behavioral1/memory/2248-229-0x0000000001230000-0x0000000001734000-memory.dmp	family_cryptbot
behavioral1/memory/2248-230-0x0000000001230000-0x0000000001734000-memory.dmp	family_cryptbot
behavioral1/memory/2248-232-0x0000000001230000-0x0000000001734000-memory.dmp	family_cryptbot
behavioral1/memory/2248-233-0x0000000001230000-0x0000000001734000-memory.dmp	family_cryptbot
behavioral1/memory/2248-234-0x0000000001230000-0x0000000001734000-memory.dmp	family_cryptbot
behavioral1/memory/2248-236-0x0000000001230000-0x0000000001734000-memory.dmp	family_cryptbot
behavioral1/memory/2248-238-0x0000000001230000-0x0000000001734000-memory.dmp	family_cryptbot
behavioral1/memory/2248-240-0x0000000001230000-0x0000000001734000-memory.dmp	family_cryptbot
behavioral1/memory/2248-243-0x0000000001230000-0x0000000001734000-memory.dmp	family_cryptbot
behavioral1/memory/2248-245-0x0000000001230000-0x0000000001734000-memory.dmp	family_cryptbot
behavioral1/memory/2248-248-0x0000000001230000-0x0000000001734000-memory.dmp	family_cryptbot
behavioral1/memory/2248-250-0x0000000001230000-0x0000000001734000-memory.dmp	family_cryptbot
behavioral1/memory/2248-252-0x0000000001230000-0x0000000001734000-memory.dmp	family_cryptbot
behavioral1/memory/2248-254-0x0000000001230000-0x0000000001734000-memory.dmp	family_cryptbot
behavioral1/memory/2248-256-0x0000000001230000-0x0000000001734000-memory.dmp	family_cryptbot
behavioral1/memory/2248-258-0x0000000001230000-0x0000000001734000-memory.dmp	family_cryptbot
behavioral1/memory/2248-261-0x0000000001230000-0x0000000001734000-memory.dmp	family_cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Wine 84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe

pid process

2248 84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Wine	84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe

pid	process
2248	84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe

pid process

2248 84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe

pid process

2248 84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe
2248 84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe

pid	process
2248	84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe

pid	process
2248	84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe
2248	84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2248

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2jucYSbuWKT\_Files\_Information.txt
Filesize
8KB

MD5
b0a4bc4b29a252a9d72fb55270c3bb11

SHA1
b861aa0edc57dc251de3cdc53a8184a81aa67ea8

SHA256
837232868ca77b551e1e9df54ea03039de31324298cbe5ff40531e46426a3932

SHA512
cfc976a2befabd2f92a1367d6fe616fc841698339c8102ba43e73e2cead04b1bbf9e501a3811904137bf152920633590db1ef5535d7aaa72b976cc7d25a9f8fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\2jucYSbuWKT\_Files\_Screen_Desktop.jpeg
Filesize
39KB

MD5
e74e07eac353af152b79aba264fc8a5c

SHA1
0cbdfdd1479718e07f1baeea67646f6adde34321

SHA256
1c97109e2e00ec2162e0c1e0e35c41845542f497ff3f059888658a376fe8043f

SHA512
db2e516e05d53e2f91d5d29092097ca798f0ef30d3084731cd22c6b556208a9774fb7860a4f5889553256d8e804eadfd9185da52783e8aeda2ac1bb37f59161c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2jucYSbuWKT\files_\system_info.txt
Filesize
1KB

MD5
43757443c3e8e081cb0fe1c0da349bc6

SHA1
3fdc1db7256fbdf703a5493719cdd79351ac945e

SHA256
d5f3a89e6cc480fb0f0aa90077444549ae7dcbd64aca51d866a4a4cd4d3cab6c

SHA512
397b75202ec6eeb27303439c1956fe624cdaf90e4f885300f103216e7a08f03277d635ce1fc92268574329e1c8f365a5312afbd4c4624b5a40c5bc23ff5a75f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\2jucYSbuWKT\files_\system_info.txt
Filesize
3KB

MD5
34c960710bfb57791df55ab8cac9e2f2

SHA1
398c2fc272551ff2e49fd0409aaf0ad985a53810

SHA256
f719181281eb079bafb79361eb8ed813ee647b82c677760b4e8d68e8b1c699f6

SHA512
58e159aa1805ced407669d862c806ebca2f55b142024b2c20b46bf62da3975843adfed5ea00e55dff56dbd67c02766f48242c795b02247b95c69b57a7f9e3d08

Download Submit
C:\Users\Admin\AppData\Local\Temp\2jucYSbuWKT\files_\system_info.txt
Filesize
4KB

MD5
1ec2a1b599d4f7febfe674885c59b5a3

SHA1
eacf2b6ffe8f6af032d3ea93a84da2c4bc8fe637

SHA256
66ab5abdbb0fdd0ced42f0f637dad8b6e60431b3641b69867947d9a2060663bd

SHA512
72aec90e6e87ceec02609ec73b5fd0e8354a823174f541471c40aab4785ce1cf02f0a494abd54cdffc7c24c140c10980ee97fca4be8820df07474e0d17c24d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\2jucYSbuWKT\vjTmHpewjelObx.zip
Filesize
31KB

MD5
db9d214e5132a3d919fe710d1624979b

SHA1
d716cb6143f4db0e80c1ff136ede3c1e969c7cf8

SHA256
a83179fd064692cd862af75ffb611ce8ff5f9a83334efe35ae942b32984ff7ba

SHA512
14fb7ca4fc3f9f561bc8fab3ea6c0de6b97b3a6576018d47e5f69334ebb9d3422add995d7606a636d7af6a11342e8516e7bf745006cac35a04a36e9fd1472419

Download Submit
memory/2248-2-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/2248-234-0x0000000001230000-0x0000000001734000-memory.dmp

Filesize
5.0MB

Download
memory/2248-0-0x0000000001230000-0x0000000001734000-memory.dmp

Filesize
5.0MB

Download
memory/2248-9-0x0000000001230000-0x0000000001734000-memory.dmp

Filesize
5.0MB

Download
memory/2248-10-0x0000000001230000-0x0000000001734000-memory.dmp

Filesize
5.0MB

Download
memory/2248-4-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download
memory/2248-119-0x0000000001230000-0x0000000001734000-memory.dmp

Filesize
5.0MB

Download
memory/2248-5-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/2248-6-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/2248-7-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/2248-8-0x0000000001231000-0x000000000128C000-memory.dmp

Filesize
364KB

Download
memory/2248-229-0x0000000001230000-0x0000000001734000-memory.dmp

Filesize
5.0MB

Download
memory/2248-230-0x0000000001230000-0x0000000001734000-memory.dmp

Filesize
5.0MB

Download
memory/2248-232-0x0000000001230000-0x0000000001734000-memory.dmp

Filesize
5.0MB

Download
memory/2248-233-0x0000000001230000-0x0000000001734000-memory.dmp

Filesize
5.0MB

Download
memory/2248-3-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/2248-1-0x0000000077130000-0x0000000077132000-memory.dmp

Filesize
8KB

Download
memory/2248-236-0x0000000001230000-0x0000000001734000-memory.dmp

Filesize
5.0MB

Download
memory/2248-238-0x0000000001230000-0x0000000001734000-memory.dmp

Filesize
5.0MB

Download
memory/2248-240-0x0000000001230000-0x0000000001734000-memory.dmp

Filesize
5.0MB

Download
memory/2248-243-0x0000000001230000-0x0000000001734000-memory.dmp

Filesize
5.0MB

Download
memory/2248-245-0x0000000001230000-0x0000000001734000-memory.dmp

Filesize
5.0MB

Download
memory/2248-248-0x0000000001230000-0x0000000001734000-memory.dmp

Filesize
5.0MB

Download
memory/2248-250-0x0000000001230000-0x0000000001734000-memory.dmp

Filesize
5.0MB

Download
memory/2248-252-0x0000000001230000-0x0000000001734000-memory.dmp

Filesize
5.0MB

Download
memory/2248-254-0x0000000001230000-0x0000000001734000-memory.dmp

Filesize
5.0MB

Download
memory/2248-256-0x0000000001230000-0x0000000001734000-memory.dmp

Filesize
5.0MB

Download
memory/2248-258-0x0000000001230000-0x0000000001734000-memory.dmp

Filesize
5.0MB

Download
memory/2248-261-0x0000000001230000-0x0000000001734000-memory.dmp

Filesize
5.0MB

Download