cryptbot | 7cedfec517d2cb0967ed42266802acbbdb12dfbac5f32d677f7b5a8d43544cf9

Analysis

max time kernel
149s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
30-05-2024 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe
Size

2.1MB
MD5

84ed617163c46602cbac577800ca9af0
SHA1

44ece41b2f92117655b0aed8180890ab3a2e79a9
SHA256

7cedfec517d2cb0967ed42266802acbbdb12dfbac5f32d677f7b5a8d43544cf9
SHA512

455a990ee280a9445d1c3884e2ba2841e964f37d429a2742a91076e1bd819c0f8f692923700929d0fad88144c7916f2393d049b964bf9cba5cb99b42c1822233
SSDEEP

49152:T2pgPMMANpMshiMAZPMQQMCzTEBliSd/FTJEQbatj:T2pgPrssZLdBltd9TJ

Score

10^/10

cryptbot discovery evasion spyware stealer

Malware Config

Extracted

Family

cryptbot

bibinene03.top

moraass05.top

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 18 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4760-6-0x00000000005C0000-0x0000000000AC4000-memory.dmp	family_cryptbot
behavioral2/memory/4760-7-0x00000000005C0000-0x0000000000AC4000-memory.dmp	family_cryptbot
behavioral2/memory/4760-222-0x00000000005C0000-0x0000000000AC4000-memory.dmp	family_cryptbot
behavioral2/memory/4760-224-0x00000000005C0000-0x0000000000AC4000-memory.dmp	family_cryptbot
behavioral2/memory/4760-226-0x00000000005C0000-0x0000000000AC4000-memory.dmp	family_cryptbot
behavioral2/memory/4760-228-0x00000000005C0000-0x0000000000AC4000-memory.dmp	family_cryptbot
behavioral2/memory/4760-230-0x00000000005C0000-0x0000000000AC4000-memory.dmp	family_cryptbot
behavioral2/memory/4760-233-0x00000000005C0000-0x0000000000AC4000-memory.dmp	family_cryptbot
behavioral2/memory/4760-236-0x00000000005C0000-0x0000000000AC4000-memory.dmp	family_cryptbot
behavioral2/memory/4760-239-0x00000000005C0000-0x0000000000AC4000-memory.dmp	family_cryptbot
behavioral2/memory/4760-242-0x00000000005C0000-0x0000000000AC4000-memory.dmp	family_cryptbot
behavioral2/memory/4760-245-0x00000000005C0000-0x0000000000AC4000-memory.dmp	family_cryptbot
behavioral2/memory/4760-248-0x00000000005C0000-0x0000000000AC4000-memory.dmp	family_cryptbot
behavioral2/memory/4760-250-0x00000000005C0000-0x0000000000AC4000-memory.dmp	family_cryptbot
behavioral2/memory/4760-256-0x00000000005C0000-0x0000000000AC4000-memory.dmp	family_cryptbot
behavioral2/memory/4760-259-0x00000000005C0000-0x0000000000AC4000-memory.dmp	family_cryptbot
behavioral2/memory/4760-261-0x00000000005C0000-0x0000000000AC4000-memory.dmp	family_cryptbot
behavioral2/memory/4760-265-0x00000000005C0000-0x0000000000AC4000-memory.dmp	family_cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Wine 84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe

pid process

4760 84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Wine	84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe

pid	process
4760	84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe

pid process

4760 84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe
4760 84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe

pid process

4760 84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe
4760 84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe

pid	process
4760	84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe
4760	84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe

pid	process
4760	84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe
4760	84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:4760

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Gz3Dea1l\CXDWkorAXzEG2S.zip
Filesize
44KB

MD5
d552e2f6df52c0d7c372d3ca0b51dc88

SHA1
54b59588d56f49d1c75b3fae967aa795d0e8df68

SHA256
6685427ba73e754a6c38f1171dfedd17fc4a877a348d5d910a133884c6467fcb

SHA512
1f539206891088a62c4c25288553b3e6e8fe3882293fae21a1b6fc7d24356f7bc2e634e830d0ea1b12fc9d724409b238ebae95112405e2fc4cad26c630edfe48

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gz3Dea1l\_Files\_Information.txt
Filesize
1KB

MD5
bc0f6e81f81aa9245de89c2b9ec6384f

SHA1
bd5daa4fd4896547b786a9fd33f8edd3988f4a29

SHA256
4c08c4732e7be2a4b1bcb52f7bb8e2d819b651ee42cc499bec9597dcf71aaf3a

SHA512
eda5fe3d04c02c195b105dfccbf76d21cce81d841806ae599fd8b5f3bea5fc2c25b0c46ae3e02ed7200f0f96f333d72a6a8137c450ac1f45ed9d2ae1e6898dc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gz3Dea1l\_Files\_Information.txt
Filesize
5KB

MD5
dc5e6ff4483fb6e27cf3326d3caf48f3

SHA1
4152048a9f2eb82f79b6154275c050aba8ee044d

SHA256
aa1d4cd8be21edef13db8528c9ca3729f67ddfed9962effd4791940aac51856f

SHA512
728a73f14772cb0e4e8e75fac1489c99a10cb48aac5bd773612633060505059b1ad0c8f745fb049eb50fffe3f520c84e0987407a591b7683a80866d9f5024125

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gz3Dea1l\_Files\_Screen_Desktop.jpeg
Filesize
50KB

MD5
dbed2d95046b873a35156c58d0a68188

SHA1
d2f3abb2cdf6a46d30a1d16445bd8fbbb05d16d9

SHA256
5305075bfc4b91f86992aa20fe5548033033855064ac038e9887705f4dab0791

SHA512
ce768ed547dcfcbe02f266bd6031eabf9e94886c362e5d83fdf8b402f77d49a3bc389db06587aa8a54dde9a51449b9252f74834a6f3d5b8ed712b704d7ab8126

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gz3Dea1l\files_\system_info.txt
Filesize
7KB

MD5
6f60eb9a257e4f2131ab1d9e7aa216af

SHA1
33aab7c31db154410a52393186b30bc801df04a3

SHA256
baf9bd1e897c4906d5d1b4f973768d9b088ab01fd00844181e2d732b3180240c

SHA512
4a1f417d403bbf094aac65809bd68f4c44ab4997376ab5533dbc534692fe5588a3f3e757911e1b23f1e600cf85135843f528ea48cfff72d8471458cf88556ea7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gz3Dea1l\nEhi5gWsHhUu.zip
Filesize
44KB

MD5
dcb3f887195f12d66faf2e5fe02a4bbe

SHA1
1f549634823e96af3c9c5ed93b97b2367455168c

SHA256
6a5a764d7b37e61da53cc6f7188dba415b665edf5df38525156f34196e82f804

SHA512
87e13c9d8885acbd9c8aa7e2ff024f0f984342df622f82e3756240029c61032fc3194585dbf10784b2b9fd3eec1f48ae55ffc4b1696c5431a2d7e5982bd37b79

Download Submit
memory/4760-7-0x00000000005C0000-0x0000000000AC4000-memory.dmp

Filesize
5.0MB

Download
memory/4760-230-0x00000000005C0000-0x0000000000AC4000-memory.dmp

Filesize
5.0MB

Download
memory/4760-6-0x00000000005C0000-0x0000000000AC4000-memory.dmp

Filesize
5.0MB

Download
memory/4760-2-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/4760-5-0x00000000005C1000-0x000000000061C000-memory.dmp

Filesize
364KB

Download
memory/4760-3-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

Filesize
4KB

Download
memory/4760-222-0x00000000005C0000-0x0000000000AC4000-memory.dmp

Filesize
5.0MB

Download
memory/4760-224-0x00000000005C0000-0x0000000000AC4000-memory.dmp

Filesize
5.0MB

Download
memory/4760-4-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/4760-226-0x00000000005C0000-0x0000000000AC4000-memory.dmp

Filesize
5.0MB

Download
memory/4760-228-0x00000000005C0000-0x0000000000AC4000-memory.dmp

Filesize
5.0MB

Download
memory/4760-0-0x00000000005C0000-0x0000000000AC4000-memory.dmp

Filesize
5.0MB

Download
memory/4760-233-0x00000000005C0000-0x0000000000AC4000-memory.dmp

Filesize
5.0MB

Download
memory/4760-236-0x00000000005C0000-0x0000000000AC4000-memory.dmp

Filesize
5.0MB

Download
memory/4760-239-0x00000000005C0000-0x0000000000AC4000-memory.dmp

Filesize
5.0MB

Download
memory/4760-242-0x00000000005C0000-0x0000000000AC4000-memory.dmp

Filesize
5.0MB

Download
memory/4760-245-0x00000000005C0000-0x0000000000AC4000-memory.dmp

Filesize
5.0MB

Download
memory/4760-248-0x00000000005C0000-0x0000000000AC4000-memory.dmp

Filesize
5.0MB

Download
memory/4760-250-0x00000000005C0000-0x0000000000AC4000-memory.dmp

Filesize
5.0MB

Download
memory/4760-256-0x00000000005C0000-0x0000000000AC4000-memory.dmp

Filesize
5.0MB

Download
memory/4760-1-0x0000000076FA4000-0x0000000076FA6000-memory.dmp

Filesize
8KB

Download
memory/4760-259-0x00000000005C0000-0x0000000000AC4000-memory.dmp

Filesize
5.0MB

Download
memory/4760-261-0x00000000005C0000-0x0000000000AC4000-memory.dmp

Filesize
5.0MB

Download
memory/4760-265-0x00000000005C0000-0x0000000000AC4000-memory.dmp

Filesize
5.0MB

Download