cryptbot | a7c197851b0d857569e0f4711d965bfdf3da7da820ea95caa6ee1317e9f8602d

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
31-05-2024 17:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87baf758e41c9e99d91975085d024aad_JaffaCakes118.exe
Size

4.0MB
MD5

87baf758e41c9e99d91975085d024aad
SHA1

7816e63608f056dbb1aaf25fbf4041a959073f81
SHA256

a7c197851b0d857569e0f4711d965bfdf3da7da820ea95caa6ee1317e9f8602d
SHA512

770b669b7821c4c893d222a023b12d41b01cc6afd4ca6a81c738a583411e7c6f61576a1e1d6aec943e5257c9233038d0827d67e8d9743a4d1e3440f3ae3541a3
SSDEEP

98304:7WP/L48ggBUAmtNSId9TxLw5uEcltXCFA9F2LHHJyfWRu2IYEfA:7Wrpgge0ILTuAEclBCFssLnJRuVY

Score

10^/10

cryptbot discovery evasion spyware stealer

Malware Config

Extracted

Family

cryptbot

vvz01.pro

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Set.exeSetup.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Set.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Setup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Set.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Setup.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Setup.exeSet.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Set.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Set.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Setup.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation Setup.exe
Executes dropped EXE 2 IoCs

Processes:

Setup.exeSet.exe

pid process

2948 Setup.exe
1148 Set.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Setup.exe

pid	process
2948	Setup.exe
1148	Set.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

Setup.exeSet.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Wine	Setup.exe
Key opened	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Wine	Set.exe

Loads dropped DLL 1 IoCs

Processes:

87baf758e41c9e99d91975085d024aad_JaffaCakes118.exe

pid process

2180 87baf758e41c9e99d91975085d024aad_JaffaCakes118.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

67 iplogger.org
68 iplogger.org
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Setup.exeSet.exe

pid process

2948 Setup.exe
1148 Set.exe

pid	process
2180	87baf758e41c9e99d91975085d024aad_JaffaCakes118.exe

flow	ioc
67	iplogger.org
68	iplogger.org

flow	ioc
9	ip-api.com

pid	process
2948	Setup.exe
1148	Set.exe

Drops file in Program Files directory 5 IoCs

Processes:

87baf758e41c9e99d91975085d024aad_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files (x86)\Cyper\vm_risc_begin.inc	87baf758e41c9e99d91975085d024aad_JaffaCakes118.exe
File created	C:\Program Files (x86)\Cyper\Set.exe	87baf758e41c9e99d91975085d024aad_JaffaCakes118.exe
File created	C:\Program Files (x86)\Cyper\Setup.exe	87baf758e41c9e99d91975085d024aad_JaffaCakes118.exe
File created	C:\Program Files (x86)\Cyper\vm_begin.inc	87baf758e41c9e99d91975085d024aad_JaffaCakes118.exe
File created	C:\Program Files (x86)\Cyper\vm_end.inc	87baf758e41c9e99d91975085d024aad_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Setup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Setup.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1268 timeout.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Setup.exeSet.exe

pid process

2948 Setup.exe
2948 Setup.exe
1148 Set.exe
1148 Set.exe
Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

Setup.exe

pid process

2948 Setup.exe
2948 Setup.exe
2948 Setup.exe
2948 Setup.exe
2948 Setup.exe
2948 Setup.exe
2948 Setup.exe
2948 Setup.exe
2948 Setup.exe
2948 Setup.exe
2948 Setup.exe
2948 Setup.exe

pid	process
1268	timeout.exe

pid	process
2948	Setup.exe
2948	Setup.exe
1148	Set.exe
1148	Set.exe

pid	process
2948	Setup.exe
2948	Setup.exe
2948	Setup.exe
2948	Setup.exe
2948	Setup.exe
2948	Setup.exe
2948	Setup.exe
2948	Setup.exe
2948	Setup.exe
2948	Setup.exe
2948	Setup.exe
2948	Setup.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

87baf758e41c9e99d91975085d024aad_JaffaCakes118.exeSetup.execmd.exe

description	pid	process	target process
PID 2180 wrote to memory of 2948	2180	87baf758e41c9e99d91975085d024aad_JaffaCakes118.exe	Setup.exe
PID 2180 wrote to memory of 2948	2180	87baf758e41c9e99d91975085d024aad_JaffaCakes118.exe	Setup.exe
PID 2180 wrote to memory of 2948	2180	87baf758e41c9e99d91975085d024aad_JaffaCakes118.exe	Setup.exe
PID 2948 wrote to memory of 4024	2948	Setup.exe	cmd.exe
PID 2948 wrote to memory of 4024	2948	Setup.exe	cmd.exe
PID 2948 wrote to memory of 4024	2948	Setup.exe	cmd.exe
PID 4024 wrote to memory of 1268	4024	cmd.exe	timeout.exe
PID 4024 wrote to memory of 1268	4024	cmd.exe	timeout.exe
PID 4024 wrote to memory of 1268	4024	cmd.exe	timeout.exe
PID 2180 wrote to memory of 1148	2180	87baf758e41c9e99d91975085d024aad_JaffaCakes118.exe	Set.exe
PID 2180 wrote to memory of 1148	2180	87baf758e41c9e99d91975085d024aad_JaffaCakes118.exe	Set.exe
PID 2180 wrote to memory of 1148	2180	87baf758e41c9e99d91975085d024aad_JaffaCakes118.exe	Set.exe

C:\Users\Admin\AppData\Local\Temp\87baf758e41c9e99d91975085d024aad_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\87baf758e41c9e99d91975085d024aad_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2180

C:\Program Files (x86)\Cyper\Setup.exe
"C:\Program Files (x86)\Cyper\Setup.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2948

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\3T46OoQYgQHw0Do & timeout 2 & del /f /q "C:\Program Files (x86)\Cyper\Setup.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4024

C:\Windows\SysWOW64\timeout.exe
timeout 2
4⤵
- Delays execution with timeout.exe
PID:1268

C:\Program Files (x86)\Cyper\Set.exe
"C:\Program Files (x86)\Cyper\Set.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1148

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Cyper\Set.exe
Filesize
1.9MB

MD5
8baf775e6405ac5d6fb0a1a415909014

SHA1
a315a3bf0604464122a852be17dc8b809c5db6fb

SHA256
23f05a44b97ab0dae4b7820c9e01fadce31021d4d3826fb646aa2000ca2701d8

SHA512
8dedee40d23df25a68a5243ede2d5ab4ba6160842b8701c22a8f4f5c0355cdb1c53bc2f58fe01345b768fb055694d8000bef2831e958fa7b95e71c5ccdbc1b23

Download Submit
C:\Program Files (x86)\Cyper\Setup.exe
Filesize
2.2MB

MD5
184073024e93d570c71c2e49afc5b26b

SHA1
dbb7cdcb73b04092e9465969f1075227617e88bb

SHA256
cc76ddcff8abaf26698c735a56abb171773c48262e06ae2dbdcaf13769edb8de

SHA512
00296de5e63229dd91e71dc8d347a34203829314339690a63b5e448ecfda9a7be0f1be11fd34f2936590d30c05ec7ef126ad9ab695ef18459326bdc66160474d

Download Submit
C:\ProgramData\3T46OoQYgQHw0Do\47283761.txt
Filesize
156B

MD5
b5089e0c5a3d5377e9bd19c0557ef04e

SHA1
9402e326be3d240e234c06892b15c24e93c93eb8

SHA256
d77789b2c49759c882f4fdd6f53e665b0d012f8f0949d0150eaba47fbf2a0eb5

SHA512
942349ccb99854f274ef1e20b623660588e15bd0d25bfc817fe9b2d010db656af340652e0e67b41edbf0cf259d55ab880d6b50acb1d7e8ab394f1393f7956c13

Download Submit
C:\ProgramData\3T46OoQYgQHw0Do\Files\_Info.txt
Filesize
7KB

MD5
7b4b29061c437a88383e6ac1362dac35

SHA1
4175bda7f27d85779e49a152b641bbc76876f024

SHA256
7de6dcdffc0b43b772383a4d07bcc52f3693ffaae5aebc1a4d1f2139eea6615f

SHA512
b5f7b024e0864f2525d46aeb69233f1b9801086fec21abfafa10b53cbc117282c8113a93b5d4ffd8ef76e75ed1ecfda7694ef3d2404f0ee80cc3959f804d286d

Download Submit
C:\ProgramData\3T46OoQYgQHw0Do\Files\_Info.txt
Filesize
6KB

MD5
cd310f651b3df8a45af44d544f3fe691

SHA1
9deb38baf7ef0ee9f11f26411e909f6fe4b16dd6

SHA256
7d5c367152a63b746a150b69cd763cd83d380f89b32456d929944fe9a522c39b

SHA512
f0fc47bcefe827eb746dcf3ef19183e390e583d0826d5bde8bb25a9794096fd05c28cb2490ffc1b70276407aa3d269f69ea27fea685b56809e34901d706eb8d7

Download Submit
C:\ProgramData\3T46OoQYgQHw0Do\Files\_Screen.jpg
Filesize
50KB

MD5
a0bb2763eb2df4004d67163da8f1e51c

SHA1
78e3d9d22477e3ce123a0652fa6f1b5c8628c36f

SHA256
8426faabbebfbf598eabce776a3b54c28210d9d0b8b0415ec3605966c1fe0d7e

SHA512
82e5b4df80e2e91636b90ddf2dfbaba7b7a100877ea88f3dae52af379d96ec264da40b134f117a3783ccc3c0e5b36490c99fd2889988b5741e5107d584fedece

Download Submit
C:\ProgramData\3T46OoQYgQHw0Do\MOZ_CO~1.DB
Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\ProgramData\3T46OoQYgQHw0Do\f8UQpnURn.zip
Filesize
45KB

MD5
e2725bcf64801f0aa1c4dbaa57eced76

SHA1
4836001ceeacae990527a490916a2fd145573bb5

SHA256
46bac058a4c7a2c6da68ea0b9cf3a8f036da639d02ffb8a6921604df9eece9a4

SHA512
f5c5522fb53a22c652fd10c4ab9b3d925b44a61e093123aee7788fe7736cd5607bfbfbd948f82f9fd2f6c7f8edd46bd7f016b20f8ff52bc2359b2913172e2593

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr253C.tmp\UAC.dll
Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/1148-213-0x0000000000400000-0x00000000008AC000-memory.dmp

Filesize
4.7MB

Download
memory/2948-170-0x0000000000B10000-0x0000000001062000-memory.dmp

Filesize
5.3MB

Download
memory/2948-184-0x0000000000B10000-0x0000000001062000-memory.dmp

Filesize
5.3MB

Download
memory/2948-18-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/2948-19-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/2948-164-0x0000000000B10000-0x0000000001062000-memory.dmp

Filesize
5.3MB

Download
memory/2948-30-0x0000000000B10000-0x0000000001062000-memory.dmp

Filesize
5.3MB

Download
memory/2948-167-0x0000000000B10000-0x0000000001062000-memory.dmp

Filesize
5.3MB

Download
memory/2948-168-0x0000000000B10000-0x0000000001062000-memory.dmp

Filesize
5.3MB

Download
memory/2948-17-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/2948-172-0x0000000000B10000-0x0000000001062000-memory.dmp

Filesize
5.3MB

Download
memory/2948-175-0x0000000000B10000-0x0000000001062000-memory.dmp

Filesize
5.3MB

Download
memory/2948-179-0x0000000000B10000-0x0000000001062000-memory.dmp

Filesize
5.3MB

Download
memory/2948-181-0x0000000000B10000-0x0000000001062000-memory.dmp

Filesize
5.3MB

Download
memory/2948-33-0x0000000000B10000-0x0000000001062000-memory.dmp

Filesize
5.3MB

Download
memory/2948-187-0x0000000000B10000-0x0000000001062000-memory.dmp

Filesize
5.3MB

Download
memory/2948-190-0x0000000000B10000-0x0000000001062000-memory.dmp

Filesize
5.3MB

Download
memory/2948-193-0x0000000000B10000-0x0000000001062000-memory.dmp

Filesize
5.3MB

Download
memory/2948-196-0x0000000000B10000-0x0000000001062000-memory.dmp

Filesize
5.3MB

Download
memory/2948-199-0x0000000000B10000-0x0000000001062000-memory.dmp

Filesize
5.3MB

Download
memory/2948-201-0x0000000000B10000-0x0000000001062000-memory.dmp

Filesize
5.3MB

Download
memory/2948-204-0x0000000000B10000-0x0000000001062000-memory.dmp

Filesize
5.3MB

Download
memory/2948-205-0x0000000000B10000-0x0000000001062000-memory.dmp

Filesize
5.3MB

Download
memory/2948-28-0x0000000000B10000-0x0000000001062000-memory.dmp

Filesize
5.3MB

Download
memory/2948-20-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

Filesize
4KB

Download
memory/2948-22-0x0000000000B11000-0x0000000000B70000-memory.dmp

Filesize
380KB

Download
memory/2948-14-0x0000000077AD4000-0x0000000077AD6000-memory.dmp

Filesize
8KB

Download
memory/2948-13-0x0000000000B10000-0x0000000001062000-memory.dmp

Filesize
5.3MB

Download