cryptbot | 12dd0096f6d94a29abc4f8da7203dfef2b3f8ce5a0fb4c959fe53caa3b26d4a3

Analysis

max time kernel
150s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 11:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

91a8df2a703c7a45dd810b8ac711b3f1_JaffaCakes118.exe
Size

2.0MB
MD5

91a8df2a703c7a45dd810b8ac711b3f1
SHA1

584704b833ff492ee99ed1cb9a13365a0993a539
SHA256

12dd0096f6d94a29abc4f8da7203dfef2b3f8ce5a0fb4c959fe53caa3b26d4a3
SHA512

d0d20c6896d602801d6cd5e6f779c43db6d5c620a90a87c208f2aa5a5e0b1e119235ba6c919a16069251828fb91af9dcaac7002e1bff80fca70c4cf28ee8762e
SSDEEP

49152:2/t+m+UUUUUUJUUUUUUQ9XpiNfwG0chfhp838YbgBs0qm56TZylx+ZJMV:W+mJUUUUUJUUUUUUZVHhp83xEu6x+/

Score

10^/10

cryptbot discovery evasion spyware stealer

Malware Config

Extracted

Family

cryptbot

nkoopw01.top

moraass06.top

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 18 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2964-6-0x0000000000630000-0x0000000000B20000-memory.dmp	family_cryptbot
behavioral2/memory/2964-7-0x0000000000630000-0x0000000000B20000-memory.dmp	family_cryptbot
behavioral2/memory/2964-56-0x0000000000630000-0x0000000000B20000-memory.dmp	family_cryptbot
behavioral2/memory/2964-214-0x0000000000630000-0x0000000000B20000-memory.dmp	family_cryptbot
behavioral2/memory/2964-215-0x0000000000630000-0x0000000000B20000-memory.dmp	family_cryptbot
behavioral2/memory/2964-217-0x0000000000630000-0x0000000000B20000-memory.dmp	family_cryptbot
behavioral2/memory/2964-219-0x0000000000630000-0x0000000000B20000-memory.dmp	family_cryptbot
behavioral2/memory/2964-221-0x0000000000630000-0x0000000000B20000-memory.dmp	family_cryptbot
behavioral2/memory/2964-224-0x0000000000630000-0x0000000000B20000-memory.dmp	family_cryptbot
behavioral2/memory/2964-226-0x0000000000630000-0x0000000000B20000-memory.dmp	family_cryptbot
behavioral2/memory/2964-229-0x0000000000630000-0x0000000000B20000-memory.dmp	family_cryptbot
behavioral2/memory/2964-232-0x0000000000630000-0x0000000000B20000-memory.dmp	family_cryptbot
behavioral2/memory/2964-235-0x0000000000630000-0x0000000000B20000-memory.dmp	family_cryptbot
behavioral2/memory/2964-238-0x0000000000630000-0x0000000000B20000-memory.dmp	family_cryptbot
behavioral2/memory/2964-240-0x0000000000630000-0x0000000000B20000-memory.dmp	family_cryptbot
behavioral2/memory/2964-243-0x0000000000630000-0x0000000000B20000-memory.dmp	family_cryptbot
behavioral2/memory/2964-249-0x0000000000630000-0x0000000000B20000-memory.dmp	family_cryptbot
behavioral2/memory/2964-251-0x0000000000630000-0x0000000000B20000-memory.dmp	family_cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

91a8df2a703c7a45dd810b8ac711b3f1_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 91a8df2a703c7a45dd810b8ac711b3f1_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	91a8df2a703c7a45dd810b8ac711b3f1_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

91a8df2a703c7a45dd810b8ac711b3f1_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	91a8df2a703c7a45dd810b8ac711b3f1_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	91a8df2a703c7a45dd810b8ac711b3f1_JaffaCakes118.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

91a8df2a703c7a45dd810b8ac711b3f1_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine 91a8df2a703c7a45dd810b8ac711b3f1_JaffaCakes118.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

91a8df2a703c7a45dd810b8ac711b3f1_JaffaCakes118.exe

pid process

2964 91a8df2a703c7a45dd810b8ac711b3f1_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine	91a8df2a703c7a45dd810b8ac711b3f1_JaffaCakes118.exe

pid	process
2964	91a8df2a703c7a45dd810b8ac711b3f1_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

91a8df2a703c7a45dd810b8ac711b3f1_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	91a8df2a703c7a45dd810b8ac711b3f1_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	91a8df2a703c7a45dd810b8ac711b3f1_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

91a8df2a703c7a45dd810b8ac711b3f1_JaffaCakes118.exe

pid process

2964 91a8df2a703c7a45dd810b8ac711b3f1_JaffaCakes118.exe
2964 91a8df2a703c7a45dd810b8ac711b3f1_JaffaCakes118.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

91a8df2a703c7a45dd810b8ac711b3f1_JaffaCakes118.exe

pid process

2964 91a8df2a703c7a45dd810b8ac711b3f1_JaffaCakes118.exe
2964 91a8df2a703c7a45dd810b8ac711b3f1_JaffaCakes118.exe

pid	process
2964	91a8df2a703c7a45dd810b8ac711b3f1_JaffaCakes118.exe
2964	91a8df2a703c7a45dd810b8ac711b3f1_JaffaCakes118.exe

pid	process
2964	91a8df2a703c7a45dd810b8ac711b3f1_JaffaCakes118.exe
2964	91a8df2a703c7a45dd810b8ac711b3f1_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\91a8df2a703c7a45dd810b8ac711b3f1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\91a8df2a703c7a45dd810b8ac711b3f1_JaffaCakes118.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1032 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:1824

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PZLmFMi\3wVKNZeIj.zip
Filesize
38KB

MD5
f6fa0c8609cc32c96647f360005fd7de

SHA1
603d6597805d96c9ec4df45bf75dbc11a2d489c7

SHA256
e8e42f366663ba5ee62f71c5dd1b9ae0b79371e942a9881843527cd958a7d99d

SHA512
3017171a00b9eec5e3fdac67921083a3372a373d67a744d9077561e2d9c3ceb39cf53a260c7ccacf67190edc79182290127e48b7814dc7725b89458ac1a67ee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\PZLmFMi\_Files\_Information.txt
Filesize
4KB

MD5
9194d9b6efc8458467fcd94b74a10118

SHA1
4da4739f5a39a48ba50aad0ccf27cacae1f6194c

SHA256
bb5be695c5906d813a8810ebb7dbb1439d4c9ed432b835b4b8b7dc4fcdf6606f

SHA512
c960a46d497951b8d921f8cf5123967fea0fc292f482bb25c4d09790871ebcbd080966daa8a01c936a0c2cd96c4f9977c487de9c05d6bf9390cb75c2f0ea7585

Download Submit
C:\Users\Admin\AppData\Local\Temp\PZLmFMi\_Files\_Screen_Desktop.jpeg
Filesize
44KB

MD5
9cf03cdbedcc3b9e169e0d330fdd3272

SHA1
b375884e35b273ee9e56b4d4d16bdd742a6e8519

SHA256
4d78f6a132db2eef7a7bcc4eec606e689ce170fe1f17802f7d2b6a745acee04d

SHA512
11d616f564c0c29752d96a83a927f13349922783ea8c1a7dfe60eeea6ec798def12fd8e18217aaf7a7447c246259e6aad53e18b6480bdeeba791e6690c5d3852

Download Submit
C:\Users\Admin\AppData\Local\Temp\PZLmFMi\files_\system_info.txt
Filesize
1KB

MD5
616337c9db3494d210eb971745275d38

SHA1
ecb0680d51272df83c462c1065cf2b10be0a0787

SHA256
bdf02e9a51b404a34f43c83ad013eb05b09af49b5f4dcf817a7113ac362278b2

SHA512
3b036d6a36522a2bf17ac56b87cd23a801d52d372cff7b3ca91b93c111f640a54d743fc54ec11a4d81fe17c37abbf9073a6f64a0da7bdb0cc07be008efba694a

Download Submit
C:\Users\Admin\AppData\Local\Temp\PZLmFMi\files_\system_info.txt
Filesize
3KB

MD5
395a2e7b841982cba1ed4f95c3a532c7

SHA1
9226e6e703497f96de2c3dc0dda127e9a71ddcd8

SHA256
407e7e03298516f27f2d9251a5cac6ca9d523d5406712c81ffa2331ed7c86dad

SHA512
ec3c09102e667611e175846b41a3a4a501e3ab59557d2308b917a37792877310cca31e4416be370debec34187b1e44db3335199f8af7f3afd8b4a5a26dac167c

Download Submit
C:\Users\Admin\AppData\Local\Temp\PZLmFMi\files_\system_info.txt
Filesize
4KB

MD5
badb588c555a2b8a8df2ab7e97f97a54

SHA1
3a20553440ad6c8adb6b07387c9a7c96eebe3287

SHA256
c2ec2342a574808d97720e53fc5646c8d9cb1d5627b9526925817929c721330d

SHA512
e44feb3f2199c2e41ce652a4eb2dfee7e9f4e96be0019773d0f8ad716719c14c56441b8f5cf8c39bc2c7f01ced7465821fc174a35f2264f60b3acbc8f3533107

Download Submit
C:\Users\Admin\AppData\Local\Temp\PZLmFMi\files_\system_info.txt
Filesize
4KB

MD5
a204e58335e175b68ce590e32f025be7

SHA1
1682db16b10a6e22374b63548a3e6834d8d7b41b

SHA256
25b9bf98e15e73bdc045b0c1602573275efeb91f1271dca9117615d44f250ee5

SHA512
44781b638eeba56d183d77bbf70b422a06634628639014026d1b1a115ceecb8b9e9ee38d09932e7f79164ad048d2d8bd1bffa22f9c10be84b4acded00e6472ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\PZLmFMi\yHY8NpAVieA4k.zip
Filesize
38KB

MD5
33d046196f4bee3b262bd75074b72716

SHA1
1b114a64226c6b3f7686dea4daaeff3bc8c4b4cf

SHA256
d8272fbe193ee73fecc58b8aafd9f15ecadc3e7bcb91b027a908df1a20ed2786

SHA512
9184aab625a1859a83bf5edea1a86d7ec47e5c5596277ba37d8b5a3a1651081e4cbce14b156c50e13717f2ed4c5738e380c60e3f7fd3baff978a0031704d4f05

Download Submit
memory/2964-215-0x0000000000630000-0x0000000000B20000-memory.dmp

Filesize
4.9MB

Download
memory/2964-3-0x00000000051D0000-0x00000000051D1000-memory.dmp

Filesize
4KB

Download
memory/2964-7-0x0000000000630000-0x0000000000B20000-memory.dmp

Filesize
4.9MB

Download
memory/2964-6-0x0000000000630000-0x0000000000B20000-memory.dmp

Filesize
4.9MB

Download
memory/2964-5-0x0000000000631000-0x000000000068C000-memory.dmp

Filesize
364KB

Download
memory/2964-2-0x00000000051B0000-0x00000000051B1000-memory.dmp

Filesize
4KB

Download
memory/2964-4-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download
memory/2964-214-0x0000000000630000-0x0000000000B20000-memory.dmp

Filesize
4.9MB

Download
memory/2964-0-0x0000000000630000-0x0000000000B20000-memory.dmp

Filesize
4.9MB

Download
memory/2964-217-0x0000000000630000-0x0000000000B20000-memory.dmp

Filesize
4.9MB

Download
memory/2964-219-0x0000000000630000-0x0000000000B20000-memory.dmp

Filesize
4.9MB

Download
memory/2964-56-0x0000000000630000-0x0000000000B20000-memory.dmp

Filesize
4.9MB

Download
memory/2964-221-0x0000000000630000-0x0000000000B20000-memory.dmp

Filesize
4.9MB

Download
memory/2964-224-0x0000000000630000-0x0000000000B20000-memory.dmp

Filesize
4.9MB

Download
memory/2964-226-0x0000000000630000-0x0000000000B20000-memory.dmp

Filesize
4.9MB

Download
memory/2964-229-0x0000000000630000-0x0000000000B20000-memory.dmp

Filesize
4.9MB

Download
memory/2964-232-0x0000000000630000-0x0000000000B20000-memory.dmp

Filesize
4.9MB

Download
memory/2964-235-0x0000000000630000-0x0000000000B20000-memory.dmp

Filesize
4.9MB

Download
memory/2964-238-0x0000000000630000-0x0000000000B20000-memory.dmp

Filesize
4.9MB

Download
memory/2964-240-0x0000000000630000-0x0000000000B20000-memory.dmp

Filesize
4.9MB

Download
memory/2964-243-0x0000000000630000-0x0000000000B20000-memory.dmp

Filesize
4.9MB

Download
memory/2964-249-0x0000000000630000-0x0000000000B20000-memory.dmp

Filesize
4.9MB

Download
memory/2964-251-0x0000000000630000-0x0000000000B20000-memory.dmp

Filesize
4.9MB

Download
memory/2964-1-0x00000000772D4000-0x00000000772D6000-memory.dmp

Filesize
8KB

Download