cryptbot | c30c4b50fdebd3785a43e8252fd6f00d6cc430e058e9ac27e587bfcdc82ee79b

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-06-2024 05:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d2e88704dc2ea1ecbdb0395624ce6ce_JaffaCakes118.exe
Size

2.0MB
MD5

9d2e88704dc2ea1ecbdb0395624ce6ce
SHA1

00420cdefcca4cb7e8b21656f22aaa4ad8dcb098
SHA256

c30c4b50fdebd3785a43e8252fd6f00d6cc430e058e9ac27e587bfcdc82ee79b
SHA512

9027ce3bbd409debcf829014c13ac6f0f3411750b1b389a667ec46aeeeaf87e3571b887eab13dbf4d00d193a942f64c56fd4e59d5b34f985c4f4cbf6e6ce8b15
SSDEEP

24576:yXArZj1IaKqnIeZ9hq/8xb7o/sArYReD+3luCWlq/eT6Ky+9Bpums1yh551o02gc:xgcJFq0R7s61utIcumEyh55Cgqh155

Score

10^/10

cryptbot discovery evasion spyware stealer

Malware Config

Extracted

Family

cryptbot

bibinene01.top

moraass05.top

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 18 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2144-6-0x00000000001D0000-0x00000000006C2000-memory.dmp	family_cryptbot
behavioral2/memory/2144-7-0x00000000001D0000-0x00000000006C2000-memory.dmp	family_cryptbot
behavioral2/memory/2144-226-0x00000000001D0000-0x00000000006C2000-memory.dmp	family_cryptbot
behavioral2/memory/2144-227-0x00000000001D0000-0x00000000006C2000-memory.dmp	family_cryptbot
behavioral2/memory/2144-229-0x00000000001D0000-0x00000000006C2000-memory.dmp	family_cryptbot
behavioral2/memory/2144-230-0x00000000001D0000-0x00000000006C2000-memory.dmp	family_cryptbot
behavioral2/memory/2144-231-0x00000000001D0000-0x00000000006C2000-memory.dmp	family_cryptbot
behavioral2/memory/2144-233-0x00000000001D0000-0x00000000006C2000-memory.dmp	family_cryptbot
behavioral2/memory/2144-236-0x00000000001D0000-0x00000000006C2000-memory.dmp	family_cryptbot
behavioral2/memory/2144-238-0x00000000001D0000-0x00000000006C2000-memory.dmp	family_cryptbot
behavioral2/memory/2144-242-0x00000000001D0000-0x00000000006C2000-memory.dmp	family_cryptbot
behavioral2/memory/2144-244-0x00000000001D0000-0x00000000006C2000-memory.dmp	family_cryptbot
behavioral2/memory/2144-245-0x00000000001D0000-0x00000000006C2000-memory.dmp	family_cryptbot
behavioral2/memory/2144-247-0x00000000001D0000-0x00000000006C2000-memory.dmp	family_cryptbot
behavioral2/memory/2144-248-0x00000000001D0000-0x00000000006C2000-memory.dmp	family_cryptbot
behavioral2/memory/2144-250-0x00000000001D0000-0x00000000006C2000-memory.dmp	family_cryptbot
behavioral2/memory/2144-251-0x00000000001D0000-0x00000000006C2000-memory.dmp	family_cryptbot
behavioral2/memory/2144-253-0x00000000001D0000-0x00000000006C2000-memory.dmp	family_cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

9d2e88704dc2ea1ecbdb0395624ce6ce_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 9d2e88704dc2ea1ecbdb0395624ce6ce_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	9d2e88704dc2ea1ecbdb0395624ce6ce_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9d2e88704dc2ea1ecbdb0395624ce6ce_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	9d2e88704dc2ea1ecbdb0395624ce6ce_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	9d2e88704dc2ea1ecbdb0395624ce6ce_JaffaCakes118.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

9d2e88704dc2ea1ecbdb0395624ce6ce_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Wine 9d2e88704dc2ea1ecbdb0395624ce6ce_JaffaCakes118.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

9d2e88704dc2ea1ecbdb0395624ce6ce_JaffaCakes118.exe

pid process

2144 9d2e88704dc2ea1ecbdb0395624ce6ce_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Wine	9d2e88704dc2ea1ecbdb0395624ce6ce_JaffaCakes118.exe

pid	process
2144	9d2e88704dc2ea1ecbdb0395624ce6ce_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9d2e88704dc2ea1ecbdb0395624ce6ce_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	9d2e88704dc2ea1ecbdb0395624ce6ce_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	9d2e88704dc2ea1ecbdb0395624ce6ce_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

9d2e88704dc2ea1ecbdb0395624ce6ce_JaffaCakes118.exe

pid process

2144 9d2e88704dc2ea1ecbdb0395624ce6ce_JaffaCakes118.exe
2144 9d2e88704dc2ea1ecbdb0395624ce6ce_JaffaCakes118.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

9d2e88704dc2ea1ecbdb0395624ce6ce_JaffaCakes118.exe

pid process

2144 9d2e88704dc2ea1ecbdb0395624ce6ce_JaffaCakes118.exe
2144 9d2e88704dc2ea1ecbdb0395624ce6ce_JaffaCakes118.exe

pid	process
2144	9d2e88704dc2ea1ecbdb0395624ce6ce_JaffaCakes118.exe
2144	9d2e88704dc2ea1ecbdb0395624ce6ce_JaffaCakes118.exe

pid	process
2144	9d2e88704dc2ea1ecbdb0395624ce6ce_JaffaCakes118.exe
2144	9d2e88704dc2ea1ecbdb0395624ce6ce_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\9d2e88704dc2ea1ecbdb0395624ce6ce_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9d2e88704dc2ea1ecbdb0395624ce6ce_JaffaCakes118.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2144

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aPufWpBe\ZpWqthoPoJ.zip
Filesize
254KB

MD5
340df19f20c4c673ef7e9d57bfd985c2

SHA1
b6e2d2acc94b60ca54ceaa95072fd5f000e9112c

SHA256
11e37494318c67d69a5baf2e82a8c357eada9a44474f4ed39a5d7d22faf54ce4

SHA512
0def923c0254ee63831b3cb2706c9a6e4c58379d0c970bb911889e9bca39734dc5242805b66b4e08344112c07255586c58310de783ed6aba2877dd78afb78e77

Download Submit
C:\Users\Admin\AppData\Local\Temp\aPufWpBe\_Files\_Files\DisconnectResolve.txt
Filesize
211KB

MD5
a1a8bcec5d4d03ae98a092547a227e42

SHA1
ce7d9144290d66487d97e835974473f7adc16c3d

SHA256
d2d3aef4fdb44221b2a7aa7dab2e9a2821f1d0997f8394aca162e971f47fa185

SHA512
44ac6fc364bdcbe66655d74bdb3df15ec97da0c9371165f2c4f662e2f23d6955a8926468e0d6f330a37a23ba9f75aa2b1d89f604f06ff2313bbd0a2c4998af70

Download Submit
C:\Users\Admin\AppData\Local\Temp\aPufWpBe\_Files\_Information.txt
Filesize
1KB

MD5
49dbdbeabc7afe1fabf7242bb93ac008

SHA1
c206b8fc94b5c08b84f56359bb6e923887f293f5

SHA256
6d9e7bad7a0268cc029090e7f431d6bdfc4450e79514cc9d91edc5f808548198

SHA512
8ab55359d7cef7e7cf4d51f6f3a7b992fb6093939058f1ee157cd44e4c8484777fc7bafb24f2fefa899f04fda1758393d237fabf52ac7b55a43f09539c7e7591

Download Submit
C:\Users\Admin\AppData\Local\Temp\aPufWpBe\_Files\_Information.txt
Filesize
1KB

MD5
cd454ca7d04fc7d1930f943c729c2fdc

SHA1
817df69bd44b7de12118c2bb784590719d696858

SHA256
d4681fda20004e6a72342a18cae08b1553b742098def60ee136ef8e0f1129cb1

SHA512
7f22f5584ab372653a590a8ddd497bb617a81171002d1ae3c40b22298338087dd536c9c29a42dae207a4a11e8dbc520f403196e5962d13769b26eee764372aa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\aPufWpBe\_Files\_Information.txt
Filesize
4KB

MD5
6982eedace813597dc482256724b7a20

SHA1
21a745c41fd1a47cc63549be0dfae1e9f53a015c

SHA256
26b3cc4fc400fcab3d4d49bf8b0de763b8c39b10a15a9672d0ea8fc0e56bc2a9

SHA512
954999f35acf38925cf8c1be759b2074a170c190041daadce69d4a115840b4081b6b0db024bd64e4e1850a5820d2932f8ca2eb93abda460148b085c1084bdbfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\aPufWpBe\_Files\_Screen_Desktop.jpeg
Filesize
49KB

MD5
260a8aceb8509716d46242c3c76b19c9

SHA1
c7023f6348f011fde02de8f56661424d6f0e9577

SHA256
791e87aa6896f0fb2b51d51c3416e83f21d551fd89c3ca129f6f2b3ab725f5bc

SHA512
8facb19c2a48c44962d9b0e59cfcfa63ee103badd9b9fdf48b2bfa0f2b09447d1df2122d69c367abe072884978bea34573c0c814bf76a672fa37b34cf24595a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\aPufWpBe\files_\system_info.txt
Filesize
746B

MD5
16b36798482d08d82751351a721fe7d6

SHA1
5c43d0bd0176eec51672dba6804256342fa95f73

SHA256
0cf4e115d3031a2f2925f72f583306c760cbc1f934b9eec1be67828494cb5630

SHA512
009836fc9b2e363b3ec0152fc447fd755f3e95bbbb9b6c08a652a53859b97b01b232506167c34a8804d5c1a54202e7457a103bbee79062f68ac0c227a6e46b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\aPufWpBe\files_\system_info.txt
Filesize
7KB

MD5
edbdef6f235b54bda40f164866761673

SHA1
3e34bf12db14b9bce2096e27cd28eb10f02c0d9e

SHA256
541baa5b5128baa5ab46deb40d82de5af95c00d30ec8dc2e74ddfb4104411f91

SHA512
1f1e23f5c3107836dd729001b8fbd0fbeccba68db6c71155bdafdcf306c80318b9041eb9351c6580eb68fbf3c5409d67961be333f8eb990edf40941d775db58c

Download Submit
memory/2144-227-0x00000000001D0000-0x00000000006C2000-memory.dmp

Filesize
4.9MB

Download
memory/2144-231-0x00000000001D0000-0x00000000006C2000-memory.dmp

Filesize
4.9MB

Download
memory/2144-2-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download
memory/2144-3-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/2144-6-0x00000000001D0000-0x00000000006C2000-memory.dmp

Filesize
4.9MB

Download
memory/2144-4-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/2144-5-0x00000000001D1000-0x000000000022C000-memory.dmp

Filesize
364KB

Download
memory/2144-226-0x00000000001D0000-0x00000000006C2000-memory.dmp

Filesize
4.9MB

Download
memory/2144-0-0x00000000001D0000-0x00000000006C2000-memory.dmp

Filesize
4.9MB

Download
memory/2144-229-0x00000000001D0000-0x00000000006C2000-memory.dmp

Filesize
4.9MB

Download
memory/2144-230-0x00000000001D0000-0x00000000006C2000-memory.dmp

Filesize
4.9MB

Download
memory/2144-7-0x00000000001D0000-0x00000000006C2000-memory.dmp

Filesize
4.9MB

Download
memory/2144-233-0x00000000001D0000-0x00000000006C2000-memory.dmp

Filesize
4.9MB

Download
memory/2144-1-0x0000000077154000-0x0000000077156000-memory.dmp

Filesize
8KB

Download
memory/2144-236-0x00000000001D0000-0x00000000006C2000-memory.dmp

Filesize
4.9MB

Download
memory/2144-238-0x00000000001D0000-0x00000000006C2000-memory.dmp

Filesize
4.9MB

Download
memory/2144-242-0x00000000001D0000-0x00000000006C2000-memory.dmp

Filesize
4.9MB

Download
memory/2144-244-0x00000000001D0000-0x00000000006C2000-memory.dmp

Filesize
4.9MB

Download
memory/2144-245-0x00000000001D0000-0x00000000006C2000-memory.dmp

Filesize
4.9MB

Download
memory/2144-247-0x00000000001D0000-0x00000000006C2000-memory.dmp

Filesize
4.9MB

Download
memory/2144-248-0x00000000001D0000-0x00000000006C2000-memory.dmp

Filesize
4.9MB

Download
memory/2144-250-0x00000000001D0000-0x00000000006C2000-memory.dmp

Filesize
4.9MB

Download
memory/2144-251-0x00000000001D0000-0x00000000006C2000-memory.dmp

Filesize
4.9MB

Download
memory/2144-253-0x00000000001D0000-0x00000000006C2000-memory.dmp

Filesize
4.9MB

Download