cryptbot | 450624cfacc4237336833fd0d3e9eb928508224d5f1adf3b907fd3d5016526a6

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
12-06-2024 12:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0c00db1c96524b17161060ecbbe6a87_JaffaCakes118.exe
Size

4.1MB
MD5

a0c00db1c96524b17161060ecbbe6a87
SHA1

3eaa22467cf0f6a741d5e262c4b416db8c0a1f4b
SHA256

450624cfacc4237336833fd0d3e9eb928508224d5f1adf3b907fd3d5016526a6
SHA512

cedd14061d0d4c1035448d386f327478cfcf6bf3eb3c2c4589580e1e6ce30448f291658e50e44a5eb108caca515980e63525c008172951f7127111418374192a
SSDEEP

98304:7u6PnzjAOpAQiESlgpoWuhiB8k3rPGq8nfklad3O3+2tAcX36/p3a:77zjcllDi8qaPfklaQuFK

Score

10^/10

cryptbot discovery evasion spyware stealer

Malware Config

Extracted

Family

cryptbot

hbv01.info

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Setup.exeSetupX.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Setup.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ SetupX.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SetupX.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Setup.exeSetupX.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SetupX.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SetupX.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Setup.exeSetupX.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	SetupX.exe

Executes dropped EXE 2 IoCs

Processes:

Setup.exeSetupX.exe

pid process

832 Setup.exe
1080 SetupX.exe

pid	process
832	Setup.exe
1080	SetupX.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

Setup.exeSetupX.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Wine	Setup.exe
Key opened	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Wine	SetupX.exe

Loads dropped DLL 1 IoCs

Processes:

a0c00db1c96524b17161060ecbbe6a87_JaffaCakes118.exe

pid process

3696 a0c00db1c96524b17161060ecbbe6a87_JaffaCakes118.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

18 iplogger.org
19 iplogger.org
23 bitbucket.org
24 bitbucket.org
50 bitbucket.org
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Setup.exeSetupX.exe

pid process

832 Setup.exe
1080 SetupX.exe

pid	process
3696	a0c00db1c96524b17161060ecbbe6a87_JaffaCakes118.exe

flow	ioc
18	iplogger.org
19	iplogger.org
23	bitbucket.org
24	bitbucket.org
50	bitbucket.org

flow	ioc
3	ip-api.com

pid	process
832	Setup.exe
1080	SetupX.exe

Drops file in Program Files directory 3 IoCs

Processes:

a0c00db1c96524b17161060ecbbe6a87_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files (x86)\Xedd\Setup.exe	a0c00db1c96524b17161060ecbbe6a87_JaffaCakes118.exe
File created	C:\Program Files (x86)\Xedd\SetupX.exe	a0c00db1c96524b17161060ecbbe6a87_JaffaCakes118.exe
File created	C:\Program Files (x86)\Xedd\DiscoveryTree.xml	a0c00db1c96524b17161060ecbbe6a87_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Setup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Setup.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4748 timeout.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Setup.exeSetupX.exe

pid process

832 Setup.exe
832 Setup.exe
1080 SetupX.exe
1080 SetupX.exe
Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

Setup.exe

pid process

832 Setup.exe
832 Setup.exe
832 Setup.exe
832 Setup.exe
832 Setup.exe
832 Setup.exe
832 Setup.exe
832 Setup.exe
832 Setup.exe
832 Setup.exe
832 Setup.exe
832 Setup.exe

pid	process
4748	timeout.exe

pid	process
832	Setup.exe
832	Setup.exe
1080	SetupX.exe
1080	SetupX.exe

pid	process
832	Setup.exe
832	Setup.exe
832	Setup.exe
832	Setup.exe
832	Setup.exe
832	Setup.exe
832	Setup.exe
832	Setup.exe
832	Setup.exe
832	Setup.exe
832	Setup.exe
832	Setup.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

a0c00db1c96524b17161060ecbbe6a87_JaffaCakes118.exeSetup.execmd.exe

description	pid	process	target process
PID 3696 wrote to memory of 832	3696	a0c00db1c96524b17161060ecbbe6a87_JaffaCakes118.exe	Setup.exe
PID 3696 wrote to memory of 832	3696	a0c00db1c96524b17161060ecbbe6a87_JaffaCakes118.exe	Setup.exe
PID 3696 wrote to memory of 832	3696	a0c00db1c96524b17161060ecbbe6a87_JaffaCakes118.exe	Setup.exe
PID 3696 wrote to memory of 1080	3696	a0c00db1c96524b17161060ecbbe6a87_JaffaCakes118.exe	SetupX.exe
PID 3696 wrote to memory of 1080	3696	a0c00db1c96524b17161060ecbbe6a87_JaffaCakes118.exe	SetupX.exe
PID 3696 wrote to memory of 1080	3696	a0c00db1c96524b17161060ecbbe6a87_JaffaCakes118.exe	SetupX.exe
PID 832 wrote to memory of 4884	832	Setup.exe	cmd.exe
PID 832 wrote to memory of 4884	832	Setup.exe	cmd.exe
PID 832 wrote to memory of 4884	832	Setup.exe	cmd.exe
PID 4884 wrote to memory of 4748	4884	cmd.exe	timeout.exe
PID 4884 wrote to memory of 4748	4884	cmd.exe	timeout.exe
PID 4884 wrote to memory of 4748	4884	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\a0c00db1c96524b17161060ecbbe6a87_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a0c00db1c96524b17161060ecbbe6a87_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3696

C:\Program Files (x86)\Xedd\Setup.exe
"C:\Program Files (x86)\Xedd\Setup.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\BbZJgLHkhs2vK1A & timeout 2 & del /f /q "C:\Program Files (x86)\Xedd\Setup.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4884

C:\Windows\SysWOW64\timeout.exe
timeout 2
4⤵
- Delays execution with timeout.exe
PID:4748

C:\Program Files (x86)\Xedd\SetupX.exe
"C:\Program Files (x86)\Xedd\SetupX.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1080

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Xedd\Setup.exe
Filesize
2.1MB

MD5
adf27669e814f5a7a6dfa36ade88c9ae

SHA1
b8dbb43c2070cf04ae6b2d62dc010564fbf3599e

SHA256
dd5ae3cc6b45057a744d2fa1f7f42b03980b7aa90154b2eebdb8b4ad5a02babc

SHA512
5cad0447d1c748424c66fb3bf7a7cf04a7ecae090cb68848f73eeff903ebf83b4431fba474f04752bef2ace9398bb538fae53ec14c3f8aeaa8c65d759f02dd95

Download Submit
C:\Program Files (x86)\Xedd\SetupX.exe
Filesize
2.0MB

MD5
d5f103b258b8d98e4398b82b9972deb5

SHA1
1a43a240d0b4fdc6baf88e7d1104519737b488e8

SHA256
cd19ece38b82e73c78da4b7ff39bb8518f50148adc00e8ba94ffb119e4ee6fe0

SHA512
c764aafbbcb7b6d78b937da0fbf266f9747c0242232326194812d480320dc47ebd52a2aed417a7257569cd9e2159693df00d6249226814f98e8acc59fd728351

Download Submit
C:\ProgramData\BbZJgLHkhs2vK1A\47283761.txt
Filesize
156B

MD5
c12be1e7b6541de7746a7e6f7c722027

SHA1
c637002a9c8aa73dc4dbccc2908aef8ea15819cc

SHA256
0f974cdba262cc57a0a57aac5fc2ab5516ff2dd953247cf817690425dca401fd

SHA512
f7472f853b360639007a307ab6db31ba4287c117bbacc2c0081904e47afdca6f4c236dab438bb387740166cc5bacc184a0752b69d0d7cea92315bac9b5dbd5c5

Download Submit
C:\ProgramData\BbZJgLHkhs2vK1A\Files\_Info.txt
Filesize
764B

MD5
4f2299090c927b0488df389eccd008e1

SHA1
5cf7bfc18b8b2485fa4825043232c0b8477595d5

SHA256
f9d6fa401235aa4736ac30086441c127bd8cfd900af3192edbe44cf4f9f43c64

SHA512
00dcfda429d3b6a6664abdc8137ac3c98050af1584daf69e99d8aa0fc32682787db5a377dfd1c6dcea1d2aeb8588ce721d059fa25a844f61318ea3fd4f207ed7

Download Submit
C:\ProgramData\BbZJgLHkhs2vK1A\Files\_Info.txt
Filesize
8KB

MD5
ad9459d9c83ba46d1450b5fa94c871e7

SHA1
c4d61765425d941aa9b63df1caf0738e54ea7e8c

SHA256
4720b175244d7222faa5cbe6a173dc5509ef06566ab8a8265c2cfd70a2405db7

SHA512
a2ce90266deeafaeefaec658dfa0b733d248deb597dab34bb6fd51018e2beb14606e634d54748f1c58b72967921fb3b283c1c7794bb2c81b836bfaef762bc218

Download Submit
C:\ProgramData\BbZJgLHkhs2vK1A\Files\_Screen.jpg
Filesize
54KB

MD5
899ae83334829851ec5619c203695875

SHA1
170fcebfe4a05c474c7cce9b4e6b3a67814cb78f

SHA256
7252f282362059af6e4c904b1c80223685ef33b7f56f9d263feaa15b6ec51569

SHA512
f0a50fd47c7a5580f0d0ea4ae1dbb97a426c28a7686aed5839e6b35ee388e099bd9a30897ad5d37f9d864e817f30bbb506beefda9eb03768541c721378a000c8

Download Submit
C:\ProgramData\BbZJgLHkhs2vK1A\MOZ_CO~1.DB
Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\ProgramData\BbZJgLHkhs2vK1A\umpCPHYbg.zip
Filesize
49KB

MD5
5210b6b9261e0ceee5e455d87586f3dd

SHA1
4592173b189b6baceacc733ded108266cb330f21

SHA256
4ae407f18606585445e0e32375b3bcf273614e388f1157c709de221e67aae784

SHA512
8d183e5c8e33732b191b858f441a2ec301538e8a0ad0e0ccd8433d905ae02365ef54590649eabeba99418adb796279806cd65bf57380a2edc9e022784b73b96d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl3096.tmp\UAC.dll
Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
C:\Users\Admin\AppData\Roaming\erdvecwrv.exe
Filesize
13KB

MD5
1bee5fdc11bf9e09da5ec40c554e6912

SHA1
c528b89f18ede4d1562bfa6d71d8fc0e5401a4cb

SHA256
9660c0646b021407a5386bb225a9dc00f5f51d9f600242fb6d99aef6671011e5

SHA512
0cc7915b7fb58ebb33b68c7da64590f1a709cfceef90babeea41dc6c9e54a6333044b61e3681182614c56257bcbd2c3bc94a75820395bc43f634d684b2bd856d

Download Submit
C:\Users\Admin\AppData\Roaming\ervdetbrvyb.exe
Filesize
13KB

MD5
3c629506c1c9166f1c60199e47015c68

SHA1
3b5fae35853981f8b506a5598413ccface5d3097

SHA256
07d2fe24f6726ac987f3e8af3b221021ae25c6150df12496c1320ab1b034e587

SHA512
93fc8e8dab92641f0ceec04c9fa085c2147ec0b07b74b127bb3b3b59d9883d95367333bca90effdc83e2bdf35dc05a70fb16157b40703a32d4b3eb08a45058ab

Download Submit
memory/832-225-0x00000000005A0000-0x0000000000AD5000-memory.dmp

Filesize
5.2MB

Download
memory/832-233-0x00000000005A0000-0x0000000000AD5000-memory.dmp

Filesize
5.2MB

Download
memory/832-15-0x00000000005A0000-0x0000000000AD5000-memory.dmp

Filesize
5.2MB

Download
memory/832-263-0x00000000005A0000-0x0000000000AD5000-memory.dmp

Filesize
5.2MB

Download
memory/832-17-0x0000000077354000-0x0000000077356000-memory.dmp

Filesize
8KB

Download
memory/832-39-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/832-249-0x00000000005A0000-0x0000000000AD5000-memory.dmp

Filesize
5.2MB

Download
memory/832-32-0x00000000005A0000-0x0000000000AD5000-memory.dmp

Filesize
5.2MB

Download
memory/832-18-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/832-19-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/832-167-0x00000000005A0000-0x0000000000AD5000-memory.dmp

Filesize
5.2MB

Download
memory/832-168-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/832-246-0x00000000005A0000-0x0000000000AD5000-memory.dmp

Filesize
5.2MB

Download
memory/832-175-0x00000000005A0000-0x0000000000AD5000-memory.dmp

Filesize
5.2MB

Download
memory/832-242-0x00000000005A0000-0x0000000000AD5000-memory.dmp

Filesize
5.2MB

Download
memory/832-177-0x00000000005A0000-0x0000000000AD5000-memory.dmp

Filesize
5.2MB

Download
memory/832-179-0x00000000005A0000-0x0000000000AD5000-memory.dmp

Filesize
5.2MB

Download
memory/832-181-0x00000000005A0000-0x0000000000AD5000-memory.dmp

Filesize
5.2MB

Download
memory/832-237-0x00000000005A0000-0x0000000000AD5000-memory.dmp

Filesize
5.2MB

Download
memory/832-33-0x00000000005A0000-0x0000000000AD5000-memory.dmp

Filesize
5.2MB

Download
memory/832-20-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

Filesize
4KB

Download
memory/832-185-0x00000000005A0000-0x0000000000AD5000-memory.dmp

Filesize
5.2MB

Download
memory/832-229-0x00000000005A0000-0x0000000000AD5000-memory.dmp

Filesize
5.2MB

Download
memory/832-23-0x00000000005A0000-0x0000000000AD5000-memory.dmp

Filesize
5.2MB

Download
memory/832-192-0x00000000005A0000-0x0000000000AD5000-memory.dmp

Filesize
5.2MB

Download
memory/832-21-0x00000000005A1000-0x0000000000600000-memory.dmp

Filesize
380KB

Download
memory/832-211-0x00000000005A0000-0x0000000000AD5000-memory.dmp

Filesize
5.2MB

Download
memory/832-207-0x00000000005A0000-0x0000000000AD5000-memory.dmp

Filesize
5.2MB

Download
memory/832-200-0x00000000005A0000-0x0000000000AD5000-memory.dmp

Filesize
5.2MB

Download
memory/832-203-0x00000000005A0000-0x0000000000AD5000-memory.dmp

Filesize
5.2MB

Download
memory/1080-234-0x0000000000400000-0x0000000000913000-memory.dmp

Filesize
5.1MB

Download
memory/1080-195-0x0000000009E10000-0x0000000009E11000-memory.dmp

Filesize
4KB

Download
memory/1080-201-0x0000000000400000-0x0000000000913000-memory.dmp

Filesize
5.1MB

Download
memory/1080-208-0x0000000000400000-0x0000000000913000-memory.dmp

Filesize
5.1MB

Download
memory/1080-182-0x0000000000400000-0x0000000000913000-memory.dmp

Filesize
5.1MB

Download
memory/1080-212-0x0000000000400000-0x0000000000913000-memory.dmp

Filesize
5.1MB

Download
memory/1080-193-0x0000000000400000-0x0000000000913000-memory.dmp

Filesize
5.1MB

Download
memory/1080-238-0x0000000000400000-0x0000000000913000-memory.dmp

Filesize
5.1MB

Download
memory/1080-226-0x0000000000400000-0x0000000000913000-memory.dmp

Filesize
5.1MB

Download
memory/1080-187-0x0000000000400000-0x0000000000913000-memory.dmp

Filesize
5.1MB

Download
memory/1080-230-0x0000000000400000-0x0000000000913000-memory.dmp

Filesize
5.1MB

Download
memory/1080-183-0x0000000000400000-0x0000000000913000-memory.dmp

Filesize
5.1MB

Download
memory/1080-196-0x0000000009E30000-0x0000000009E31000-memory.dmp

Filesize
4KB

Download
memory/1080-204-0x0000000000400000-0x0000000000913000-memory.dmp

Filesize
5.1MB

Download
memory/1080-186-0x0000000000400000-0x0000000000913000-memory.dmp

Filesize
5.1MB

Download
memory/1080-178-0x0000000000400000-0x0000000000913000-memory.dmp

Filesize
5.1MB

Download
memory/1080-243-0x0000000000400000-0x0000000000913000-memory.dmp

Filesize
5.1MB

Download
memory/1080-174-0x0000000000400000-0x0000000000913000-memory.dmp

Filesize
5.1MB

Download
memory/1080-247-0x0000000000400000-0x0000000000913000-memory.dmp

Filesize
5.1MB

Download
memory/1080-50-0x0000000009FF0000-0x0000000009FF2000-memory.dmp

Filesize
8KB

Download
memory/1080-250-0x0000000000400000-0x0000000000913000-memory.dmp

Filesize
5.1MB

Download
memory/1080-35-0x0000000000400000-0x0000000000913000-memory.dmp

Filesize
5.1MB

Download
memory/1080-36-0x0000000000400000-0x0000000000913000-memory.dmp

Filesize
5.1MB

Download
memory/1080-16-0x0000000000400000-0x0000000000913000-memory.dmp

Filesize
5.1MB

Download
memory/1080-34-0x0000000000400000-0x0000000000913000-memory.dmp

Filesize
5.1MB

Download