cryptbot | 637b36fdc2cb3c6b930fd6ed725211a6f71d4be69f51d78330d6010305b255ac

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 01:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac7e35bcbfd470a51f449556aa1fbe9e_JaffaCakes118.exe
Size

2.1MB
MD5

ac7e35bcbfd470a51f449556aa1fbe9e
SHA1

7dd5876685e9ca21f8ff5098242ead93b8423d36
SHA256

637b36fdc2cb3c6b930fd6ed725211a6f71d4be69f51d78330d6010305b255ac
SHA512

4ed25e226970b4fc12f08a605a7066291929499926c920731c34be476947d987f659f61869daa08c0bf9dfdddcc78f449b2477f4f792eef3ea022e32a2732d53
SSDEEP

49152:vmKgSdJRVHOOoZ/25dTtON+3AFKUstkqpZjv8bnNX:eKgSdJnOOoZen40IKUKRANX

Score

10^/10

cryptbot discovery evasion spyware stealer

Malware Config

Extracted

Family

cryptbot

bibinene03.top

moraass05.top

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 18 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3040-7-0x0000000000720000-0x0000000000C2B000-memory.dmp	family_cryptbot
behavioral2/memory/3040-8-0x0000000000720000-0x0000000000C2B000-memory.dmp	family_cryptbot
behavioral2/memory/3040-227-0x0000000000720000-0x0000000000C2B000-memory.dmp	family_cryptbot
behavioral2/memory/3040-228-0x0000000000720000-0x0000000000C2B000-memory.dmp	family_cryptbot
behavioral2/memory/3040-230-0x0000000000720000-0x0000000000C2B000-memory.dmp	family_cryptbot
behavioral2/memory/3040-231-0x0000000000720000-0x0000000000C2B000-memory.dmp	family_cryptbot
behavioral2/memory/3040-232-0x0000000000720000-0x0000000000C2B000-memory.dmp	family_cryptbot
behavioral2/memory/3040-234-0x0000000000720000-0x0000000000C2B000-memory.dmp	family_cryptbot
behavioral2/memory/3040-237-0x0000000000720000-0x0000000000C2B000-memory.dmp	family_cryptbot
behavioral2/memory/3040-239-0x0000000000720000-0x0000000000C2B000-memory.dmp	family_cryptbot
behavioral2/memory/3040-242-0x0000000000720000-0x0000000000C2B000-memory.dmp	family_cryptbot
behavioral2/memory/3040-243-0x0000000000720000-0x0000000000C2B000-memory.dmp	family_cryptbot
behavioral2/memory/3040-246-0x0000000000720000-0x0000000000C2B000-memory.dmp	family_cryptbot
behavioral2/memory/3040-248-0x0000000000720000-0x0000000000C2B000-memory.dmp	family_cryptbot
behavioral2/memory/3040-250-0x0000000000720000-0x0000000000C2B000-memory.dmp	family_cryptbot
behavioral2/memory/3040-252-0x0000000000720000-0x0000000000C2B000-memory.dmp	family_cryptbot
behavioral2/memory/3040-253-0x0000000000720000-0x0000000000C2B000-memory.dmp	family_cryptbot
behavioral2/memory/3040-256-0x0000000000720000-0x0000000000C2B000-memory.dmp	family_cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

ac7e35bcbfd470a51f449556aa1fbe9e_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ ac7e35bcbfd470a51f449556aa1fbe9e_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ac7e35bcbfd470a51f449556aa1fbe9e_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ac7e35bcbfd470a51f449556aa1fbe9e_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ac7e35bcbfd470a51f449556aa1fbe9e_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ac7e35bcbfd470a51f449556aa1fbe9e_JaffaCakes118.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

ac7e35bcbfd470a51f449556aa1fbe9e_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Wine ac7e35bcbfd470a51f449556aa1fbe9e_JaffaCakes118.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

ac7e35bcbfd470a51f449556aa1fbe9e_JaffaCakes118.exe

pid process

3040 ac7e35bcbfd470a51f449556aa1fbe9e_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Wine	ac7e35bcbfd470a51f449556aa1fbe9e_JaffaCakes118.exe

pid	process
3040	ac7e35bcbfd470a51f449556aa1fbe9e_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ac7e35bcbfd470a51f449556aa1fbe9e_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ac7e35bcbfd470a51f449556aa1fbe9e_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ac7e35bcbfd470a51f449556aa1fbe9e_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ac7e35bcbfd470a51f449556aa1fbe9e_JaffaCakes118.exe

pid process

3040 ac7e35bcbfd470a51f449556aa1fbe9e_JaffaCakes118.exe
3040 ac7e35bcbfd470a51f449556aa1fbe9e_JaffaCakes118.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

ac7e35bcbfd470a51f449556aa1fbe9e_JaffaCakes118.exe

pid process

3040 ac7e35bcbfd470a51f449556aa1fbe9e_JaffaCakes118.exe
3040 ac7e35bcbfd470a51f449556aa1fbe9e_JaffaCakes118.exe

pid	process
3040	ac7e35bcbfd470a51f449556aa1fbe9e_JaffaCakes118.exe
3040	ac7e35bcbfd470a51f449556aa1fbe9e_JaffaCakes118.exe

pid	process
3040	ac7e35bcbfd470a51f449556aa1fbe9e_JaffaCakes118.exe
3040	ac7e35bcbfd470a51f449556aa1fbe9e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\ac7e35bcbfd470a51f449556aa1fbe9e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ac7e35bcbfd470a51f449556aa1fbe9e_JaffaCakes118.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:3040

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dcGF4As\Mx5hgpIDbd.zip
Filesize
254KB

MD5
86b0479d2d1047587ef5fea75d3cd04b

SHA1
6f2e2dfc2236de169ac9463c873a4dce05efdd10

SHA256
5e562996ce427edb6e842f8d397286a4e6a0f48d1edfab87e23e28fa29c1f78e

SHA512
1576fb93fb60ac2c21f0dfc03549dea4ee34cf3f32d50d25dc71026e5ce4477bbef2c225eb275fb307ebee231b50728d4f642914c9156a3169a86e3969836c1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcGF4As\_Files\_Files\DisconnectResolve.txt
Filesize
211KB

MD5
a1a8bcec5d4d03ae98a092547a227e42

SHA1
ce7d9144290d66487d97e835974473f7adc16c3d

SHA256
d2d3aef4fdb44221b2a7aa7dab2e9a2821f1d0997f8394aca162e971f47fa185

SHA512
44ac6fc364bdcbe66655d74bdb3df15ec97da0c9371165f2c4f662e2f23d6955a8926468e0d6f330a37a23ba9f75aa2b1d89f604f06ff2313bbd0a2c4998af70

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcGF4As\_Files\_Information.txt
Filesize
1KB

MD5
cb7c2f96ac9ceda7972a7b108ec36c18

SHA1
112e5e25055fd57904e1cd61edd1259ffab767bc

SHA256
5be664d3ac70bfea76d33582e51310c499e4f34132a66e5572bdc8889edb9849

SHA512
edbd5d047894e1f5200364790e1e9963aeb7ae08f03f5c17b0067ffa8ef8354a379817edd83a552578698c9eda08a02611c9eb877328a508ab0eb8258ffb212a

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcGF4As\_Files\_Information.txt
Filesize
1KB

MD5
ca509c986ff543f6c0bc1044f9566c0e

SHA1
124a356c7e75d0b32dfd1656da066519d730d96c

SHA256
b0d340ae598f3a98ee47f0892f6de6c23174d47b0418879d2fa316d49cf86012

SHA512
56076245d707bc69ccc0c460e5bd1c18b2b4175910d2edf2a0b6e152cd46beb70dff728f4669e3dd84a1c1ef7e9432dd27e511d78aac58991c98f6d452afacd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcGF4As\_Files\_Information.txt
Filesize
3KB

MD5
58e240902f203259f4c12094e16eb655

SHA1
6fb2b9033b728e2078a26e1b71007cf0af330ab2

SHA256
760fe02fb817b1195740c0689fb9425c07f4d5d59f123587d44aa5546473489e

SHA512
71e1facd83c8c390f7371ec70dc9207555973a68f49c4bacec9cc2d7ee82f96dfd508780933e074e2744577d98d1cff6cdc2002a1e056834a93362feedd78572

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcGF4As\_Files\_Information.txt
Filesize
4KB

MD5
1e1457d6e22336c280456233ea8620b7

SHA1
76664d224ecbda493205efc7e4c13e44550a3ff1

SHA256
88bb41d01c34efe403faca125092f3539d0753869c93b89385eafe8d605c2bb9

SHA512
ca217138d1373767892808d44c22af6c1ad6e212fce40d4e3f7206f2e24dedd5b2b93766c2b0a7439cef367cebdeaffd3dd0918552440272a507c8463a5c11e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcGF4As\_Files\_Screen_Desktop.jpeg
Filesize
49KB

MD5
3c196c2048a0e206cdf3bae853a5a113

SHA1
3cfc47a6a9d69b4d2b0f9bc182acaff0259743a1

SHA256
3ae40938df7a330dbe2809d4fec6b71be69cf587f8884c50005d8c0d66549cbb

SHA512
7d7467bbea83e20daaddf4d7782d1021f27201a3adcd62f47af74ef9252c0d20d0becce13a7b558d5c64649bb846954ddd8fbb685b2b3a89470fb303c1ecf954

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcGF4As\files_\system_info.txt
Filesize
1KB

MD5
397273bb2b942a8303f66e429b1d1d7e

SHA1
a0fa8b2cccf15e7c90e8078d3cfbf37609993f8e

SHA256
849e2e481b4b26418a8e9eefc2f811663af5b4e9b0babac4323579714e5cfe1a

SHA512
62e28bf326db59f9e4ab2478f35ba5246d3a768aed89c74edd260271886d8f2947418011547bcc0ba06efe425986b94831aab3d5cb73b6ae8927f6d5522accc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcGF4As\files_\system_info.txt
Filesize
7KB

MD5
976121a882a2338c206dd024996fb5df

SHA1
2e1114f78b2b1a5babcd114d181e5c93549101ae

SHA256
ed8fe63bab82c2b7c5039cfc98e1494c3440296f7983bd20a9b21f4a65d10d11

SHA512
5094577e48e064807222052d7d2d5a660edff5e09aa0731ab98d42ef879b035c14184d5cb23668662c0b8e1d03dfd4bd88d2e608e6284eda2f23b0035e603023

Download Submit
memory/3040-8-0x0000000000720000-0x0000000000C2B000-memory.dmp

Filesize
5.0MB

Download
memory/3040-234-0x0000000000720000-0x0000000000C2B000-memory.dmp

Filesize
5.0MB

Download
memory/3040-7-0x0000000000720000-0x0000000000C2B000-memory.dmp

Filesize
5.0MB

Download
memory/3040-5-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/3040-6-0x0000000000721000-0x000000000077C000-memory.dmp

Filesize
364KB

Download
memory/3040-2-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/3040-3-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/3040-4-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/3040-227-0x0000000000720000-0x0000000000C2B000-memory.dmp

Filesize
5.0MB

Download
memory/3040-228-0x0000000000720000-0x0000000000C2B000-memory.dmp

Filesize
5.0MB

Download
memory/3040-230-0x0000000000720000-0x0000000000C2B000-memory.dmp

Filesize
5.0MB

Download
memory/3040-231-0x0000000000720000-0x0000000000C2B000-memory.dmp

Filesize
5.0MB

Download
memory/3040-232-0x0000000000720000-0x0000000000C2B000-memory.dmp

Filesize
5.0MB

Download
memory/3040-0-0x0000000000720000-0x0000000000C2B000-memory.dmp

Filesize
5.0MB

Download
memory/3040-1-0x0000000077154000-0x0000000077156000-memory.dmp

Filesize
8KB

Download
memory/3040-237-0x0000000000720000-0x0000000000C2B000-memory.dmp

Filesize
5.0MB

Download
memory/3040-239-0x0000000000720000-0x0000000000C2B000-memory.dmp

Filesize
5.0MB

Download
memory/3040-242-0x0000000000720000-0x0000000000C2B000-memory.dmp

Filesize
5.0MB

Download
memory/3040-243-0x0000000000720000-0x0000000000C2B000-memory.dmp

Filesize
5.0MB

Download
memory/3040-246-0x0000000000720000-0x0000000000C2B000-memory.dmp

Filesize
5.0MB

Download
memory/3040-248-0x0000000000720000-0x0000000000C2B000-memory.dmp

Filesize
5.0MB

Download
memory/3040-250-0x0000000000720000-0x0000000000C2B000-memory.dmp

Filesize
5.0MB

Download
memory/3040-252-0x0000000000720000-0x0000000000C2B000-memory.dmp

Filesize
5.0MB

Download
memory/3040-253-0x0000000000720000-0x0000000000C2B000-memory.dmp

Filesize
5.0MB

Download
memory/3040-256-0x0000000000720000-0x0000000000C2B000-memory.dmp

Filesize
5.0MB

Download