cryptbot | 8d321c9812c60b1b23a5103e408031bd856b78cd9c3bca192c7cc8dd8251e9f4

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
15-06-2024 05:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad0357b8ef3b2baf040f7994958603af_JaffaCakes118.exe
Size

4.3MB
MD5

ad0357b8ef3b2baf040f7994958603af
SHA1

21f22b4e46cf31e335cdb16a7b2ddc3b421236f7
SHA256

8d321c9812c60b1b23a5103e408031bd856b78cd9c3bca192c7cc8dd8251e9f4
SHA512

32e3b5429fe436c8e7786292aad4bf224249e38e927e8b6f7e67ae56d2de951b6486cbf9646b9f5b69eab89f31e799181615109e9b2b5f881780ea1656fcde0f
SSDEEP

98304:fyNX95V/PUPcXKqQPnLNY8PH/IocL83y9wOOy+bTcJMj5CXHJXi5RVN9i:fyNX68Kq0L28PfIo13pEk5iZh

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 14 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2780-240-0x000000013FB90000-0x000000014023B000-memory.dmp	family_cryptbot
behavioral1/memory/2780-241-0x000000013FB90000-0x000000014023B000-memory.dmp	family_cryptbot
behavioral1/memory/2780-242-0x000000013FB90000-0x000000014023B000-memory.dmp	family_cryptbot
behavioral1/memory/2780-244-0x000000013FB90000-0x000000014023B000-memory.dmp	family_cryptbot
behavioral1/memory/2780-245-0x000000013FB90000-0x000000014023B000-memory.dmp	family_cryptbot
behavioral1/memory/2780-247-0x000000013FB90000-0x000000014023B000-memory.dmp	family_cryptbot
behavioral1/memory/2780-248-0x000000013FB90000-0x000000014023B000-memory.dmp	family_cryptbot
behavioral1/memory/2780-250-0x000000013FB90000-0x000000014023B000-memory.dmp	family_cryptbot
behavioral1/memory/2780-251-0x000000013FB90000-0x000000014023B000-memory.dmp	family_cryptbot
behavioral1/memory/2780-253-0x000000013FB90000-0x000000014023B000-memory.dmp	family_cryptbot
behavioral1/memory/2780-254-0x000000013FB90000-0x000000014023B000-memory.dmp	family_cryptbot
behavioral1/memory/2780-256-0x000000013FB90000-0x000000014023B000-memory.dmp	family_cryptbot
behavioral1/memory/2780-257-0x000000013FB90000-0x000000014023B000-memory.dmp	family_cryptbot
behavioral1/memory/2780-259-0x000000013FB90000-0x000000014023B000-memory.dmp	family_cryptbot

Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

1.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 1.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 1.exe
Executes dropped EXE 1 IoCs

Processes:

1.exe

pid process

2780 1.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1.exe

pid	process
2780	1.exe

Loads dropped DLL 4 IoCs

Processes:

ad0357b8ef3b2baf040f7994958603af_JaffaCakes118.exe

pid	process
1952	ad0357b8ef3b2baf040f7994958603af_JaffaCakes118.exe
1952	ad0357b8ef3b2baf040f7994958603af_JaffaCakes118.exe
1952	ad0357b8ef3b2baf040f7994958603af_JaffaCakes118.exe
1952	ad0357b8ef3b2baf040f7994958603af_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service
T1102

Processes:

flow ioc

3 iplogger.org

flow	ioc
3	iplogger.org

Drops file in Program Files directory 3 IoCs

Processes:

ad0357b8ef3b2baf040f7994958603af_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files (x86)\Paluba\fets\1.exe	ad0357b8ef3b2baf040f7994958603af_JaffaCakes118.exe
File created	C:\Program Files (x86)\Paluba\fets\Setup1.exe	ad0357b8ef3b2baf040f7994958603af_JaffaCakes118.exe
File created	C:\Program Files (x86)\Paluba\fets\Setup1.vbs	ad0357b8ef3b2baf040f7994958603af_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	1.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

1.exe

pid process

2780 1.exe
2780 1.exe

pid	process
2780	1.exe
2780	1.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

ad0357b8ef3b2baf040f7994958603af_JaffaCakes118.exe

description	pid	process	target process
PID 1952 wrote to memory of 2248	1952	ad0357b8ef3b2baf040f7994958603af_JaffaCakes118.exe	CScript.exe
PID 1952 wrote to memory of 2248	1952	ad0357b8ef3b2baf040f7994958603af_JaffaCakes118.exe	CScript.exe
PID 1952 wrote to memory of 2248	1952	ad0357b8ef3b2baf040f7994958603af_JaffaCakes118.exe	CScript.exe
PID 1952 wrote to memory of 2248	1952	ad0357b8ef3b2baf040f7994958603af_JaffaCakes118.exe	CScript.exe
PID 1952 wrote to memory of 2248	1952	ad0357b8ef3b2baf040f7994958603af_JaffaCakes118.exe	CScript.exe
PID 1952 wrote to memory of 2248	1952	ad0357b8ef3b2baf040f7994958603af_JaffaCakes118.exe	CScript.exe
PID 1952 wrote to memory of 2248	1952	ad0357b8ef3b2baf040f7994958603af_JaffaCakes118.exe	CScript.exe
PID 1952 wrote to memory of 2780	1952	ad0357b8ef3b2baf040f7994958603af_JaffaCakes118.exe	1.exe
PID 1952 wrote to memory of 2780	1952	ad0357b8ef3b2baf040f7994958603af_JaffaCakes118.exe	1.exe
PID 1952 wrote to memory of 2780	1952	ad0357b8ef3b2baf040f7994958603af_JaffaCakes118.exe	1.exe
PID 1952 wrote to memory of 2780	1952	ad0357b8ef3b2baf040f7994958603af_JaffaCakes118.exe	1.exe

C:\Users\Admin\AppData\Local\Temp\ad0357b8ef3b2baf040f7994958603af_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ad0357b8ef3b2baf040f7994958603af_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\SysWOW64\CScript.exe
"C:\Windows\system32\CScript.exe" "C:\Program Files (x86)\Paluba\fets\Setup1.vbs" //e:vbscript //B //NOLOGO
2⤵
PID:2248

C:\Program Files (x86)\Paluba\fets\1.exe
"C:\Program Files (x86)\Paluba\fets\1.exe"
2⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
PID:2780

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Paluba\fets\Setup1.vbs
Filesize
126B

MD5
3ffc26d751f79fb801ecbb715885e852

SHA1
f54da1552aabfbf68ef07fa98234a8a1ff789a16

SHA256
8816d2a6adff6e256c6f478c46b283991feeb28dedc384914fe35f14f673d5d6

SHA512
08e00923d92f9141ec09ed420738126883772e359e6fc2e703a293020d0bb42b915d2a9961ba03676ab2ad43d8f4563b46778e119f22007073b1d9f1124c0d24

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfb0V7RMV\WgVMBtjeprl.zip
Filesize
23KB

MD5
1a1de47582013a8844b9d58d03f6b0b9

SHA1
440823f230be6fbc716d9e804dcc417405bfad82

SHA256
4ef9b19196a7e0fc029fe13632fb71062c045581602ba94c1397162671a04159

SHA512
c4c2c96186db1b10e9ded8f21a62af921937bc5b7cf99f7b53ff9efadedaf80734bd18cb8b0ddf184ac26c3be2e72762e98d22fd1930e3d89c1cc37eb97d3129

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfb0V7RMV\_Files\_Information.txt
Filesize
1KB

MD5
6177a958da6b074e8a3e7e52e1eee9fa

SHA1
25a144e51f877ec04d1ee5f66d9984efe4e16a25

SHA256
cc914c13827824706b2292a77148612dc87e410e87114b2aa1527018558cbb8d

SHA512
145e0de99a36a148d3be5226e91148111f4751ae3b5f01baf553f07a8ffa91b48e6b510ae9d7166c0bd4a64ed4f0a0037fee9f5cabdaa8667bb26f94a3eee6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfb0V7RMV\_Files\_Information.txt
Filesize
1KB

MD5
807b72ad4df893990d7c56944a2d27cc

SHA1
bfd19c3b6c1e2a851117dc090f70f119176f4e58

SHA256
14204fc84eccea61933563f5e6ad0a4eb1f37cd2ce5319f0b265415d87e0f145

SHA512
c51d30436237531f813105fe563de32178aa742f3bc52c6f6231e592a30fcd4220a11136c80bb266eaa2f98cba339b1b9caf1927704de4ba11c7d72c0ee0edac

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfb0V7RMV\_Files\_Information.txt
Filesize
2KB

MD5
8d592698b12904a86adbd6c35a95db98

SHA1
3da5c476d044c3f6850fcc9e4f90e1cf441d85a9

SHA256
e77685dfdf6a141460594b761c0d10f5e985b7d9490e8cd092121343e4190daf

SHA512
148ec48dbc9745913765194154df9b482baf1828ec595facac3f3334066d70a0a72bce0df9df36ff948ecfbbbabffa22a3055ef7370fcf235be83d1105233bfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfb0V7RMV\_Files\_Information.txt
Filesize
3KB

MD5
17b32bb8d7cf25469496e005c0ca6d35

SHA1
a02e02edd1dae7aa9eee7eeccd91597caa1d9175

SHA256
53c2cb407e20ffa7c243d7e85756342edf1046e0fcb30b6d03f5664ffffe65b8

SHA512
8146958895835f768e0ec78f941034d72e586144d7ae66e5760b13b74b996e755983aac8ec6eaa82f214c20f70e6202520f92655ef6ab1f526007a481746c1b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfb0V7RMV\_Files\_Information.txt
Filesize
3KB

MD5
6a7671d3e75adc0959f4bbe77e7d7d53

SHA1
8c032245207b147b8bbf32bea9e22e9f12f5140f

SHA256
aead7eb68fcdf8fed1e621c8815350b3c7fe0d99daa83d1b1fda4251fc62c25f

SHA512
7b72634d4ae46c94f164d43bebb15a0e9ceb78d0dacc3dadff54a91a704b7fa980c8d9e9665aa4f5d2f82258363c7ca9f984a8c963d6cf28f073cf125b03fd6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfb0V7RMV\_Files\_Information.txt
Filesize
4KB

MD5
f559e83386556d9021fa749e115face2

SHA1
457ef9296a69ec24fa6f7f7a0ba34cd90083a561

SHA256
427410673008e85971268721a54496d039a8a4536cce098a16f03631d47157b9

SHA512
0cac507ff7db99644db6b41d862fa07e7f00d1b5a93fab98a241cfea00df09374350b0e55703969e4de518793a806c57af1fcc785f5b66ae417dd2e27f3cab37

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfb0V7RMV\_Files\_Screen_Desktop.jpeg
Filesize
31KB

MD5
49a9f9a0c20fc943650f877b0b7ce9dd

SHA1
ca14089ab427d813416163b2c4fc05ce6fa6b096

SHA256
4674d443db8a349ee6f605f23a8ea0adf0a9ecc339f8c14bc979242ffa3583f5

SHA512
14744e2ea4f2f5cef831a4183785ed3130f1eb95e0889f24bdcfa892cb1014f235383d62bebe58ade1e9b702ce055a5adca5b2dc5257ac4d22ea43a770f87e65

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfb0V7RMV\files_\system_info.txt
Filesize
2KB

MD5
56df0f1ff3f8fd4ef0a5e8fb95979ebe

SHA1
b15ca63b7d3c7c9ee23d66c2e2e46a6036b797b9

SHA256
ef23335282c37cbf8c2a027219bf88f125f89a78270171174148ab4000c3c308

SHA512
3e7df7c13631752655987e921f25be7b32c2fe8b06d7a73b2d1c5dc20ad18335704256df6c44cff385f705ffbb877f961cb30af461e50cf48cde33052b6b2697

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfb0V7RMV\files_\system_info.txt
Filesize
3KB

MD5
88c6b732b8bfdfd756558c4458ca61ac

SHA1
06e8bff31580a859b0ae1095c3b939076b70695e

SHA256
3c2ea70ce623e3c7575f05dfe443f9241bdccef8f4126146467cf96b6c36b5a9

SHA512
0b331cd405e6794726579591d8d451cc4bfc6f283c486422befe9a78a32610ebb0970174db4875bed6b948fb2e5187fcd63d437384aeb27a1639c64d12b2713f

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfb0V7RMV\files_\system_info.txt
Filesize
4KB

MD5
477d95b37e688c7521242c5c72b6bb86

SHA1
c8b59519e2af92b2042c03a829e0e1c56fbf419e

SHA256
fac876aa7a9b20e1a7221c1a9021954d2e30381aaee34252fa559e79d3a5c2b0

SHA512
df459d2feac319922ba165d04fc12ed7e7953c1bd9a27f05965e1fa80437a1e75c7522001897501e370c3b00ecdcf34153ce57cdc8969264ef3fcdee7b9761ed

Download Submit
\Program Files (x86)\Paluba\fets\1.exe
Filesize
2.6MB

MD5
e1188dcf1d263848bbc3a9e0e000fa5d

SHA1
30ec0f03ff134f6835e5a1f9ac50d2f1f203f3b9

SHA256
143baeea153f94dec6b4ae148ce7f7db97b1aa8d034803a945e069143504263e

SHA512
021f52ab015eabe04443efe38d848760d971352a422c93ead6ca15566d377e015ff16decd45c62047eeaf76a13959956127d4763b59190d777e8d6249f3b6adf

Download Submit
\Users\Admin\AppData\Local\Temp\nst20EA.tmp\UAC.dll
Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
\Users\Admin\AppData\Local\Temp\nst20EA.tmp\nsExec.dll
Filesize
6KB

MD5
132e6153717a7f9710dcea4536f364cd

SHA1
e39bc82c7602e6dd0797115c2bd12e872a5fb2ab

SHA256
d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2

SHA512
9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

Download Submit
memory/1952-19-0x0000000003140000-0x00000000037EB000-memory.dmp

Filesize
6.7MB

Download
memory/1952-22-0x0000000003140000-0x00000000037EB000-memory.dmp

Filesize
6.7MB

Download
memory/2780-245-0x000000013FB90000-0x000000014023B000-memory.dmp

Filesize
6.7MB

Download
memory/2780-248-0x000000013FB90000-0x000000014023B000-memory.dmp

Filesize
6.7MB

Download
memory/2780-241-0x000000013FB90000-0x000000014023B000-memory.dmp

Filesize
6.7MB

Download
memory/2780-242-0x000000013FB90000-0x000000014023B000-memory.dmp

Filesize
6.7MB

Download
memory/2780-244-0x000000013FB90000-0x000000014023B000-memory.dmp

Filesize
6.7MB

Download
memory/2780-21-0x000000013FB90000-0x000000014023B000-memory.dmp

Filesize
6.7MB

Download
memory/2780-247-0x000000013FB90000-0x000000014023B000-memory.dmp

Filesize
6.7MB

Download
memory/2780-240-0x000000013FB90000-0x000000014023B000-memory.dmp

Filesize
6.7MB

Download
memory/2780-23-0x00000000770A0000-0x00000000770A2000-memory.dmp

Filesize
8KB

Download
memory/2780-250-0x000000013FB90000-0x000000014023B000-memory.dmp

Filesize
6.7MB

Download
memory/2780-251-0x000000013FB90000-0x000000014023B000-memory.dmp

Filesize
6.7MB

Download
memory/2780-253-0x000000013FB90000-0x000000014023B000-memory.dmp

Filesize
6.7MB

Download
memory/2780-254-0x000000013FB90000-0x000000014023B000-memory.dmp

Filesize
6.7MB

Download
memory/2780-256-0x000000013FB90000-0x000000014023B000-memory.dmp

Filesize
6.7MB

Download
memory/2780-257-0x000000013FB90000-0x000000014023B000-memory.dmp

Filesize
6.7MB

Download
memory/2780-259-0x000000013FB90000-0x000000014023B000-memory.dmp

Filesize
6.7MB

Download