cryptbot | 8d321c9812c60b1b23a5103e408031bd856b78cd9c3bca192c7cc8dd8251e9f4

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 05:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad0357b8ef3b2baf040f7994958603af_JaffaCakes118.exe
Size

4.3MB
MD5

ad0357b8ef3b2baf040f7994958603af
SHA1

21f22b4e46cf31e335cdb16a7b2ddc3b421236f7
SHA256

8d321c9812c60b1b23a5103e408031bd856b78cd9c3bca192c7cc8dd8251e9f4
SHA512

32e3b5429fe436c8e7786292aad4bf224249e38e927e8b6f7e67ae56d2de951b6486cbf9646b9f5b69eab89f31e799181615109e9b2b5f881780ea1656fcde0f
SSDEEP

98304:fyNX95V/PUPcXKqQPnLNY8PH/IocL83y9wOOy+bTcJMj5CXHJXi5RVN9i:fyNX68Kq0L28PfIo13pEk5iZh

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 14 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3904-232-0x00007FF65D8A0000-0x00007FF65DF4B000-memory.dmp	family_cryptbot
behavioral2/memory/3904-233-0x00007FF65D8A0000-0x00007FF65DF4B000-memory.dmp	family_cryptbot
behavioral2/memory/3904-234-0x00007FF65D8A0000-0x00007FF65DF4B000-memory.dmp	family_cryptbot
behavioral2/memory/3904-237-0x00007FF65D8A0000-0x00007FF65DF4B000-memory.dmp	family_cryptbot
behavioral2/memory/3904-239-0x00007FF65D8A0000-0x00007FF65DF4B000-memory.dmp	family_cryptbot
behavioral2/memory/3904-241-0x00007FF65D8A0000-0x00007FF65DF4B000-memory.dmp	family_cryptbot
behavioral2/memory/3904-242-0x00007FF65D8A0000-0x00007FF65DF4B000-memory.dmp	family_cryptbot
behavioral2/memory/3904-244-0x00007FF65D8A0000-0x00007FF65DF4B000-memory.dmp	family_cryptbot
behavioral2/memory/3904-246-0x00007FF65D8A0000-0x00007FF65DF4B000-memory.dmp	family_cryptbot
behavioral2/memory/3904-249-0x00007FF65D8A0000-0x00007FF65DF4B000-memory.dmp	family_cryptbot
behavioral2/memory/3904-250-0x00007FF65D8A0000-0x00007FF65DF4B000-memory.dmp	family_cryptbot
behavioral2/memory/3904-253-0x00007FF65D8A0000-0x00007FF65DF4B000-memory.dmp	family_cryptbot
behavioral2/memory/3904-255-0x00007FF65D8A0000-0x00007FF65DF4B000-memory.dmp	family_cryptbot
behavioral2/memory/3904-256-0x00007FF65D8A0000-0x00007FF65DF4B000-memory.dmp	family_cryptbot

Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

1.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 1.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 1.exe
Executes dropped EXE 1 IoCs

Processes:

1.exe

pid process

3904 1.exe
Loads dropped DLL 2 IoCs

Processes:

ad0357b8ef3b2baf040f7994958603af_JaffaCakes118.exe

pid process

4764 ad0357b8ef3b2baf040f7994958603af_JaffaCakes118.exe
4764 ad0357b8ef3b2baf040f7994958603af_JaffaCakes118.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service
T1102

Processes:

flow ioc

2 iplogger.org

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1.exe

pid	process
3904	1.exe

pid	process
4764	ad0357b8ef3b2baf040f7994958603af_JaffaCakes118.exe
4764	ad0357b8ef3b2baf040f7994958603af_JaffaCakes118.exe

flow	ioc
2	iplogger.org

Drops file in Program Files directory 3 IoCs

Processes:

ad0357b8ef3b2baf040f7994958603af_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files (x86)\Paluba\fets\1.exe	ad0357b8ef3b2baf040f7994958603af_JaffaCakes118.exe
File created	C:\Program Files (x86)\Paluba\fets\Setup1.exe	ad0357b8ef3b2baf040f7994958603af_JaffaCakes118.exe
File created	C:\Program Files (x86)\Paluba\fets\Setup1.vbs	ad0357b8ef3b2baf040f7994958603af_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	1.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

1.exe

pid process

3904 1.exe
3904 1.exe

pid	process
3904	1.exe
3904	1.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

ad0357b8ef3b2baf040f7994958603af_JaffaCakes118.exe

description	pid	process	target process
PID 4764 wrote to memory of 3556	4764	ad0357b8ef3b2baf040f7994958603af_JaffaCakes118.exe	CScript.exe
PID 4764 wrote to memory of 3556	4764	ad0357b8ef3b2baf040f7994958603af_JaffaCakes118.exe	CScript.exe
PID 4764 wrote to memory of 3556	4764	ad0357b8ef3b2baf040f7994958603af_JaffaCakes118.exe	CScript.exe
PID 4764 wrote to memory of 3904	4764	ad0357b8ef3b2baf040f7994958603af_JaffaCakes118.exe	1.exe
PID 4764 wrote to memory of 3904	4764	ad0357b8ef3b2baf040f7994958603af_JaffaCakes118.exe	1.exe

C:\Users\Admin\AppData\Local\Temp\ad0357b8ef3b2baf040f7994958603af_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ad0357b8ef3b2baf040f7994958603af_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4764

C:\Windows\SysWOW64\CScript.exe
"C:\Windows\system32\CScript.exe" "C:\Program Files (x86)\Paluba\fets\Setup1.vbs" //e:vbscript //B //NOLOGO
2⤵
PID:3556

C:\Program Files (x86)\Paluba\fets\1.exe
"C:\Program Files (x86)\Paluba\fets\1.exe"
2⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
PID:3904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4028,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=4164 /prefetch:8
1⤵
PID:868

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Paluba\fets\1.exe
Filesize
2.6MB

MD5
e1188dcf1d263848bbc3a9e0e000fa5d

SHA1
30ec0f03ff134f6835e5a1f9ac50d2f1f203f3b9

SHA256
143baeea153f94dec6b4ae148ce7f7db97b1aa8d034803a945e069143504263e

SHA512
021f52ab015eabe04443efe38d848760d971352a422c93ead6ca15566d377e015ff16decd45c62047eeaf76a13959956127d4763b59190d777e8d6249f3b6adf

Download Submit
C:\Program Files (x86)\Paluba\fets\Setup1.vbs
Filesize
126B

MD5
3ffc26d751f79fb801ecbb715885e852

SHA1
f54da1552aabfbf68ef07fa98234a8a1ff789a16

SHA256
8816d2a6adff6e256c6f478c46b283991feeb28dedc384914fe35f14f673d5d6

SHA512
08e00923d92f9141ec09ed420738126883772e359e6fc2e703a293020d0bb42b915d2a9961ba03676ab2ad43d8f4563b46778e119f22007073b1d9f1124c0d24

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYtojOYcS\4oLDYjxj7Lg7K.zip
Filesize
40KB

MD5
11fe1e8e93b617cc7aee865a6d9096b6

SHA1
8a7576772469aad3a991ad5dea9624767a991850

SHA256
bb8f61554e6b5f5bed06a9e4ab7b57dcafec744cc4426ffd2b1b961f0580eaeb

SHA512
92dfb44a9763b9b4a93ca9d0df633e172ce405c6ca711a116e709bf36c2e0d253122ae04dea69748ddb88d91537f6fabeb6daa5469eef78a8e091e0f569eadfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYtojOYcS\_Files\_Information.txt
Filesize
1KB

MD5
af1f39e6573178edb734b61d0c6bb60d

SHA1
84da5fe2c7b3b8dcf279a23b4d20b45c3fbd7fe4

SHA256
35db64723968950c065475800def6d808cf67ad9350602b4a1c740b50d99c1f6

SHA512
316af076acf47096fcf823e565c7c1a01142fc966bda2062aa3663fd8a262e5c0035f518b1e81d751c0183cebc8d1d735c490df45d0010c1f7044aa0dc5b1f7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYtojOYcS\_Files\_Information.txt
Filesize
5KB

MD5
28ce6280d7223a328d9c8dce5f0e18ed

SHA1
f15416aa0062bc0de42a771bfb7333d36e335749

SHA256
856b473ed6056d88a0911db9dca9f49d093220684ef6bac980d87c71612268ec

SHA512
2bb66b0521f7eb9e713c3312e518164620c95192874a66681559460f1dbe4e61b9dedca9f7c98b90bc9ee73e21c535121068fbb3a896b2fff076b2dd2cdfb872

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYtojOYcS\_Files\_Screen_Desktop.jpeg
Filesize
46KB

MD5
fdb32489e7a78673cdd2c231cb27ad10

SHA1
fb99761d022ffc05fc99e09fd4aa2e47ab3c7a31

SHA256
a6de962a6443c990b2fc2b2e242588e988968bfad91d0456c0f278dadd0f9b05

SHA512
3bbf9ac87155125110dcd6ca409f30f3dd2fd2b26dad21f0f682f5a8ae7fc47a2ebff32e0418fff7cf359210bddb699720c8857341100029959b1a2b4220be10

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYtojOYcS\files_\system_info.txt
Filesize
1KB

MD5
4356742b4d67653c29b8fe60f172a0f4

SHA1
7c2551b859526a63a7a4710c9cbcd756d7940242

SHA256
7d80667f734c6aae3b1d8ebe99572296644a624b9fd337f4d76234c17445e5ea

SHA512
ca741c0fa29118ebeb5fcb6794ef48acbe74c2de479b0b63d43f98feb0a244fb954512c07c52194d4186850103e3745392d6f838667108a3fe8aafe858caa9ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYtojOYcS\files_\system_info.txt
Filesize
7KB

MD5
ece4527bc9a9f72d77abfa8dd465e507

SHA1
5b3aa496590ac86d46765871c7e0090f681429dc

SHA256
ebb594dae57ab81504574aa10c79732ea48c949b3c6c6c777a6d9efbc0ea6c20

SHA512
4f279d6b489ea05cc6c5a6eb8ae1d1d1a28fb810b81c19fff785223f2caa1aa451300bc0604fec74673cd062efd4fb9b915116754e4dd0c69771c6e461e4ae76

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslE1B6.tmp\UAC.dll
Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslE1B6.tmp\nsExec.dll
Filesize
6KB

MD5
132e6153717a7f9710dcea4536f364cd

SHA1
e39bc82c7602e6dd0797115c2bd12e872a5fb2ab

SHA256
d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2

SHA512
9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

Download Submit
memory/3904-233-0x00007FF65D8A0000-0x00007FF65DF4B000-memory.dmp

Filesize
6.7MB

Download
memory/3904-241-0x00007FF65D8A0000-0x00007FF65DF4B000-memory.dmp

Filesize
6.7MB

Download
memory/3904-17-0x00007FF65D8A0000-0x00007FF65DF4B000-memory.dmp

Filesize
6.7MB

Download
memory/3904-234-0x00007FF65D8A0000-0x00007FF65DF4B000-memory.dmp

Filesize
6.7MB

Download
memory/3904-237-0x00007FF65D8A0000-0x00007FF65DF4B000-memory.dmp

Filesize
6.7MB

Download
memory/3904-18-0x00007FFEA50F0000-0x00007FFEA50F2000-memory.dmp

Filesize
8KB

Download
memory/3904-239-0x00007FF65D8A0000-0x00007FF65DF4B000-memory.dmp

Filesize
6.7MB

Download
memory/3904-232-0x00007FF65D8A0000-0x00007FF65DF4B000-memory.dmp

Filesize
6.7MB

Download
memory/3904-242-0x00007FF65D8A0000-0x00007FF65DF4B000-memory.dmp

Filesize
6.7MB

Download
memory/3904-244-0x00007FF65D8A0000-0x00007FF65DF4B000-memory.dmp

Filesize
6.7MB

Download
memory/3904-246-0x00007FF65D8A0000-0x00007FF65DF4B000-memory.dmp

Filesize
6.7MB

Download
memory/3904-249-0x00007FF65D8A0000-0x00007FF65DF4B000-memory.dmp

Filesize
6.7MB

Download
memory/3904-250-0x00007FF65D8A0000-0x00007FF65DF4B000-memory.dmp

Filesize
6.7MB

Download
memory/3904-253-0x00007FF65D8A0000-0x00007FF65DF4B000-memory.dmp

Filesize
6.7MB

Download
memory/3904-255-0x00007FF65D8A0000-0x00007FF65DF4B000-memory.dmp

Filesize
6.7MB

Download
memory/3904-256-0x00007FF65D8A0000-0x00007FF65DF4B000-memory.dmp

Filesize
6.7MB

Download