cryptbot | f0f167b361376dc23b604f18e3642c459368c71e8e030e00170d5db431ceb45c

Analysis

max time kernel
147s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27-06-2024 06:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

150cc6fff4a7fca07ff09a3e37fb7828_JaffaCakes118.exe
Size

1.7MB
MD5

150cc6fff4a7fca07ff09a3e37fb7828
SHA1

0a77ae0762093dedebf497aae917c1bd29ec6407
SHA256

f0f167b361376dc23b604f18e3642c459368c71e8e030e00170d5db431ceb45c
SHA512

8246091ed11c659f7f8a3f5cf4df448d6632e62644662fddef29301f6ad82ba7c409682e238fec6bd07e95e17f5318b3351cb0e529b8b542ef126985bc070afd
SSDEEP

49152:YmS7T6hb8lMKMDQzPFRUmN1lU5XUM8y+90O:C7TQb8+KbzPFRUm9U5kdP

Score

10^/10

cryptbot discovery persistence spyware stealer

Malware Config

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4412-25-0x00000000007D0000-0x00000000008B3000-memory.dmp	family_cryptbot
behavioral1/memory/4412-27-0x00000000007D0000-0x00000000008B3000-memory.dmp	family_cryptbot
behavioral1/memory/4412-26-0x00000000007D0000-0x00000000008B3000-memory.dmp	family_cryptbot

Manipulates Digital Signatures 1 TTPs 3 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

Processes:

certutil.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL"	certutil.exe

Executes dropped EXE 2 IoCs

Processes:

Impaziente.comImpaziente.com

pid process

5108 Impaziente.com
4412 Impaziente.com
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
5108	Impaziente.com
4412	Impaziente.com

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

150cc6fff4a7fca07ff09a3e37fb7828_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	150cc6fff4a7fca07ff09a3e37fb7828_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Impaziente.com

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Impaziente.com
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Impaziente.com

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

832 PING.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Impaziente.com

pid process

4412 Impaziente.com
4412 Impaziente.com

pid	process
832	PING.EXE

pid	process
4412	Impaziente.com
4412	Impaziente.com

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

150cc6fff4a7fca07ff09a3e37fb7828_JaffaCakes118.execmd.execmd.exeImpaziente.com

description	pid	process	target process
PID 2328 wrote to memory of 2100	2328	150cc6fff4a7fca07ff09a3e37fb7828_JaffaCakes118.exe	cmd.exe
PID 2328 wrote to memory of 2100	2328	150cc6fff4a7fca07ff09a3e37fb7828_JaffaCakes118.exe	cmd.exe
PID 2328 wrote to memory of 2100	2328	150cc6fff4a7fca07ff09a3e37fb7828_JaffaCakes118.exe	cmd.exe
PID 2328 wrote to memory of 2064	2328	150cc6fff4a7fca07ff09a3e37fb7828_JaffaCakes118.exe	cmd.exe
PID 2328 wrote to memory of 2064	2328	150cc6fff4a7fca07ff09a3e37fb7828_JaffaCakes118.exe	cmd.exe
PID 2328 wrote to memory of 2064	2328	150cc6fff4a7fca07ff09a3e37fb7828_JaffaCakes118.exe	cmd.exe
PID 2064 wrote to memory of 1472	2064	cmd.exe	certutil.exe
PID 2064 wrote to memory of 1472	2064	cmd.exe	certutil.exe
PID 2064 wrote to memory of 1472	2064	cmd.exe	certutil.exe
PID 2064 wrote to memory of 2824	2064	cmd.exe	cmd.exe
PID 2064 wrote to memory of 2824	2064	cmd.exe	cmd.exe
PID 2064 wrote to memory of 2824	2064	cmd.exe	cmd.exe
PID 2824 wrote to memory of 1008	2824	cmd.exe	findstr.exe
PID 2824 wrote to memory of 1008	2824	cmd.exe	findstr.exe
PID 2824 wrote to memory of 1008	2824	cmd.exe	findstr.exe
PID 2824 wrote to memory of 992	2824	cmd.exe	certutil.exe
PID 2824 wrote to memory of 992	2824	cmd.exe	certutil.exe
PID 2824 wrote to memory of 992	2824	cmd.exe	certutil.exe
PID 2824 wrote to memory of 5108	2824	cmd.exe	Impaziente.com
PID 2824 wrote to memory of 5108	2824	cmd.exe	Impaziente.com
PID 2824 wrote to memory of 5108	2824	cmd.exe	Impaziente.com
PID 2824 wrote to memory of 832	2824	cmd.exe	PING.EXE
PID 2824 wrote to memory of 832	2824	cmd.exe	PING.EXE
PID 2824 wrote to memory of 832	2824	cmd.exe	PING.EXE
PID 5108 wrote to memory of 4412	5108	Impaziente.com	Impaziente.com
PID 5108 wrote to memory of 4412	5108	Impaziente.com	Impaziente.com
PID 5108 wrote to memory of 4412	5108	Impaziente.com	Impaziente.com

C:\Users\Admin\AppData\Local\Temp\150cc6fff4a7fca07ff09a3e37fb7828_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\150cc6fff4a7fca07ff09a3e37fb7828_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2328

C:\Windows\SysWOW64\cmd.exe
cmd /c NNEC
2⤵
PID:2100

C:\Windows\SysWOW64\cmd.exe
cmd /c certutil -decode Pensa.wms Amo.xlsm & cmd < Amo.xlsm
2⤵
- Suspicious use of WriteProcessMemory
PID:2064

C:\Windows\SysWOW64\certutil.exe
certutil -decode Pensa.wms Amo.xlsm
3⤵
- Manipulates Digital Signatures
PID:1472

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Suspicious use of WriteProcessMemory
PID:2824

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^rPyEJrQNgnNYOJGHLllEjPZqOOhyalmXfkvNlTpNlvGFYUgFTTjIkzZgQtPVPLctYQJChSvRqbxPpzwTmHjmXQLVjoXyrgXm$" Bonta.dll
4⤵
PID:1008

C:\Windows\SysWOW64\certutil.exe
certutil -decode Cancellata.pdf v
4⤵
PID:992

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Impaziente.com
Impaziente.com v
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5108

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Impaziente.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Impaziente.com v
5⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
PID:4412

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
4⤵
- Runs ping.exe
PID:832

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amo.xlsm
Filesize
103KB

MD5
b1569f5b72901aa0c93e8b12bc8d4735

SHA1
40fb7e32396524b39734e121d9a6f38b04813465

SHA256
8e8ef98552fe9397b33c194be13c6162a37e7d763d4eae354e427fbaa9628b42

SHA512
6e249e280b5eb010aa1b634b086cd8a7e1d05c06bb2d19f31bbda27842ac04a4841a5703abc118bb5391bbf823c712f3cca4412712f7367fd607ff8e0b706723

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Andiate.jpg
Filesize
888KB

MD5
b2552098717ccc7b6712cd59fd2a8642

SHA1
0b69645cf69af1932a2af8e2b0c6c826e1d65fda

SHA256
9a279bffce95308df7e8e0a5bd788c5785d82f5002f455f5f3ea298e30d4339a

SHA512
9d93ea0b4639cc79af9f25d4f00211719d06b97a47bc45be2071089bf49c4cba9ec8c6f2a5f033fe6fc89eb71cbe6d049e58ca35ff97c8f4e9aea52ec03c8f35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bonta.dll
Filesize
921KB

MD5
26899137853937bb8068032b77b8ff24

SHA1
5848cf42dd20054ec8d1d5e4a74cc100904ced3d

SHA256
59d9b2a6684a4b7d88fd25b0ae80c267db667172b8e87531a7de29a1a9f356a9

SHA512
ecd1c36bcfbd12a063cd1e9f8e1015b1fa5e88749c29852f24efe9b1dbe7f96769bfba2d07cd3efc24bfeade3a1bbacdece85510607e0f931d1ed5eb9bd99d81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cancellata.pdf
Filesize
540KB

MD5
aaaf75ec5a1703205397df5c268153a0

SHA1
c55b053bc37ef5025766ed4c8d27d666e83d6ac9

SHA256
b549a3ce1f9349fcc17843c6d2997a07b41de74ee91a85311462304d8fea503c

SHA512
0ae29a091071485d3da3a9a042b96d77a3699a4a08a1d0f6e61baa8008f4a10f49631ed209f321876c66e19453475224540524b1e251ef4d0c580f89b65ec451

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Impaziente.com
Filesize
921KB

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pensa.wms
Filesize
143KB

MD5
104094356b76688e39c145e72ae47c1f

SHA1
7ad4a21e54df68a654d60bd376737074a8b46d12

SHA256
ced57416210a03c632d11634c839da10e9d696742bdecc37435f9bea6eca9003

SHA512
5837a50aea46b5ea70e156350ed9a8ba692a92b4ca67cfacebcf04757c08bb397a0018f4e440a88da559c4c38bbe46c6238b3b37411256f11a3cb7b774eefb64

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v
Filesize
391KB

MD5
cd5dd08e9bccf743f473866f2a1332cc

SHA1
4b04a9646493eb634791882af5821f2bf2f1a521

SHA256
27b93f39c6d6f3edda2e7bdaa5743c93d073d86bad715e7f9b37a20da1d925b6

SHA512
03631e23b2963056bbd72080b0e00530ab57de6c6f45870f4ce8e16ea2cb4d585d9f7153886778d4edebf5f22fe54956f2c4b45c88e08024b09846e73a16a83f

Download Submit
C:\Users\Admin\AppData\Local\Temp\PZIhmWab\VKtRCMuEVHo.zip
Filesize
50KB

MD5
6fe743809fcc9b680bf2930213797cbb

SHA1
246a09fa1f1fd2e104c56b1d72ee17586c367767

SHA256
f025d880ac63e25bfe0581e7d7cec7f9f70726931a2b3c2ed85d75d328e84ee7

SHA512
90e945c23caacd771281accf475dc9d3bb6d8ee82f5961084c769767ddab19fabe1e2406d77fa577c64c1b45aea2c642856264969552f8de0a0d53082475ae35

Download Submit
C:\Users\Admin\AppData\Local\Temp\PZIhmWab\_Files\_Information.txt
Filesize
1KB

MD5
e0242ec428528589d0d9b488b28239a3

SHA1
8fd4c95da5245df6d0b98f081864b83bf8a39476

SHA256
484a6d347f7e788b6e307de23faec849de41f7c0f4e8b3dd217395bce48bc3e2

SHA512
a9f2661226c57d7423ea86107d731f2a4d0f00816213abbd69a00b1587f58ce0a20d3e96b125088b31cd364ff84d656cf243e1325becb3997c97e472538a85e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\PZIhmWab\_Files\_Information.txt
Filesize
4KB

MD5
504fa615607fb2d5d5ec37852be6e329

SHA1
30c5ca2c4e51439be0be3a71b98aa2a4174a1185

SHA256
06abeb6154914433deb2c57c472f9a2f5fd009d47383e04d7899e60a6bfe25b1

SHA512
9572850dea72a420971204e2e453f04dc947383b08e40e728acf7513a94b33d7ac79bdaa99ada72ab0f99913e1881b7cdd7bf900552dace95db11edec2b9beb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\PZIhmWab\_Files\_Screen_Desktop.jpeg
Filesize
55KB

MD5
dbb379b477ccffcb80ca2e949fd5eaf4

SHA1
279aba95f06ea96a3a0b3e06d82c949c3fba4506

SHA256
4a767e85d33d0b34a85b69c61d5b8a18b6c3de180fc72ccd3c67d41801d3e941

SHA512
a5d9ddcfe0ff61b69ed12ade80589260f26c876e6f865a6a8b0db55d4d7a327330f53372e8663b645d1abcf235c65375f6fb6e5f368739775aaea1b1e7374fba

Download Submit
C:\Users\Admin\AppData\Local\Temp\PZIhmWab\files_\system_info.txt
Filesize
7KB

MD5
87c6551d95a344121da2059e242754aa

SHA1
5048c66d9c53ff9a7159b2ae66e075891da04905

SHA256
f06b7cf4e70f2f763c8e64abd7c5ffd2725eaf4755ed6d02f7638e38e916d11a

SHA512
f802f840d4e94af2863eaa8ad286cf971f1608e2ea88fe720960cbdc178afa980b6eab242d2a1f38da025b47edb5467bc5e4bf611cdd6eacf645e815937351eb

Download Submit
memory/4412-24-0x00000000007D0000-0x00000000008B3000-memory.dmp

Filesize
908KB

Download
memory/4412-26-0x00000000007D0000-0x00000000008B3000-memory.dmp

Filesize
908KB

Download
memory/4412-27-0x00000000007D0000-0x00000000008B3000-memory.dmp

Filesize
908KB

Download
memory/4412-25-0x00000000007D0000-0x00000000008B3000-memory.dmp

Filesize
908KB

Download
memory/4412-23-0x00000000007D0000-0x00000000008B3000-memory.dmp

Filesize
908KB

Download
memory/4412-22-0x00000000007D0000-0x00000000008B3000-memory.dmp

Filesize
908KB

Download