cryptbot | 86a67fa63d48d6a4ffb95f26a3c0a2ffcb9819422766c94a3a3d6b45944f7c62

Analysis

max time kernel
149s
max time network
146s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
07-04-2024 11:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e4dbf85869e7764aaf5032599c98d3c9_JaffaCakes118.exe
Size

1.4MB
MD5

e4dbf85869e7764aaf5032599c98d3c9
SHA1

1e937f87fdccbe88fad3236bca8705f4ded8c4ac
SHA256

86a67fa63d48d6a4ffb95f26a3c0a2ffcb9819422766c94a3a3d6b45944f7c62
SHA512

7b1a0b968b671547ef66a79c989dfd9dc5aaf7bca957c64af5e149467846ea682d83066e91e662ddec2326decab673be48810014b14647cce104ee6dbadfe2e3
SSDEEP

24576:U9VubLNAafeunjgHujoVvRWrW+neNZeA23/wHPISs2YB2jh2Nl5Zgrqd/7KA0pG:KubvGujgHuEVvzYej0oHPM2RkNlcm57X

Score

10^/10

cryptbot discovery persistence spyware stealer

Malware Config

Extracted

Family

cryptbot

lyspoh51.top

morecj05.top

Attributes

payload_url
http://damyeb07.top/download.php?file=lv.exe

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2824-28-0x0000000003A00000-0x0000000003AA3000-memory.dmp	family_cryptbot
behavioral1/memory/2824-29-0x0000000003A00000-0x0000000003AA3000-memory.dmp	family_cryptbot
behavioral1/memory/2824-30-0x0000000003A00000-0x0000000003AA3000-memory.dmp	family_cryptbot
behavioral1/memory/2824-31-0x0000000003A00000-0x0000000003AA3000-memory.dmp	family_cryptbot
behavioral1/memory/2824-251-0x0000000003A00000-0x0000000003AA3000-memory.dmp	family_cryptbot

Executes dropped EXE 2 IoCs

Processes:

Naufrago.exe.comNaufrago.exe.com

pid process

2584 Naufrago.exe.com
2824 Naufrago.exe.com
Loads dropped DLL 2 IoCs

Processes:

cmd.exeNaufrago.exe.com

pid process

2884 cmd.exe
2584 Naufrago.exe.com
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2884	cmd.exe
2584	Naufrago.exe.com

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

e4dbf85869e7764aaf5032599c98d3c9_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e4dbf85869e7764aaf5032599c98d3c9_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Naufrago.exe.com

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Naufrago.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Naufrago.exe.com

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2636 PING.EXE

pid	process
2636	PING.EXE

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

Naufrago.exe.comNaufrago.exe.com

pid	process
2584	Naufrago.exe.com
2584	Naufrago.exe.com
2584	Naufrago.exe.com
2824	Naufrago.exe.com
2824	Naufrago.exe.com
2824	Naufrago.exe.com
2824	Naufrago.exe.com
2824	Naufrago.exe.com

Suspicious use of SendNotifyMessage 6 IoCs

Processes:

Naufrago.exe.comNaufrago.exe.com

pid process

2584 Naufrago.exe.com
2584 Naufrago.exe.com
2584 Naufrago.exe.com
2824 Naufrago.exe.com
2824 Naufrago.exe.com
2824 Naufrago.exe.com

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

e4dbf85869e7764aaf5032599c98d3c9_JaffaCakes118.execmd.execmd.exeNaufrago.exe.com

description	pid	process	target process
PID 2068 wrote to memory of 2176	2068	e4dbf85869e7764aaf5032599c98d3c9_JaffaCakes118.exe	dllhost.exe
PID 2068 wrote to memory of 2176	2068	e4dbf85869e7764aaf5032599c98d3c9_JaffaCakes118.exe	dllhost.exe
PID 2068 wrote to memory of 2176	2068	e4dbf85869e7764aaf5032599c98d3c9_JaffaCakes118.exe	dllhost.exe
PID 2068 wrote to memory of 2176	2068	e4dbf85869e7764aaf5032599c98d3c9_JaffaCakes118.exe	dllhost.exe
PID 2068 wrote to memory of 1804	2068	e4dbf85869e7764aaf5032599c98d3c9_JaffaCakes118.exe	cmd.exe
PID 2068 wrote to memory of 1804	2068	e4dbf85869e7764aaf5032599c98d3c9_JaffaCakes118.exe	cmd.exe
PID 2068 wrote to memory of 1804	2068	e4dbf85869e7764aaf5032599c98d3c9_JaffaCakes118.exe	cmd.exe
PID 2068 wrote to memory of 1804	2068	e4dbf85869e7764aaf5032599c98d3c9_JaffaCakes118.exe	cmd.exe
PID 1804 wrote to memory of 2884	1804	cmd.exe	cmd.exe
PID 1804 wrote to memory of 2884	1804	cmd.exe	cmd.exe
PID 1804 wrote to memory of 2884	1804	cmd.exe	cmd.exe
PID 1804 wrote to memory of 2884	1804	cmd.exe	cmd.exe
PID 2884 wrote to memory of 2532	2884	cmd.exe	findstr.exe
PID 2884 wrote to memory of 2532	2884	cmd.exe	findstr.exe
PID 2884 wrote to memory of 2532	2884	cmd.exe	findstr.exe
PID 2884 wrote to memory of 2532	2884	cmd.exe	findstr.exe
PID 2884 wrote to memory of 2584	2884	cmd.exe	Naufrago.exe.com
PID 2884 wrote to memory of 2584	2884	cmd.exe	Naufrago.exe.com
PID 2884 wrote to memory of 2584	2884	cmd.exe	Naufrago.exe.com
PID 2884 wrote to memory of 2584	2884	cmd.exe	Naufrago.exe.com
PID 2884 wrote to memory of 2636	2884	cmd.exe	PING.EXE
PID 2884 wrote to memory of 2636	2884	cmd.exe	PING.EXE
PID 2884 wrote to memory of 2636	2884	cmd.exe	PING.EXE
PID 2884 wrote to memory of 2636	2884	cmd.exe	PING.EXE
PID 2584 wrote to memory of 2824	2584	Naufrago.exe.com	Naufrago.exe.com
PID 2584 wrote to memory of 2824	2584	Naufrago.exe.com	Naufrago.exe.com
PID 2584 wrote to memory of 2824	2584	Naufrago.exe.com	Naufrago.exe.com
PID 2584 wrote to memory of 2824	2584	Naufrago.exe.com	Naufrago.exe.com

C:\Users\Admin\AppData\Local\Temp\e4dbf85869e7764aaf5032599c98d3c9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e4dbf85869e7764aaf5032599c98d3c9_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2068

C:\Windows\SysWOW64\dllhost.exe
dllhost.exe
2⤵
PID:2176

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Ore.mid
2⤵
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2884

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^TsnBsoCmfklVmpndLzwEdrlekuDBjXalIgQvIAieVclRTWGoGGYRoMDPicdkEqjaSqjkaeIlkZIUTaofmxVFYAeWKwgjlWbVpRYTJcQDYOGorJVOjwLltGzsYdAsNcZfCNKexfFtDaGlU$" Implorando.mid
4⤵
PID:2532

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Naufrago.exe.com
Naufrago.exe.com G
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2584

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Naufrago.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Naufrago.exe.com G
5⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2824

C:\Windows\SysWOW64\PING.EXE
ping BISMIZHX -n 30
4⤵
- Runs ping.exe
PID:2636

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Implorando.mid
Filesize
872KB

MD5
37ff73dabe362f9298351c8693cb8725

SHA1
30344545902a4e23fb4313bd93d16205536f55eb

SHA256
c294a1bb47c7f107272d37b86c758039920f066701ba06b439646385b621214f

SHA512
31f52019c81b2fee5ab2def4c0801f07a16ea58b9b326921f164095f3c34df644d7a3a27dd1a8772e173f73a717c7fa724b399883ae6f43b4678d87d157e99a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ore.mid
Filesize
660B

MD5
3eb2d46a619ae2119e3aae57ff87a051

SHA1
cdae20ad65fe853a7f5193d30b4ed541291d10b2

SHA256
45b63d95d59e900b9d0a065694ecd5049d822f768a7324962a3fb8d8c14d447f

SHA512
e975d17b44def8a837fb6c8e6284a4630e8f2eb3ba08144dda44ed42c9a05e26e977e1b6e0e3c38037a080a731f0c2490d03e1485069b52da992da6429423349

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sorso.mid
Filesize
700KB

MD5
912beeb3b0a46f21952b72dbcd598c58

SHA1
adf632d0da955983b00c25a25a0f3ef8e4e9cdbd

SHA256
2e08a01b1806b7eb7a945043a1e20fd0a4cd182fa5a06b02169dcfea3f10c871

SHA512
3264d65f58ec079a9dc42608e270e709e898cee88bb9c0eaa3a3d8a7b084b51a62d1c12a0ec27740a1f3d4f472f7ad1451048e71bc73e7cf82e3e1891415ca6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Specie.mid
Filesize
634KB

MD5
f27f237a4cb2dc1778854ad6b0aa4072

SHA1
afc03486054cd003a21e2b0be2535a4859befaa2

SHA256
221e356e2c0892ad0b209edb29f17dd147ea7a3f8cf6b4e36160b23030d24685

SHA512
d7595174e5be53518d9d4d793c8a53e5528b2affaceb2e8b1e77e0762693ef39fc79af176f2e27d83599a66dc621ab2fcb3e68abd5924c4f69af16695c55d771

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mxn2qoZBOg6v\V6j6Ttk3PW1n.zip
Filesize
35KB

MD5
c96fc6ceb0d5fd83c94eab88c80f2deb

SHA1
90e676dd7e4ea6cc4dd91e46a110209eac571da5

SHA256
8386b256feca3362013a24a919f55480c93437276bb287f0e2469ddbf4e460f0

SHA512
620bc0e2fd7178a3d2ef98304d2b7664e8460fc904344727aaf2ab94b2b155f9f9d33158cd8924796b865da0b7349386f02125760c0f5eefec971e335c445a04

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mxn2qoZBOg6v\_Files\_Information.txt
Filesize
4KB

MD5
9c976198b46e261f4a2d90858b569440

SHA1
2b17f69f3d5df21e0681be85fad1cc8b78c34104

SHA256
e1f23b289643cccbd38aa6ddf737514dec67fdcab8c4def72e9cfd05632cc912

SHA512
37a1a063d80ad66b31d693b3654d0b96f5898810fb2845c14536a1901df2fcd847d646343c3db8580a3f90997949c80d317c952d4d86a49a72f190864ea92b6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mxn2qoZBOg6v\_Files\_Information.txt
Filesize
1KB

MD5
797b178e73c5e7b2ffd610cc3a7373b7

SHA1
3a17be106a598486a03841f2d688981d260713f9

SHA256
b60b779faee9a86fd25942e41d6bb1213b65457d3d65be6e33b84a8c6859b08b

SHA512
56d5ae7e1056c9d7f482a307960fc1b1075edc0e66d78689edcc3b8c452410f32b3310a7bc623ca499195906ad3fcd3a42680626a5f324c47f0bfa1fec51357d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mxn2qoZBOg6v\_Files\_Information.txt
Filesize
1KB

MD5
cb0ab4452d85bb224b7189bab67a9274

SHA1
4da143c04ff0d66e403f52f66c0e5c9f64f9c989

SHA256
34619f7d32b90e660dc444327fa1ee73b7eaf5d3760be7509f6ce0bea9282105

SHA512
d60efd2d694ffc3974603b6d73ec856f5bf50720a180b63f36df4c5fc44d7240770339a750df1ec35e7addbba4114caf5c29f1a7fb3cc3f92e93a371f8374276

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mxn2qoZBOg6v\_Files\_Information.txt
Filesize
3KB

MD5
bb9b581c2fbc2b72c74495bfb47b986d

SHA1
c9743c0071bcf79d36d58674e7c623511002ccbc

SHA256
9b063d27f485eab6d65de047689f8c81f3c14847a9c343f5ecf68378ae90d172

SHA512
3397d79cb7b562e4476fcf585b92295f276e40152f12ad746d00dcf38cbef5a280f68cc0207afc972712fb52183068acc13b565f66dd4171581a4756122b547c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mxn2qoZBOg6v\_Files\_Information.txt
Filesize
3KB

MD5
e60b41e21bb02e6114db037f8f99ec4d

SHA1
40ed8d60b0b4dbf4af55c5f77445db512082906c

SHA256
39da526e49d7d5fe313992d333e41114319e8843b23dad7f9ec88d63c3058ebe

SHA512
47cd926c9b8b0d560637a5a77c1705c809bdb6aaacdac39e72cb1659544b7206244cc29f21df38e13f296e06eb375dae3b6096e818a23d3b1312b5c775b9e1e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mxn2qoZBOg6v\_Files\_Information.txt
Filesize
3KB

MD5
14fb441953acb09cb5ce030e9be95fbf

SHA1
e52c32b89070381557cd34c846feaaf478a36f0e

SHA256
1c72daa2cb576dab4cba074f918322b989ea7e4c2ed670b7e199b6cf410081f2

SHA512
308003098ce5ed1bfbac08f89190dd25f6a1e44e24434178addc06a9fd7e0b4a250358eeed10e0c0f459afbda383fe92b46aab69f92a521d2e6d30c6bb85cd29

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mxn2qoZBOg6v\_Files\_Screen_Desktop.jpeg
Filesize
43KB

MD5
e7af687d22eb0a2c5dae6461ec751ca1

SHA1
b369230b1d0cc456bcac0fe525a07f34cc89e964

SHA256
b506018534e59859f2a11f7d7b428252d216f8553373e39000b7d7519a119980

SHA512
72062c5f68e222cd394c74e8c4d49aa7ef65e479456b3c6e39880fd85e3a2377b0b22c7a0e316fe2175252e220b68d0e1441e0aa25ab21f12f9c5b4523c2e9bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mxn2qoZBOg6v\files_\system_info.txt
Filesize
1KB

MD5
774096e43d36f4a1767d1f25ef0cd760

SHA1
b8cd6b11c72c1a24b2aba6e8494606a92ce53ab4

SHA256
b4fe09719caf2773392bda9f0d868515cce47d303464221bb8ec0dfac2a37eb4

SHA512
b4fbb711520aed472cd7cacefd757f0a5f649d2c07d4cfb86d5ec561a2c01aa7d5156bc005fcc0499ddaa33e1b6bd546397a03e438ae430b558c2bf3858c2406

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mxn2qoZBOg6v\files_\system_info.txt
Filesize
8KB

MD5
f5add35924bbaf994b98a34eb0ed2ecd

SHA1
d49fb95b70d6138d4b312daa4f4b9012ada6702c

SHA256
752957e28739c1a45d10ff1327cde5fd21e77391346aa98e1cc3862b1e04601d

SHA512
7ed0232b11409527683b03d5966d53b21383cdea08f6955719e4917da67d303fb4d0e425a60ade35800410e9566b0d3f951a57c355096e169c05dd19996ae4e7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Naufrago.exe.com
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/2824-25-0x0000000003A00000-0x0000000003AA3000-memory.dmp

Filesize
652KB

Download
memory/2824-32-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download
memory/2824-31-0x0000000003A00000-0x0000000003AA3000-memory.dmp

Filesize
652KB

Download
memory/2824-30-0x0000000003A00000-0x0000000003AA3000-memory.dmp

Filesize
652KB

Download
memory/2824-29-0x0000000003A00000-0x0000000003AA3000-memory.dmp

Filesize
652KB

Download
memory/2824-28-0x0000000003A00000-0x0000000003AA3000-memory.dmp

Filesize
652KB

Download
memory/2824-27-0x0000000003A00000-0x0000000003AA3000-memory.dmp

Filesize
652KB

Download
memory/2824-26-0x0000000003A00000-0x0000000003AA3000-memory.dmp

Filesize
652KB

Download
memory/2824-251-0x0000000003A00000-0x0000000003AA3000-memory.dmp

Filesize
652KB

Download
memory/2824-252-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download
memory/2824-24-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download