cryptbot | 86a67fa63d48d6a4ffb95f26a3c0a2ffcb9819422766c94a3a3d6b45944f7c62

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07-04-2024 11:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e4dbf85869e7764aaf5032599c98d3c9_JaffaCakes118.exe
Size

1.4MB
MD5

e4dbf85869e7764aaf5032599c98d3c9
SHA1

1e937f87fdccbe88fad3236bca8705f4ded8c4ac
SHA256

86a67fa63d48d6a4ffb95f26a3c0a2ffcb9819422766c94a3a3d6b45944f7c62
SHA512

7b1a0b968b671547ef66a79c989dfd9dc5aaf7bca957c64af5e149467846ea682d83066e91e662ddec2326decab673be48810014b14647cce104ee6dbadfe2e3
SSDEEP

24576:U9VubLNAafeunjgHujoVvRWrW+neNZeA23/wHPISs2YB2jh2Nl5Zgrqd/7KA0pG:KubvGujgHuEVvzYej0oHPM2RkNlcm57X

Score

10^/10

cryptbot discovery persistence spyware stealer

Malware Config

Extracted

Family

cryptbot

lyspoh51.top

morecj05.top

Attributes

payload_url
http://damyeb07.top/download.php?file=lv.exe

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1016-25-0x0000000004730000-0x00000000047D3000-memory.dmp	family_cryptbot
behavioral2/memory/1016-26-0x0000000004730000-0x00000000047D3000-memory.dmp	family_cryptbot
behavioral2/memory/1016-27-0x0000000004730000-0x00000000047D3000-memory.dmp	family_cryptbot
behavioral2/memory/1016-29-0x0000000004730000-0x00000000047D3000-memory.dmp	family_cryptbot
behavioral2/memory/1016-237-0x0000000004730000-0x00000000047D3000-memory.dmp	family_cryptbot

Executes dropped EXE 2 IoCs

Processes:

Naufrago.exe.comNaufrago.exe.com

pid process

3732 Naufrago.exe.com
1016 Naufrago.exe.com
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

e4dbf85869e7764aaf5032599c98d3c9_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e4dbf85869e7764aaf5032599c98d3c9_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Naufrago.exe.com

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Naufrago.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Naufrago.exe.com

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

756 PING.EXE

pid	process
756	PING.EXE

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

Naufrago.exe.comNaufrago.exe.com

pid	process
3732	Naufrago.exe.com
3732	Naufrago.exe.com
3732	Naufrago.exe.com
1016	Naufrago.exe.com
1016	Naufrago.exe.com
1016	Naufrago.exe.com
1016	Naufrago.exe.com
1016	Naufrago.exe.com

Suspicious use of SendNotifyMessage 6 IoCs

Processes:

Naufrago.exe.comNaufrago.exe.com

pid process

3732 Naufrago.exe.com
3732 Naufrago.exe.com
3732 Naufrago.exe.com
1016 Naufrago.exe.com
1016 Naufrago.exe.com
1016 Naufrago.exe.com

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

e4dbf85869e7764aaf5032599c98d3c9_JaffaCakes118.execmd.execmd.exeNaufrago.exe.com

description	pid	process	target process
PID 1760 wrote to memory of 2112	1760	e4dbf85869e7764aaf5032599c98d3c9_JaffaCakes118.exe	dllhost.exe
PID 1760 wrote to memory of 2112	1760	e4dbf85869e7764aaf5032599c98d3c9_JaffaCakes118.exe	dllhost.exe
PID 1760 wrote to memory of 2112	1760	e4dbf85869e7764aaf5032599c98d3c9_JaffaCakes118.exe	dllhost.exe
PID 1760 wrote to memory of 4832	1760	e4dbf85869e7764aaf5032599c98d3c9_JaffaCakes118.exe	cmd.exe
PID 1760 wrote to memory of 4832	1760	e4dbf85869e7764aaf5032599c98d3c9_JaffaCakes118.exe	cmd.exe
PID 1760 wrote to memory of 4832	1760	e4dbf85869e7764aaf5032599c98d3c9_JaffaCakes118.exe	cmd.exe
PID 4832 wrote to memory of 3836	4832	cmd.exe	cmd.exe
PID 4832 wrote to memory of 3836	4832	cmd.exe	cmd.exe
PID 4832 wrote to memory of 3836	4832	cmd.exe	cmd.exe
PID 3836 wrote to memory of 1104	3836	cmd.exe	findstr.exe
PID 3836 wrote to memory of 1104	3836	cmd.exe	findstr.exe
PID 3836 wrote to memory of 1104	3836	cmd.exe	findstr.exe
PID 3836 wrote to memory of 3732	3836	cmd.exe	Naufrago.exe.com
PID 3836 wrote to memory of 3732	3836	cmd.exe	Naufrago.exe.com
PID 3836 wrote to memory of 3732	3836	cmd.exe	Naufrago.exe.com
PID 3836 wrote to memory of 756	3836	cmd.exe	PING.EXE
PID 3836 wrote to memory of 756	3836	cmd.exe	PING.EXE
PID 3836 wrote to memory of 756	3836	cmd.exe	PING.EXE
PID 3732 wrote to memory of 1016	3732	Naufrago.exe.com	Naufrago.exe.com
PID 3732 wrote to memory of 1016	3732	Naufrago.exe.com	Naufrago.exe.com
PID 3732 wrote to memory of 1016	3732	Naufrago.exe.com	Naufrago.exe.com

C:\Users\Admin\AppData\Local\Temp\e4dbf85869e7764aaf5032599c98d3c9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e4dbf85869e7764aaf5032599c98d3c9_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\SysWOW64\dllhost.exe
dllhost.exe
2⤵
PID:2112

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Ore.mid
2⤵
- Suspicious use of WriteProcessMemory
PID:4832

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Suspicious use of WriteProcessMemory
PID:3836

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^TsnBsoCmfklVmpndLzwEdrlekuDBjXalIgQvIAieVclRTWGoGGYRoMDPicdkEqjaSqjkaeIlkZIUTaofmxVFYAeWKwgjlWbVpRYTJcQDYOGorJVOjwLltGzsYdAsNcZfCNKexfFtDaGlU$" Implorando.mid
4⤵
PID:1104

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Naufrago.exe.com
Naufrago.exe.com G
4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3732

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Naufrago.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Naufrago.exe.com G
5⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1016

C:\Windows\SysWOW64\PING.EXE
ping JKRSODLE -n 30
4⤵
- Runs ping.exe
PID:756

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Implorando.mid
Filesize
872KB

MD5
37ff73dabe362f9298351c8693cb8725

SHA1
30344545902a4e23fb4313bd93d16205536f55eb

SHA256
c294a1bb47c7f107272d37b86c758039920f066701ba06b439646385b621214f

SHA512
31f52019c81b2fee5ab2def4c0801f07a16ea58b9b326921f164095f3c34df644d7a3a27dd1a8772e173f73a717c7fa724b399883ae6f43b4678d87d157e99a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Naufrago.exe.com
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ore.mid
Filesize
660B

MD5
3eb2d46a619ae2119e3aae57ff87a051

SHA1
cdae20ad65fe853a7f5193d30b4ed541291d10b2

SHA256
45b63d95d59e900b9d0a065694ecd5049d822f768a7324962a3fb8d8c14d447f

SHA512
e975d17b44def8a837fb6c8e6284a4630e8f2eb3ba08144dda44ed42c9a05e26e977e1b6e0e3c38037a080a731f0c2490d03e1485069b52da992da6429423349

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sorso.mid
Filesize
700KB

MD5
912beeb3b0a46f21952b72dbcd598c58

SHA1
adf632d0da955983b00c25a25a0f3ef8e4e9cdbd

SHA256
2e08a01b1806b7eb7a945043a1e20fd0a4cd182fa5a06b02169dcfea3f10c871

SHA512
3264d65f58ec079a9dc42608e270e709e898cee88bb9c0eaa3a3d8a7b084b51a62d1c12a0ec27740a1f3d4f472f7ad1451048e71bc73e7cf82e3e1891415ca6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Specie.mid
Filesize
634KB

MD5
f27f237a4cb2dc1778854ad6b0aa4072

SHA1
afc03486054cd003a21e2b0be2535a4859befaa2

SHA256
221e356e2c0892ad0b209edb29f17dd147ea7a3f8cf6b4e36160b23030d24685

SHA512
d7595174e5be53518d9d4d793c8a53e5528b2affaceb2e8b1e77e0762693ef39fc79af176f2e27d83599a66dc621ab2fcb3e68abd5924c4f69af16695c55d771

Download Submit
C:\Users\Admin\AppData\Local\Temp\eSYrcY3L8\SrsEDIIIKy1s.zip
Filesize
38KB

MD5
5cbac01d7a5b5234e22598806bc4167e

SHA1
97b07909deacedc4a7358c671b2fbafd60aa959f

SHA256
6fa028c64fb149f8506ca925da81a26506e2a4dff296d0cf0b1a7c3e95c9919b

SHA512
1f6daeb08887c146f84804737c974a4f9bedf0daeb9db3ae24f4333a6b2ba10c8dd1335924266c525c28dbcb50ca47dfb426aa116e351cf9fac5918ad40f2faa

Download Submit
C:\Users\Admin\AppData\Local\Temp\eSYrcY3L8\_Files\_Information.txt
Filesize
1KB

MD5
42b8dd9045a86263fdd1f4ff120bf313

SHA1
3e5a1ea44bc1aaa03aee2a17dc4aebb63aac34bf

SHA256
17c4cc6e4ec8b37329bf4da887da7430be297a7830289d68aaa9d5e9b5c8538b

SHA512
5761fc3fff34e0c33d59c9908ba23787349646010b7760db6cdba14cd783ac132ddae86b82d066f0e73b40319a026c018fcc9c1b119ea0d4dd34c327609cbee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\eSYrcY3L8\_Files\_Information.txt
Filesize
1KB

MD5
c29ac03a8080df3921a6ab57a5e944c6

SHA1
3a73e63b957088423895bf1835c8c8334a6ed4f3

SHA256
90bae1f593ba794b8dad4cd296ed942b74df53348761178553ed01ff61adb113

SHA512
92fd3b0936cb9dd3919470d8851a07060782d8d5034d8df12eb5f82690e0fb58f92386010107cc5ba0fb1b1604932570b0cafe2235d9afbab58d163c3e565905

Download Submit
C:\Users\Admin\AppData\Local\Temp\eSYrcY3L8\_Files\_Information.txt
Filesize
4KB

MD5
c5ab7db085873c20ccc960b1e76b887e

SHA1
2c8d036ab3005c65483bb7f0cc70231ec7ef39f3

SHA256
f13051ef79e5e8dd8c1612205a76d40f781b85cd1f2b5c5e83ca9cb6a0f902a4

SHA512
843b106287d7bd71ac86d57c4ffb88cf8ed0afc7bb5752b6e9e95fd8d4b4f3da0f44f2a4719be6ef0ed3d4f08628f1f655a1b9b1943c70debd7e10ae5719e0b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\eSYrcY3L8\_Files\_Screen_Desktop.jpeg
Filesize
44KB

MD5
0303babcb80b13d3ca35b991c5448f35

SHA1
07edff1569d4abb4f1a867e815c1bd7f28b0fc49

SHA256
a9819d1527d11a8895a658d9c621c3014209d4e68bf49a4b355e123f8c9c04f8

SHA512
158e0015389f3e71895cbb7d82fa745f6bb0bee06fe8b078651f9cd6c82e9d02d09cf0aea25c8c8d0105e7b8a567f93bd5d4e5548252b49736ce2f5c8e5b9384

Download Submit
C:\Users\Admin\AppData\Local\Temp\eSYrcY3L8\files_\system_info.txt
Filesize
700B

MD5
d297a59d81fa4818d0750c3ac9ca4681

SHA1
5f8517dc4bb72d645423c6c0fc76852b0e53e747

SHA256
48aeb56c7b802cedc1ffda5e2bc92eb7207905523e0fc5089cc7dbc9985277fa

SHA512
802b2065d06669f97dbf1130bdb23d7c6d346fda9aab6b19dd18748cb97fedb6d3e1c22d3d29f1d3c45fff0316b469d358a1932f482feb10f99f2496174c6861

Download Submit
C:\Users\Admin\AppData\Local\Temp\eSYrcY3L8\files_\system_info.txt
Filesize
1KB

MD5
7bbdfd1954cb544f3129fd123ce28903

SHA1
fe34f21ee42bac249137daf5f57d80a5d23ea213

SHA256
0e056bdfe93b56170076e833d1af75eb6f387904a043f57fb5f89386b5a023c6

SHA512
3c09e138a1b22858f8175970930da6c52d68c6c27fbe47d30f274c0668c0eb4a2a88b4399379d25e83ecbf1394408a2ee19583965585477bf83e0333bbc99fdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\eSYrcY3L8\files_\system_info.txt
Filesize
4KB

MD5
7d525a7b191e1df275453cb95dfb8bcf

SHA1
d53cf2d8c00514e4536fa799bd8ec9a2eee2057b

SHA256
492cd428f647e0fbf40b1ed39540f91cfed1a3e8889004a1f17e5e79b5080510

SHA512
32cce8cda98f58d60bc0e5ab2d028f8aebe7202c60952f58039a24493f339df2b38cde7be9eb8898eec6d8e14b4841b521093d86592a6af28dcf3199d2d074cc

Download Submit
memory/1016-21-0x0000000002090000-0x0000000002091000-memory.dmp

Filesize
4KB

Download
memory/1016-29-0x0000000004730000-0x00000000047D3000-memory.dmp

Filesize
652KB

Download
memory/1016-27-0x0000000004730000-0x00000000047D3000-memory.dmp

Filesize
652KB

Download
memory/1016-26-0x0000000004730000-0x00000000047D3000-memory.dmp

Filesize
652KB

Download
memory/1016-25-0x0000000004730000-0x00000000047D3000-memory.dmp

Filesize
652KB

Download
memory/1016-24-0x0000000004730000-0x00000000047D3000-memory.dmp

Filesize
652KB

Download
memory/1016-23-0x0000000004730000-0x00000000047D3000-memory.dmp

Filesize
652KB

Download
memory/1016-22-0x0000000004730000-0x00000000047D3000-memory.dmp

Filesize
652KB

Download
memory/1016-237-0x0000000004730000-0x00000000047D3000-memory.dmp

Filesize
652KB

Download