cryptbot | fcd0904bb17ffe18d018643fc90e7e02889c529b529a8a88e7c527403874379f

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/04/2024, 21:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e882a1dd4b17dc254c6480775eacc7bc_JaffaCakes118.exe
Size

1.7MB
MD5

e882a1dd4b17dc254c6480775eacc7bc
SHA1

0f0b5c5dbc4cd3e02009f774e352808712ed607b
SHA256

fcd0904bb17ffe18d018643fc90e7e02889c529b529a8a88e7c527403874379f
SHA512

bb9675f4a9b37e63163c9d810baa3ed1ec3a192b117543aad85ff9a04b07d6aedd80a6d090e623dd583838287f1aa8f0731627f838508a4dbe4bf044c01857fe
SSDEEP

49152:fUKc27m5MIBgW8kLYhNI55KYCOqSwh7Q:fUKcTeIJMk+L9

Score

10^/10

cryptbot discovery persistence spyware stealer

Malware Config

Extracted

Family

cryptbot

smainz71.top

moriwi07.top

Attributes

payload_url
http://guruzo10.top/download.php?file=lv.exe

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 5 IoCs

resource	yara_rule
behavioral1/memory/3180-25-0x0000000004790000-0x0000000004875000-memory.dmp	family_cryptbot
behavioral1/memory/3180-26-0x0000000004790000-0x0000000004875000-memory.dmp	family_cryptbot
behavioral1/memory/3180-27-0x0000000004790000-0x0000000004875000-memory.dmp	family_cryptbot
behavioral1/memory/3180-29-0x0000000004790000-0x0000000004875000-memory.dmp	family_cryptbot
behavioral1/memory/3180-239-0x0000000004790000-0x0000000004875000-memory.dmp	family_cryptbot

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	Contenuti.exe.com

Executes dropped EXE 2 IoCs

pid	Process
216	Contenuti.exe.com
3180	Contenuti.exe.com

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e882a1dd4b17dc254c6480775eacc7bc_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Contenuti.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Contenuti.exe.com

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5540	timeout.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1300	PING.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3180	Contenuti.exe.com
3180	Contenuti.exe.com

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 3828	2432	e882a1dd4b17dc254c6480775eacc7bc_JaffaCakes118.exe	86
PID 2432 wrote to memory of 3828	2432	e882a1dd4b17dc254c6480775eacc7bc_JaffaCakes118.exe	86
PID 2432 wrote to memory of 3828	2432	e882a1dd4b17dc254c6480775eacc7bc_JaffaCakes118.exe	86
PID 2432 wrote to memory of 4104	2432	e882a1dd4b17dc254c6480775eacc7bc_JaffaCakes118.exe	88
PID 2432 wrote to memory of 4104	2432	e882a1dd4b17dc254c6480775eacc7bc_JaffaCakes118.exe	88
PID 2432 wrote to memory of 4104	2432	e882a1dd4b17dc254c6480775eacc7bc_JaffaCakes118.exe	88
PID 4104 wrote to memory of 4948	4104	cmd.exe	91
PID 4104 wrote to memory of 4948	4104	cmd.exe	91
PID 4104 wrote to memory of 4948	4104	cmd.exe	91
PID 4948 wrote to memory of 3612	4948	cmd.exe	92
PID 4948 wrote to memory of 3612	4948	cmd.exe	92
PID 4948 wrote to memory of 3612	4948	cmd.exe	92
PID 4948 wrote to memory of 216	4948	cmd.exe	93
PID 4948 wrote to memory of 216	4948	cmd.exe	93
PID 4948 wrote to memory of 216	4948	cmd.exe	93
PID 4948 wrote to memory of 1300	4948	cmd.exe	95
PID 4948 wrote to memory of 1300	4948	cmd.exe	95
PID 4948 wrote to memory of 1300	4948	cmd.exe	95
PID 216 wrote to memory of 3180	216	Contenuti.exe.com	96
PID 216 wrote to memory of 3180	216	Contenuti.exe.com	96
PID 216 wrote to memory of 3180	216	Contenuti.exe.com	96
PID 3180 wrote to memory of 3156	3180	Contenuti.exe.com	105
PID 3180 wrote to memory of 3156	3180	Contenuti.exe.com	105
PID 3180 wrote to memory of 3156	3180	Contenuti.exe.com	105
PID 3156 wrote to memory of 5540	3156	cmd.exe	107
PID 3156 wrote to memory of 5540	3156	cmd.exe	107
PID 3156 wrote to memory of 5540	3156	cmd.exe	107

C:\Users\Admin\AppData\Local\Temp\e882a1dd4b17dc254c6480775eacc7bc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e882a1dd4b17dc254c6480775eacc7bc_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Windows\SysWOW64\cmd.exe
  cmd /c fbqepGCFd
  2⤵
  PID:3828
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cmd < Ora.xlm
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4104
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4948
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^ypKmqhzNtgipnhvcXHdLgDGTtnRWNRxncoyJrSGvOuHalJqFxChtNsjCDRxCvvZjUINdoMayqTWiVgIcnkBkEfKrVDukbtqaixbBVJbHlirTxyGfpYtl$" Inespresso.xlm
      4⤵
      PID:3612
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Contenuti.exe.com
      Contenuti.exe.com T
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:216
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Contenuti.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Contenuti.exe.com T
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Checks processor information in registry
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:3180
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\ceEvUqANHQa & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Contenuti.exe.com"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3156
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        7⤵
        Delays execution with timeout.exe
        
        PID:5540
  - - C:\Windows\SysWOW64\PING.EXE
      ping SLVJLBBW -n 30
      4⤵
      Runs ping.exe
      PID:1300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Contenuti.exe.com

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Inespresso.xlm

Filesize
872KB

MD5
cf31bde37831552fab013aaf8c9f4be6

SHA1
159fc03c0d082e6c110afa148e7300354015100c

SHA256
bd6b8c5d28904d2b863702b1903f7a916b1233675e3b2a57330855de90e335cd

SHA512
b3e543eef5d17165aed0b608a32c66149660bdf763f507063304e893d74132e167e3e28df8ff32a0e6dce01d3843a5a5c14a0c6754e131cf82c6efe618ed0c1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nemica.xlm

Filesize
894KB

MD5
a04bbed6affbcb15ccce225509cd9ca1

SHA1
a7db9bd56c0abeb9c15fc0deae26c445db95073f

SHA256
27f09926063ca744ba9f0afb85d45df7b4165f757a1ec88a6f68411591c9e005

SHA512
963ef7669e8b1b3eed613da2edd00abb54d5854d2ec93eafcfafa2eaa9f4766b72edecc37134f59727fe1622b59f435583bcc3eecae500cc1e6a2b703f870aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ora.xlm

Filesize
456B

MD5
18b24f12fdd4bd6d5efb8cfbdb678913

SHA1
f5c907df748cce46ed713cae112c5db4a36ba040

SHA256
560533a9c03a9ec0befcfe79bbda4af6302b57a567eff87f0a8b74043b427340

SHA512
c2d019d4e6fbdf22809914d8cd15570f9ac64c0f5cb3bdcbcbb346fa3c1082a564926ceb058337f32c6897f0a620203f2d296bae65516a3dc5436cac2098781a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sara.xlm

Filesize
648KB

MD5
ba75521f7c6ecec854204a48473fbdca

SHA1
c07e7a94203325034a513e93edd5da776e6546a2

SHA256
1b20777078d78e8af6cce703229ee3a1d890f5a91e192923a4ef9c6b64336b25

SHA512
41cb3346993b18a17d395bad25291882cdd2d4b91dce587c4397a8d952e71f6593b13d1c73d6b578c54ac9ba50b93e6c4f4d8247cfc5b5f0546de8f8c94f4a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ceEvUqANHQa\EVJNID~1.ZIP

Filesize
40KB

MD5
4d86940d91070313f465526ca582dd57

SHA1
b9d5bb06d10d0bb267945670ccb9bce661af0c38

SHA256
c552c88246e87d6cc15544d9a33b678bd2da1d5f30a36a1e669067e5863397b6

SHA512
8f02f9ff8040e9d4cbc2b9021e2682cc0bfbc032504a4c164cbdf5207851bd7bcd30662714e8d7f4820b14596dea740bebe2b02fa1735b8ca356a8890e32bd50

Download Submit
C:\Users\Admin\AppData\Local\Temp\ceEvUqANHQa\PQUSCQ~1.ZIP

Filesize
40KB

MD5
9d3c64c98ce87a92bc88eb0b8868208e

SHA1
4131eeec9e24acb29799d3294f9616c95dd91574

SHA256
3c1c2de7869f5db81fac2ac54f716bf8eac9a3e57a0534142ce66e059b070aab

SHA512
4d487205fea3bfac7143a0f88a9e3ce73615a9c9d73d2d982c7510b33fea1a663b2caa16c8402bee5760357201705a87536885e2d745278467147c10967fbb28

Download Submit
C:\Users\Admin\AppData\Local\Temp\ceEvUqANHQa\_Files\_INFOR~1.TXT

Filesize
7KB

MD5
2359c7bc266b4f649602610d51a0ae72

SHA1
94c97d3ec07bf67e46d90587f784e51ab7b7092f

SHA256
6b5212bcdbd9c1484a88b14a694c3c82bbfe60dd65a3b742adc695fe01714a67

SHA512
29054b059b50511237941d18e88ae528b1494463ad9d55f7e3a9dbbaa4772c0cc9c8d2445669a5f528d4603a7262e722437a49fbf6b5bfec715d698492b99baf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ceEvUqANHQa\_Files\_Information.txt

Filesize
3KB

MD5
7350001064ece918075091c50e619d1f

SHA1
c62368a21dc00606444ca7cd8a0c0bdba0914d71

SHA256
0a4080249968f9c7ba10bc379935a8717d4716a98a2e970ca11fca7699d044fe

SHA512
aed56d238869ad7179bf91ccc835db86cf50505622138cf37cdec094676e742f2e2d36bafea28752cf7b7698011c54e0617cd434c0f0ab1e95c66ce0afbb1ddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ceEvUqANHQa\_Files\_Information.txt

Filesize
4KB

MD5
b80dbcce75dc3d35631c5e86b11470b5

SHA1
92221e1420bd40aa49ebc36734d80f16c65ccbcb

SHA256
35c14e2799810a322e292d7ac473f87089eef36b924e8055967b920b86f9281b

SHA512
8302c04bd93587f4bc5ea9dbfd818a93c6be656d3ecded6549f20501cafa0f4a4fae86fd81d3a95126353c4e7a16c06cb23d0bbbdba1014a38ec8cec54b00c5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ceEvUqANHQa\_Files\_Screen_Desktop.jpeg

Filesize
46KB

MD5
20abcb798df72082d69bf1e23d335785

SHA1
3e47d560d1a781a6f50b9e1d3672da3fcfc79a84

SHA256
8b8fa0747ae14a052b332476cb3c6bd15bd5c225875ee99869411a14437c4a81

SHA512
8d28233eaaced2e6dff3a07b836e69b42e91ac80f094b7ad7c3ff12b9f2b47d9665ad02fd2272bcb94037b7deaaf055e4f165f3aa3516127451cfe38f1167d7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ceEvUqANHQa\files_\system_info.txt

Filesize
1KB

MD5
b60c0505e541b266cfec3728ed559c91

SHA1
cdb9e8ccdba571950c80ee3d52baa1277e82cb46

SHA256
a94d168c3f68a6c7290ca1bad3a32a4a039a9bfe6d04bfedd250a9a24b6e3530

SHA512
8c5296f78973088367706c4a976c65d81b2d9ac225c7d8d5a6c38660e0310bf7931c513c4da1aa0e6fdbaa0fd9b2f937280cd86f541b747115a34046b9082245

Download Submit
C:\Users\Admin\AppData\Local\Temp\ceEvUqANHQa\files_\system_info.txt

Filesize
7KB

MD5
6a13454c9c0e1c3daad66903b0ed0102

SHA1
0c04346a43bc61446596ac57fc8921863a645146

SHA256
5aa8a7429789a7862cac23cfa9e3929adb2f5b70885f73d4836eb42ce2229502

SHA512
a05e8f4ed5160163e3ece84ded338a32ba38f0e1eb5cf2fcb81c1a2f80d37683c15df4a9e0b6227328248966ef5f3f4ac9394f8caaa72886ff2a146d47ff8e15

Download Submit
memory/3180-21-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/3180-29-0x0000000004790000-0x0000000004875000-memory.dmp

Filesize
916KB

Download
memory/3180-27-0x0000000004790000-0x0000000004875000-memory.dmp

Filesize
916KB

Download
memory/3180-26-0x0000000004790000-0x0000000004875000-memory.dmp

Filesize
916KB

Download
memory/3180-25-0x0000000004790000-0x0000000004875000-memory.dmp

Filesize
916KB

Download
memory/3180-239-0x0000000004790000-0x0000000004875000-memory.dmp

Filesize
916KB

Download
memory/3180-24-0x0000000004790000-0x0000000004875000-memory.dmp

Filesize
916KB

Download
memory/3180-23-0x0000000004790000-0x0000000004875000-memory.dmp

Filesize
916KB

Download
memory/3180-22-0x0000000004790000-0x0000000004875000-memory.dmp

Filesize
916KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads