cryptbot | c6145d071ca19409a854d7c94cd3da92a50db5561a747ea29fda9e7a734678f1

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08-04-2024 02:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e667be12287ccb2fddbc1644e0b4ec76_JaffaCakes118.exe
Size

768KB
MD5

e667be12287ccb2fddbc1644e0b4ec76
SHA1

7b4a31d9d7cef13d648b3fa51c547fcb23c66b8d
SHA256

c6145d071ca19409a854d7c94cd3da92a50db5561a747ea29fda9e7a734678f1
SHA512

82ecef0e88aca89efac381dde32f201553b8a770e480ba9c851c493fd6fa2e10a4eac933581b0e61269a3f653748a8688c87493a316a3de84ae0081cfaa4cd59
SSDEEP

12288:k0B3qFl33VV2yJYhm1M4GBJQnX1cOW1y40KJnmSjLbzAqMCvKOnxEuui:nBKf20wmy4IZv1V06nmSLzAzF8xEX

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Extracted

Family

cryptbot

ewadmw53.top

morexn05.top

Attributes

payload_url
http://winorm07.top/download.php?file=lv.exe

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4848-2-0x0000000005000000-0x00000000050E1000-memory.dmp	family_cryptbot
behavioral2/memory/4848-3-0x0000000000400000-0x00000000032BC000-memory.dmp	family_cryptbot
behavioral2/memory/4848-228-0x0000000000400000-0x00000000032BC000-memory.dmp	family_cryptbot
behavioral2/memory/4848-230-0x0000000005000000-0x00000000050E1000-memory.dmp	family_cryptbot

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e667be12287ccb2fddbc1644e0b4ec76_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	e667be12287ccb2fddbc1644e0b4ec76_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4016 4848 WerFault.exe e667be12287ccb2fddbc1644e0b4ec76_JaffaCakes118.exe

pid	pid_target	process	target process
4016	4848	WerFault.exe	e667be12287ccb2fddbc1644e0b4ec76_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e667be12287ccb2fddbc1644e0b4ec76_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	e667be12287ccb2fddbc1644e0b4ec76_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	e667be12287ccb2fddbc1644e0b4ec76_JaffaCakes118.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

964 timeout.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

e667be12287ccb2fddbc1644e0b4ec76_JaffaCakes118.exe

pid process

4848 e667be12287ccb2fddbc1644e0b4ec76_JaffaCakes118.exe
4848 e667be12287ccb2fddbc1644e0b4ec76_JaffaCakes118.exe

pid	process
964	timeout.exe

pid	process
4848	e667be12287ccb2fddbc1644e0b4ec76_JaffaCakes118.exe
4848	e667be12287ccb2fddbc1644e0b4ec76_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

e667be12287ccb2fddbc1644e0b4ec76_JaffaCakes118.execmd.exe

description	pid	process	target process
PID 4848 wrote to memory of 1360	4848	e667be12287ccb2fddbc1644e0b4ec76_JaffaCakes118.exe	cmd.exe
PID 4848 wrote to memory of 1360	4848	e667be12287ccb2fddbc1644e0b4ec76_JaffaCakes118.exe	cmd.exe
PID 4848 wrote to memory of 1360	4848	e667be12287ccb2fddbc1644e0b4ec76_JaffaCakes118.exe	cmd.exe
PID 1360 wrote to memory of 964	1360	cmd.exe	timeout.exe
PID 1360 wrote to memory of 964	1360	cmd.exe	timeout.exe
PID 1360 wrote to memory of 964	1360	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\e667be12287ccb2fddbc1644e0b4ec76_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e667be12287ccb2fddbc1644e0b4ec76_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4848

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\apHveiPeFIWsF & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\e667be12287ccb2fddbc1644e0b4ec76_JaffaCakes118.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\SysWOW64\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 1304
2⤵
- Program crash
PID:4016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4848 -ip 4848
1⤵
PID:4844

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\apHveiPeFIWsF\BFONLK~1.ZIP
Filesize
867KB

MD5
6fd2c5feb27cd81752775996baa918a9

SHA1
147bb5dde0a65da47318a05e0aeb914537482598

SHA256
4f6fed26c1e9a71143d4784a609ffea61ecd6b94ae577379b7a9e5cb8b3bc0f6

SHA512
a4d839135dc40d438ed99e4264c1e4f14258ed3bd83b45bd0722035d94edb36e2a5f6997c8b32546868d7ea95a6bf9a987a76f1ff9e8219615a507fd87468269

Download Submit
C:\Users\Admin\AppData\Local\Temp\apHveiPeFIWsF\WPMQBA~1.ZIP
Filesize
867KB

MD5
570212bf3a8ec7407c5ca1b8af51742d

SHA1
5b91b6cbd61a99bf3c665a213a1b070fe340a7f7

SHA256
6a7ff2880eae8f2f2b0bfec0f5a6bdd281d163aef2b69b0facca5f3cdb81bbbc

SHA512
4bf4928e568fefd7fbaf547e7d8b15652cb4287720d237fa20d6ec886f1a262b4b7c1759f18af385bb76b1501377bbf5ecf5a6770731e77f203ecda130b3d29a

Download Submit
C:\Users\Admin\AppData\Local\Temp\apHveiPeFIWsF\_Files\_Files\GrantSubmit.txt
Filesize
822KB

MD5
6a0587c3738a8137627530eeda52c628

SHA1
15ec1915cdf9983ec505d493420d70b1f1163c20

SHA256
d608b8002a27a6b9e522846a82812e20d511e376509f35232215e2314fab336c

SHA512
5669fb2b5e0990acbb5d719df4d2963fc5ee993de1557335cdbcbcb8aa96c5a13b6a01c7c57f7727d285183a6273ee4802886c126b4a7689ab5864e91ee3ab6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\apHveiPeFIWsF\_Files\_Information.txt
Filesize
2KB

MD5
b2d9e0df087e2b5ba8b95ad1875670a2

SHA1
297f4f55504e087fa56558417644681928fd2947

SHA256
ce7a7b988c8fc923610e15c9298e1a6f21b5bbd8439b7f6983b86f5a241c487f

SHA512
0bd459b2d4aa3fc0962da9a7f56b1de08d1d3ac682b8a86dd601c9c5f6278ef93fef292c0ce51132b81232deb989214be9c335029a82192dcc7d75dbbede7caf

Download Submit
C:\Users\Admin\AppData\Local\Temp\apHveiPeFIWsF\_Files\_Information.txt
Filesize
7KB

MD5
dca3fcf4dfbe93b3c88e16ebc6dfb029

SHA1
94349eef2d9e17f3482a6dc87b80ffd610c17e9a

SHA256
8463ed6d872d7c23c517a71229197d61d4d2c315f37b8f320bd0ab15cb8d12d7

SHA512
db713843b7d5c385ab25ed65d3aa70287dbf496c341ea6f5a985773dce73383f4586018bc3738ca2c3a77e2987bd7ab37359099dc1110d180df98986c216114f

Download Submit
C:\Users\Admin\AppData\Local\Temp\apHveiPeFIWsF\_Files\_Screen_Desktop.jpeg
Filesize
49KB

MD5
9bbd99871a296abc9aeeaca810f62ead

SHA1
7ab634eda3d96ef94b7400674eb971b93a2aee94

SHA256
58021ff051a65ebe183efee5a4fb1db9ada496894a767e592ae3552a30f6536f

SHA512
6e05c64a1d1d5b197af131d8aec868038b15402d1003d79379a47030a1291eb24c9e75ba4eeef93497422488f5bb764b0d8bcc1b1fe45ad16794fc4992d93c55

Download Submit
C:\Users\Admin\AppData\Local\Temp\apHveiPeFIWsF\files_\system_info.txt
Filesize
1KB

MD5
3e4e3fccf66716a3568f3f4e3a88ef0d

SHA1
2203b16103274c787ed6fdfb75a34c3ab5cdce7e

SHA256
1ad7bd5158fab69f8b7fec5fb926258b75217e74a6c7f00a1ce72a45a3f32fb0

SHA512
6dacb5713bc823187bc8dbabf0a53be10cce3ecef3d5c6152d474c8f8e8a952c3a04f3d93aa708a85b5c238ba0b54595c6ae4affb48545d0ed2c4d65bb99033f

Download Submit
C:\Users\Admin\AppData\Local\Temp\apHveiPeFIWsF\files_\system_info.txt
Filesize
2KB

MD5
9396f6843fe636d2f8aaf999cdfc170c

SHA1
f16246187604e6d0abe036253e0172772b4fe737

SHA256
6b2c883415524b7ec36e25e955cee43641355f755206a8651b3c467f96cf454a

SHA512
3282f5ba198e545aca2d440e5fe8c8661fe2d50cc74bf523d31d16134c6a60abf39710ec7a981e65ce44d1961bd67ea70203d5089604a3685051e403ad461dc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\apHveiPeFIWsF\files_\system_info.txt
Filesize
7KB

MD5
1651131e966f925ecc063e64db4d9162

SHA1
57384bc1f7637068c70f2372f043eb7976552bb5

SHA256
f788f010acb7d82f6ed69152464147cc30c2504df7f1cd2b88aa8d068c886ee0

SHA512
2dfa540d7577df58a244f25cdfce453eeaaf1b047c88a36684f55bdf8b115a9d4381c5ba4cf5eab2efd5dc473c8e9cd3bfdb3a6fccb4b40a4d76274a7a8f48a8

Download Submit
memory/4848-2-0x0000000005000000-0x00000000050E1000-memory.dmp

Filesize
900KB

Download
memory/4848-3-0x0000000000400000-0x00000000032BC000-memory.dmp

Filesize
46.7MB

Download
memory/4848-1-0x00000000032E0000-0x00000000033E0000-memory.dmp

Filesize
1024KB

Download
memory/4848-228-0x0000000000400000-0x00000000032BC000-memory.dmp

Filesize
46.7MB

Download
memory/4848-230-0x0000000005000000-0x00000000050E1000-memory.dmp

Filesize
900KB

Download