cryptbot | 7ef4fa243476257544a992beb265e6f26ea3a3f439488d27bd9700cae2199ae8

Analysis

max time kernel
147s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11-04-2024 04:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ecb1af6d6c9818c93ffb5c9a54ea9a8a_JaffaCakes118.exe
Size

1.6MB
MD5

ecb1af6d6c9818c93ffb5c9a54ea9a8a
SHA1

c74e20b6423d7536429ff8593c45ab6b999e473b
SHA256

7ef4fa243476257544a992beb265e6f26ea3a3f439488d27bd9700cae2199ae8
SHA512

4f5f1276b260face9b05a1c51eca4ec2d277303ffba6208ead7ed901299555705de8b50cff4dca4f2bd874d756e41a813503943c415e528d28607327b079037d
SSDEEP

49152:1YNosFaoyKxdY4nT+kWQZQtZOby7D/YPBVQ3IBbiLoSG:1K5a6dJPWQQtZO2PmBVQ3I1iLoZ

Score

10^/10

cryptbot discovery persistence spyware stealer

Malware Config

Extracted

Family

cryptbot

Attributes

payload_url
http://ewsjasew03.top/download.php?file=lv.exe

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5060-26-0x0000000004030000-0x0000000004113000-memory.dmp	family_cryptbot
behavioral1/memory/5060-27-0x0000000004030000-0x0000000004113000-memory.dmp	family_cryptbot
behavioral1/memory/5060-28-0x0000000004030000-0x0000000004113000-memory.dmp	family_cryptbot
behavioral1/memory/5060-30-0x0000000004030000-0x0000000004113000-memory.dmp	family_cryptbot
behavioral1/memory/5060-238-0x0000000004030000-0x0000000004113000-memory.dmp	family_cryptbot

Manipulates Digital Signatures 1 TTPs 3 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

Processes:

certutil.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL"	certutil.exe

Executes dropped EXE 2 IoCs

Processes:

Illusione.comIllusione.com

pid process

2624 Illusione.com
5060 Illusione.com
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2624	Illusione.com
5060	Illusione.com

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ecb1af6d6c9818c93ffb5c9a54ea9a8a_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ecb1af6d6c9818c93ffb5c9a54ea9a8a_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Illusione.com

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Illusione.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Illusione.com

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4964 PING.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Illusione.com

pid process

5060 Illusione.com
5060 Illusione.com

pid	process
4964	PING.EXE

pid	process
5060	Illusione.com
5060	Illusione.com

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

ecb1af6d6c9818c93ffb5c9a54ea9a8a_JaffaCakes118.execmd.execmd.exeIllusione.com

description	pid	process	target process
PID 1840 wrote to memory of 2776	1840	ecb1af6d6c9818c93ffb5c9a54ea9a8a_JaffaCakes118.exe	cmd.exe
PID 1840 wrote to memory of 2776	1840	ecb1af6d6c9818c93ffb5c9a54ea9a8a_JaffaCakes118.exe	cmd.exe
PID 1840 wrote to memory of 2776	1840	ecb1af6d6c9818c93ffb5c9a54ea9a8a_JaffaCakes118.exe	cmd.exe
PID 1840 wrote to memory of 2796	1840	ecb1af6d6c9818c93ffb5c9a54ea9a8a_JaffaCakes118.exe	cmd.exe
PID 1840 wrote to memory of 2796	1840	ecb1af6d6c9818c93ffb5c9a54ea9a8a_JaffaCakes118.exe	cmd.exe
PID 1840 wrote to memory of 2796	1840	ecb1af6d6c9818c93ffb5c9a54ea9a8a_JaffaCakes118.exe	cmd.exe
PID 2796 wrote to memory of 2068	2796	cmd.exe	certutil.exe
PID 2796 wrote to memory of 2068	2796	cmd.exe	certutil.exe
PID 2796 wrote to memory of 2068	2796	cmd.exe	certutil.exe
PID 2796 wrote to memory of 4608	2796	cmd.exe	cmd.exe
PID 2796 wrote to memory of 4608	2796	cmd.exe	cmd.exe
PID 2796 wrote to memory of 4608	2796	cmd.exe	cmd.exe
PID 4608 wrote to memory of 1208	4608	cmd.exe	findstr.exe
PID 4608 wrote to memory of 1208	4608	cmd.exe	findstr.exe
PID 4608 wrote to memory of 1208	4608	cmd.exe	findstr.exe
PID 4608 wrote to memory of 2580	4608	cmd.exe	certutil.exe
PID 4608 wrote to memory of 2580	4608	cmd.exe	certutil.exe
PID 4608 wrote to memory of 2580	4608	cmd.exe	certutil.exe
PID 4608 wrote to memory of 2624	4608	cmd.exe	Illusione.com
PID 4608 wrote to memory of 2624	4608	cmd.exe	Illusione.com
PID 4608 wrote to memory of 2624	4608	cmd.exe	Illusione.com
PID 4608 wrote to memory of 4964	4608	cmd.exe	PING.EXE
PID 4608 wrote to memory of 4964	4608	cmd.exe	PING.EXE
PID 4608 wrote to memory of 4964	4608	cmd.exe	PING.EXE
PID 2624 wrote to memory of 5060	2624	Illusione.com	Illusione.com
PID 2624 wrote to memory of 5060	2624	Illusione.com	Illusione.com
PID 2624 wrote to memory of 5060	2624	Illusione.com	Illusione.com

C:\Users\Admin\AppData\Local\Temp\ecb1af6d6c9818c93ffb5c9a54ea9a8a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ecb1af6d6c9818c93ffb5c9a54ea9a8a_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\SysWOW64\cmd.exe
cmd /c dOPsYvb
2⤵
PID:2776

C:\Windows\SysWOW64\cmd.exe
cmd /c certutil -decode Sorso.xltm Pallore.accde & cmd < Pallore.accde
2⤵
- Suspicious use of WriteProcessMemory
PID:2796

C:\Windows\SysWOW64\certutil.exe
certutil -decode Sorso.xltm Pallore.accde
3⤵
- Manipulates Digital Signatures
PID:2068

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Suspicious use of WriteProcessMemory
PID:4608

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^VagMWnXqBIFcKZdYcTQuiOWIjFBjSYnEBJsCtnoFZOuMjCNfLyEyGViicGmsXKiClqUqIOUWLkuzIlcJRjBNxaYFClubZRHgGDBk$" Sapro.vst
4⤵
PID:1208

C:\Windows\SysWOW64\certutil.exe
certutil -decode Subitanea.xlsx l
4⤵
PID:2580

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Illusione.com
Illusione.com l
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2624

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Illusione.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Illusione.com l
5⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
PID:5060

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
4⤵
- Runs ping.exe
PID:4964

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BbXUcQOXvv\_Files\_Information.txt
Filesize
1KB

MD5
7f61405e530a5f92af91aafe78c7a832

SHA1
c48aad7627b70ca6beddb95c4e7a524ad555439d

SHA256
2d5758970fcefe9163fd23b83ed2af5d9856d090290d6df547599169fb25c69b

SHA512
d68a00a796b996c4436e1129d4af0f02d0b1ae492cf10276679232b9218efbd7c7a037f16a4fbfabca8f13d45fd42473144119db084b6dc2611dc37a0f3dfa6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\BbXUcQOXvv\_Files\_Information.txt
Filesize
2KB

MD5
2dcd09067b9dd838b91ee26ffed31faa

SHA1
720829e4b68925924372cb4e1aa48152451ec8a0

SHA256
319e4427d6e285e9577dddbb5dd0b55468aa7a422eb230a0e15f962bf87a54a6

SHA512
e798b92a09ba4380c0220406ebbb362c426557e246828a7aad4aa9590112f02b34958d0623d0db27768109547b8d3aefedfeaf0505e530d7c6eedb096ae27cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\BbXUcQOXvv\_Files\_Information.txt
Filesize
3KB

MD5
a15f4f7325b991615543a77a733b9ea4

SHA1
74540e2c5c6b07dd0966828fd11277fba660eabc

SHA256
15005f5afde11fe356d0585de77205931d31587c5c4e48a09c38d395abeb4e6f

SHA512
c3119ec32eb3af6a48e02600476b1f0dd62eb9d939ac61e7bdfa6ab5e2ec5c9746551988ca233cbe47e9d312d09fe6f2e48ee3923d568d09a9fee9f945f8813a

Download Submit
C:\Users\Admin\AppData\Local\Temp\BbXUcQOXvv\_Files\_Information.txt
Filesize
7KB

MD5
f46d4914e812b22645c09996eb1e80b6

SHA1
fe836a0a9f44639ac0683d066e68a929c46f988a

SHA256
6c473c10b1c79213b480ade4ed0b370600e33e27237075a6b3acbdccb736febc

SHA512
67d63bb27f59514b019ab45b268b0ca1af118fc548607fe293630735127e3aeb73e05ba96ad2a4e98d1fbfb206534e72ce5fec5e5302d15006333befa533aa28

Download Submit
C:\Users\Admin\AppData\Local\Temp\BbXUcQOXvv\_Files\_Screen_Desktop.jpeg
Filesize
49KB

MD5
9f318bf7dfae6defa2b788f23933434c

SHA1
c561a9b19870456d825724494a28a70826c4580b

SHA256
54c874b4611898dd5bda810f65730377c03eaa2f77e136d5a551ad4671914da4

SHA512
30e2cb574cc337ac8bcaf41bc7cdf048e2ad1c5c00aee0277ac73b7a0f8de13896dd115298986bc513db8a6f5d5e98edbc029fcb1f29770f09ba6c61cd71e9e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\BbXUcQOXvv\files_\system_info.txt
Filesize
1KB

MD5
bd94b87af60d4e77736a045cf78fc3b5

SHA1
edbfd0382f677706db71e7236932e76f8e69de8f

SHA256
dceb681a6456883581c0986d5a778a70bd5bf0454407ffac2580c4d4cbf041f3

SHA512
22328b7aa15709eb37f6c7cf9a0f442278887d3d39dfe34e2f31cedf5f0fd41935a9fffb6ec8da2fa13cdf03d70dd9224bc005ea7c2fea906430c1e58474b0b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\BbXUcQOXvv\files_\system_info.txt
Filesize
1KB

MD5
f8bf07e60b0c9b03569d732d41be8234

SHA1
06955567d8c016fef76ef1056e89ef30c49dd1f5

SHA256
04f575afce6355503b6fde2834bb42fca6ee1ce8c0a2f6aa9ffe5593126ecb3d

SHA512
184698e2d0fadcfe6a0bca6dc611bc00045f93097450d143b2e13c68c99d0a0a7befeaf5eec820d5443fcd75a25952e0e327be3fcac4d0363bbaf91b9beb5910

Download Submit
C:\Users\Admin\AppData\Local\Temp\BbXUcQOXvv\files_\system_info.txt
Filesize
4KB

MD5
24c1740722dab312b0079981abb726cb

SHA1
4962588ca76638cf85ff76b7938df719835f6677

SHA256
437dc2443e2af3ff803f4efcc74d7a86006403cae746b393143675e811bc4d3a

SHA512
f6f99922983feeb88c350133f130257106a181bff32b978f08d99e73dbbfd39803839a5c12a66ce808196b566899cd35656126735b87f9e8effec29c7bc82b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\BbXUcQOXvv\oTmbnaTfduvJFo.zip
Filesize
43KB

MD5
755caabd67925aa3b2013e1fccba4a5c

SHA1
2f04be1f0feea48236919e422283225156f87086

SHA256
6f9e497694533b895b68de3f22d05fcbc09b35a8562993b4b39449f037948f6b

SHA512
cd4fad5c3082b0c8884e2fd0024a4b75d2e99bf3d692dfab84f916490fae2176f056157a518841933c766d3d90738fce7463e1103bd4195dba3742cbd0c5fbe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Aveva.vss
Filesize
888KB

MD5
970b6737c469629d6a289d1c1ff45a62

SHA1
c94b7d73545fcfebf16d74864816de0083448afc

SHA256
6d93374eed3e39ed112d76647c8df9a0a4651970d0dec309a1370483ddd06864

SHA512
eabe5c49d52a31cda5b25e3aa8d02ff8f12eec1f02eb07818fcda6f186f87aa23ded297193ef5dcdb56bff7ea6ea42750753685a66d95e6b40a92ab0d8b63016

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Illusione.com
Filesize
921KB

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pallore.accde
Filesize
27KB

MD5
ff0a5d410cb9c7ac26fb826444110430

SHA1
999a5a7c1957091e2972974db59f02c7465e1d4a

SHA256
660bf9d18618e101d9f547ee57329731e8c36d9e6b41c22b8d2db5aceadf4e6c

SHA512
6958e216cb2b872f1df7626be10a097ef1ab8990a5cad354e2002f872acab0b162d55d882735c3f477a528cb41142f3254e68ae30b07a1ccf97e58c882c0c8cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sapro.vst
Filesize
921KB

MD5
524c5cb95000d79ff092ac1bbc834051

SHA1
9015a75614448901985a74caf632aca9742fb6f9

SHA256
797d9bb4e5dc777f4204fdb50ce85b3ed956e3e151c06e1d78d97663a81cd042

SHA512
6a9af9fc45e87ca35c447a409d554984820b11de2871b3ccfef9b46685055d979b17352b649dd6344f23566a1c1fe829c58994125c58b59622656dae0344a4e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sorso.xltm
Filesize
38KB

MD5
8ed844dfd87dade7cf42085edcbeed5b

SHA1
6a32bd4c765b720988105f155ff0f7ef24d4d635

SHA256
39960e1c7fe74e983fc1f3772a0fca8be5835d4928524dd56848b459c232756c

SHA512
26258c17fe26db165c583aa91ad33179dc5ed1069382e2dd25ed96b3061376e01bddf5dfc5ef1fdc3004741e87855bd31ddc99c0e0eb3732c575df402c1fd48c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Subitanea.xlsx
Filesize
655KB

MD5
6f738d19c97ad52482daaeb7dd740f56

SHA1
65c1a1e843906a8f557f9d83001d61925d9bc9d2

SHA256
85cd887056455ce2d4ac5ba252eec2baa91d1f0b75f30afec153bb02941fbb88

SHA512
01733aaa9a0234bedb3714e37fdf585e5b82ece6dc5a2ddc650c4a074fed94f0190fe538e097a8e69b5eba60764c726a5606f122dcba471e1a213baa56d13869

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l
Filesize
476KB

MD5
05eb879d18fb669c75062eef75a5c50d

SHA1
9aec8a888907ece2a20d184324d9d2f61b01e592

SHA256
911dd3e2748cea7b384f51b6c5d41a5d252533b32b299f4480ce23d3595f683d

SHA512
60c832b8a164a59535ace303bd55ecaca48c63d53c46be4e28e7a539f4fcc8327cae5cbeb529119edf862e521c52c3bc529bdd8c08070785847b333836af543b

Download Submit
memory/5060-28-0x0000000004030000-0x0000000004113000-memory.dmp

Filesize
908KB

Download
memory/5060-22-0x0000000001850000-0x0000000001851000-memory.dmp

Filesize
4KB

Download
memory/5060-23-0x0000000004030000-0x0000000004113000-memory.dmp

Filesize
908KB

Download
memory/5060-24-0x0000000004030000-0x0000000004113000-memory.dmp

Filesize
908KB

Download
memory/5060-30-0x0000000004030000-0x0000000004113000-memory.dmp

Filesize
908KB

Download
memory/5060-25-0x0000000004030000-0x0000000004113000-memory.dmp

Filesize
908KB

Download
memory/5060-27-0x0000000004030000-0x0000000004113000-memory.dmp

Filesize
908KB

Download
memory/5060-238-0x0000000004030000-0x0000000004113000-memory.dmp

Filesize
908KB

Download
memory/5060-26-0x0000000004030000-0x0000000004113000-memory.dmp

Filesize
908KB

Download