cryptbot | 6b9e4d4db87e97bddd7428853a603b4cf3de855b1016523bade50bc88904eca2

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12-04-2024 00:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eeb62173d7b2f4d2719c16b1dc2809fe_JaffaCakes118.exe
Size

574KB
MD5

eeb62173d7b2f4d2719c16b1dc2809fe
SHA1

acc4c9e1901a3fb601ce2f4e002023a2d8f3d556
SHA256

6b9e4d4db87e97bddd7428853a603b4cf3de855b1016523bade50bc88904eca2
SHA512

445ba6a41c46bcc86a815a6e293e40e5c7d9fddf91aaf0995791c30f55b0ef1c4fbf45a7a969c07226dcf8c12f2349d355186d11e196345add842cd2f55c7925
SSDEEP

12288:1XW3sCPAMQi9JUK0cxlrS0R+gNrWL3hSh9ak87ti0WMRxwoO:1m8CPAduU5cxMHl3ho9ak87tdp

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Extracted

Family

cryptbot

haiezf32.top

morcyr03.top

Attributes

payload_url
http://zelstb04.top/download.php?file=lv.exe

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1712-2-0x00000000044E0000-0x0000000004580000-memory.dmp	family_cryptbot
behavioral1/memory/1712-3-0x0000000000400000-0x0000000002CC7000-memory.dmp	family_cryptbot
behavioral1/memory/1712-221-0x0000000000400000-0x0000000002CC7000-memory.dmp	family_cryptbot
behavioral1/memory/1712-226-0x00000000044E0000-0x0000000004580000-memory.dmp	family_cryptbot

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

eeb62173d7b2f4d2719c16b1dc2809fe_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	eeb62173d7b2f4d2719c16b1dc2809fe_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	eeb62173d7b2f4d2719c16b1dc2809fe_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

eeb62173d7b2f4d2719c16b1dc2809fe_JaffaCakes118.exe

pid process

1712 eeb62173d7b2f4d2719c16b1dc2809fe_JaffaCakes118.exe
1712 eeb62173d7b2f4d2719c16b1dc2809fe_JaffaCakes118.exe

pid	process
1712	eeb62173d7b2f4d2719c16b1dc2809fe_JaffaCakes118.exe
1712	eeb62173d7b2f4d2719c16b1dc2809fe_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\eeb62173d7b2f4d2719c16b1dc2809fe_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eeb62173d7b2f4d2719c16b1dc2809fe_JaffaCakes118.exe"
1⤵
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
PID:1712

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4kK0dXGjUr\UO7choQq0SB.zip
Filesize
38KB

MD5
7050981893e7b9bb7fed74e98269cc3d

SHA1
923e9564aeca8a88fab16c455409fa19cc85002d

SHA256
92ef23152a72e67e913e6a93c567be5f38acd8bafc9bea197f59a84384c791e6

SHA512
5e4d549d160a2ec44d9a6c1cdd33ae1ccafdd5e63b36c321f2ff997e3d39e0786613dacef8c3694dae7d244ffba1501ddd54cdd598b47599eeccc4dec28b6593

Download Submit
C:\Users\Admin\AppData\Local\Temp\4kK0dXGjUr\_Files\_Information.txt
Filesize
1KB

MD5
19d2425b6ee2f716fd87f3cb2a1e4e48

SHA1
324c2fd9c85a81ffcbaf578cdc832b584a07c56a

SHA256
48ca06046f83b94366ddc9a643b78e1eef51cba468fdd0e15d0903c91f5ae0a3

SHA512
46ef339e635eb16482e8af26b024dd854fa1bd867c03ce9597d2733c9aa63a679d0e167ec4954f25bbfa276c4251f4d1ed3cf3b01ef5bc47624c4b56c0ae730e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4kK0dXGjUr\_Files\_Information.txt
Filesize
3KB

MD5
19d7024a7af8e9ac227e3ff06ed4d974

SHA1
c37e94c646cdf9193f93e5a423f708a2b0de856e

SHA256
a52660697b3b2ed9c62038cc1a1eb1718c7c8e81df4ef0bc9c274f280893ee9a

SHA512
ab2a8ac35e2cb9bf1302638fba827a25bd27392033ffae156a5cb10d0511c787b2868143e6b5d3a819e3a5669636949afc547359b6d846d4f7baa2969209683d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4kK0dXGjUr\_Files\_Information.txt
Filesize
3KB

MD5
8a1c99664cc67a2027f346bd7f02da38

SHA1
ea3cbc3a28dff54e8deca84c602650e7abeb8312

SHA256
cc9f199c396ad4e9b3bf5f81a0fe8e8b64c654346865f0fdb85d8aa42c9bf8e8

SHA512
a534d1435b6f890ee5014d96d192d58b5b596a86d6ba42236d67ae8a5e6f99fe4e8af64ab765907c64240b0f829c4591dc8a64f66c8449708cf2abded0cf45bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\4kK0dXGjUr\_Files\_Information.txt
Filesize
4KB

MD5
27ace02fa5b8743bf8f17fbc1c8ea0fa

SHA1
0606cb5ef4c26b12fe4f3a13bd9f5b6e08046717

SHA256
b4ebf11d989af8f6f948006d74f35df236767fb864916b87e628833c4edee677

SHA512
81ba6a74918518ec1330798d05ad42b1206c3d86240cac5ef28cf640be16eb1b66f68984cc1368bc49706d4d58fdda2c720a634957ea0446666bcbe5daae59c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\4kK0dXGjUr\_Files\_Screen_Desktop.jpeg
Filesize
45KB

MD5
2863ab06c8b35a11d16b2f7e6d8cd318

SHA1
d87c2a8b3c5ab8c8d7c80549028bfb3eb10d47fc

SHA256
c2881dc1190389cdc9e53116790877b0af4a1b969a461641dfc679c6d29c0cdc

SHA512
219de601c498a4f729da97fd2317925fe4668654d1796425c55ff597f88aa92d02edc0205dbc4a109eaacbdedf457a5fc823a814dd8843a97df43354f620b55b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4kK0dXGjUr\files_\system_info.txt
Filesize
1KB

MD5
6d79e38ff784c5c61c7c49eb2f35779d

SHA1
12dcb6123795ed10d116228bcf1082a7fcfbf428

SHA256
9e29091b7873614c7fb7cb41961a7b75c91ae92301f08ba7c446b5e403da7e4c

SHA512
3a91c7da9a03ee9e5ed9944513f71d2cd58d2eda671b6cf49468049cf5ab4376d9a1c306b93dc6e09a81bf9061a8b18499b357866b84198662135bc178613d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\4kK0dXGjUr\files_\system_info.txt
Filesize
3KB

MD5
917ad0bf2e7826ad4c61d297c27d77f5

SHA1
39e7327ae48b74abc6dd3a961b5d9f6afb589d43

SHA256
75b10822ce35475c817b761f43168c7228cbf21521288fbf0edde283694f0bfa

SHA512
2d4b5818315d6ba0c7da33ddac30eab849e74e49281913084f10fbc0f340bdf7b16ca02b22ad4a0771a6db3f9a5d425c919bf88e52e8da875cb5287bf33513bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\4kK0dXGjUr\files_\system_info.txt
Filesize
5KB

MD5
696ba71017f9f461dcf5b8221b64d31d

SHA1
5b95cbe174c864bbf7d85492d0bd1825c93521d1

SHA256
9f85420b37206bc868ffaab15edc58ecc82236427a50a24efcd2366a085744d6

SHA512
9d13a6945a1ab3e3430618047f2393f9b0a5114c1b4b455c91d026b8ba8363c252f48eb9e7d521f35978c76429e3c56354c450cdef50da8f7e377a2c7f18912e

Download Submit
memory/1712-4-0x0000000002D90000-0x0000000002D91000-memory.dmp

Filesize
4KB

Download
memory/1712-1-0x00000000002B0000-0x00000000003B0000-memory.dmp

Filesize
1024KB

Download
memory/1712-3-0x0000000000400000-0x0000000002CC7000-memory.dmp

Filesize
40.8MB

Download
memory/1712-221-0x0000000000400000-0x0000000002CC7000-memory.dmp

Filesize
40.8MB

Download
memory/1712-223-0x00000000002B0000-0x00000000003B0000-memory.dmp

Filesize
1024KB

Download
memory/1712-226-0x00000000044E0000-0x0000000004580000-memory.dmp

Filesize
640KB

Download
memory/1712-227-0x0000000002D90000-0x0000000002D91000-memory.dmp

Filesize
4KB

Download
memory/1712-2-0x00000000044E0000-0x0000000004580000-memory.dmp

Filesize
640KB

Download