cryptbot | 20f73e57b047b1b45f2537f0780b17cd5ad2324a60bacfd05ebf796f8ff51da3

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
16-04-2024 04:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f2bd0df5311675a26219beb6a7ecf4c3_JaffaCakes118.exe
Size

1.5MB
MD5

f2bd0df5311675a26219beb6a7ecf4c3
SHA1

a7bd8e4857dfbb5186f822868422a25628c8981c
SHA256

20f73e57b047b1b45f2537f0780b17cd5ad2324a60bacfd05ebf796f8ff51da3
SHA512

756052c3ddce25b2987464d01f2532ecd1b876ee279a2ac6c09cb725819bcfcb986dc1ad029747ccef27ab284c25c252151f9fb5ceecaa6b6d6fe7f7075bf14d
SSDEEP

24576:KGFBn/Vm6itNg/LpSxvsfC3KIZGhbOvYbCXOg8EpGw65lMuwDS14fbUaEmAlUEFn:FFBnNmlCjoxZZdvYbCXOTzwWvwG10bC+

Score

10^/10

cryptbot discovery persistence spyware stealer

Malware Config

Extracted

Family

cryptbot

ewazda75.top

moraiw07.top

Attributes

payload_url
http://winfyn10.top/download.php?file=lv.exe

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2152-25-0x0000000003E70000-0x0000000003F13000-memory.dmp	family_cryptbot
behavioral2/memory/2152-26-0x0000000003E70000-0x0000000003F13000-memory.dmp	family_cryptbot
behavioral2/memory/2152-27-0x0000000003E70000-0x0000000003F13000-memory.dmp	family_cryptbot
behavioral2/memory/2152-29-0x0000000003E70000-0x0000000003F13000-memory.dmp	family_cryptbot
behavioral2/memory/2152-243-0x0000000003E70000-0x0000000003F13000-memory.dmp	family_cryptbot

Executes dropped EXE 2 IoCs

Processes:

Obliare.exe.comObliare.exe.com

pid process

1188 Obliare.exe.com
2152 Obliare.exe.com
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1188	Obliare.exe.com
2152	Obliare.exe.com

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

f2bd0df5311675a26219beb6a7ecf4c3_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f2bd0df5311675a26219beb6a7ecf4c3_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Obliare.exe.com

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Obliare.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Obliare.exe.com

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2196 PING.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Obliare.exe.com

pid process

2152 Obliare.exe.com
2152 Obliare.exe.com

pid	process
2196	PING.EXE

pid	process
2152	Obliare.exe.com
2152	Obliare.exe.com

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

f2bd0df5311675a26219beb6a7ecf4c3_JaffaCakes118.execmd.execmd.exeObliare.exe.com

description	pid	process	target process
PID 3868 wrote to memory of 5068	3868	f2bd0df5311675a26219beb6a7ecf4c3_JaffaCakes118.exe	dllhost.exe
PID 3868 wrote to memory of 5068	3868	f2bd0df5311675a26219beb6a7ecf4c3_JaffaCakes118.exe	dllhost.exe
PID 3868 wrote to memory of 5068	3868	f2bd0df5311675a26219beb6a7ecf4c3_JaffaCakes118.exe	dllhost.exe
PID 3868 wrote to memory of 2108	3868	f2bd0df5311675a26219beb6a7ecf4c3_JaffaCakes118.exe	cmd.exe
PID 3868 wrote to memory of 2108	3868	f2bd0df5311675a26219beb6a7ecf4c3_JaffaCakes118.exe	cmd.exe
PID 3868 wrote to memory of 2108	3868	f2bd0df5311675a26219beb6a7ecf4c3_JaffaCakes118.exe	cmd.exe
PID 2108 wrote to memory of 856	2108	cmd.exe	cmd.exe
PID 2108 wrote to memory of 856	2108	cmd.exe	cmd.exe
PID 2108 wrote to memory of 856	2108	cmd.exe	cmd.exe
PID 856 wrote to memory of 4428	856	cmd.exe	findstr.exe
PID 856 wrote to memory of 4428	856	cmd.exe	findstr.exe
PID 856 wrote to memory of 4428	856	cmd.exe	findstr.exe
PID 856 wrote to memory of 1188	856	cmd.exe	Obliare.exe.com
PID 856 wrote to memory of 1188	856	cmd.exe	Obliare.exe.com
PID 856 wrote to memory of 1188	856	cmd.exe	Obliare.exe.com
PID 856 wrote to memory of 2196	856	cmd.exe	PING.EXE
PID 856 wrote to memory of 2196	856	cmd.exe	PING.EXE
PID 856 wrote to memory of 2196	856	cmd.exe	PING.EXE
PID 1188 wrote to memory of 2152	1188	Obliare.exe.com	Obliare.exe.com
PID 1188 wrote to memory of 2152	1188	Obliare.exe.com	Obliare.exe.com
PID 1188 wrote to memory of 2152	1188	Obliare.exe.com	Obliare.exe.com

C:\Users\Admin\AppData\Local\Temp\f2bd0df5311675a26219beb6a7ecf4c3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f2bd0df5311675a26219beb6a7ecf4c3_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3868

C:\Windows\SysWOW64\dllhost.exe
dllhost.exe
2⤵
PID:5068

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Tese.cda
2⤵
- Suspicious use of WriteProcessMemory
PID:2108

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^SkrprNmxsapVXgwQJIfBGsUyrxvnNVjZIUgrROXCmqXbKCPONriyOFRAsXuJsqHvuphrqXYVLNeFxvcAEILJNukeeNMTIhknzBsAgMNPyjzqDkuV$" Far.cda
4⤵
PID:4428

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Obliare.exe.com
Obliare.exe.com q
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1188

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Obliare.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Obliare.exe.com q
5⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
PID:2152

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 30
4⤵
- Runs ping.exe
PID:2196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1040 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:3180

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1sgwqg5\EQtOTjbkayaSca.zip
Filesize
252KB

MD5
db6c142a55f0a9a259e95c3eab1b45ac

SHA1
de8e619e661b329c1f618cb16864245ff211110c

SHA256
093ae3706deb63dc1a85be177f631e7fb3e8df52a4f9e681b2aa6f2601ada58c

SHA512
36aa1a2df335e91478fc431be768bc970e4a5d95ee00e1f15540938038691223a6a9a6e1a6ff46f5bfc0a88cbb2987ae90fa06941bf704ff3348b5396f99f402

Download Submit
C:\Users\Admin\AppData\Local\Temp\1sgwqg5\_Files\_Files\OutRestore.txt
Filesize
208KB

MD5
5122aaf43b327229ebb3082972f1b5ca

SHA1
da82ab8ea98a673d7417885b6577a46402fabacf

SHA256
bf53a60320b7a7c19019013ad73084023d47ddd95cd507295a3e0e0d4a5b564a

SHA512
f9b6ea25da1e344609e432ed73263ad63fe37b1716d6f20b3bf56c94349b6338557e7974bc0af9b4618ef6b316b3236773eb4b824e52206030528beaba57d247

Download Submit
C:\Users\Admin\AppData\Local\Temp\1sgwqg5\_Files\_Information.txt
Filesize
1KB

MD5
128958cfa4c06ddd467730e0c55653ff

SHA1
febf1f12dddc4fbff29940413fc30d3b094c5241

SHA256
9b7953da780b1273cbae924d33c911e4572119951ea77151d35b9c040ab25db6

SHA512
5d00d82a192e5fc9dd571afc210b82f7b7926dde5f1f84a2c0c72f0515a80eb74b9365fed4a6aff59dd7f03f4c33cbf5086aaf1604f3776808d97c573ee786dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1sgwqg5\_Files\_Information.txt
Filesize
7KB

MD5
e474882696c7dd6af21fb68f2feb5cd2

SHA1
7c57c9451fa2f421f123f99731bb07c1dbe0ffc4

SHA256
7cf9360228574ee2f1c5ea1bb477bb82c3336dfd679b22a784b9b9cfc4744e67

SHA512
d0bd7b1f21c09af303166f019b1fab5d2d750da7aaba2b813d31d9afc3b5ef03d984302187523138017f9bab74953ec9b53c5a0dc7eef1884cbeba64ccbee9d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1sgwqg5\_Files\_Screen_Desktop.jpeg
Filesize
49KB

MD5
2065ecf197b8f43dc88410331c1ffdb2

SHA1
3386427c254d797970a1f3cbae8e1d4a5e0578b0

SHA256
023d9538a6120d40c845d5777ef9a2fa112a173af73409b2be9759a6e9b000de

SHA512
86e1aa22f888db245e45fd084c09a5870135ada1d3796a824010610a0228ba93ee58ba00e45020e4710f711696d742c3f920ed48c85b3415b9dba32b96d477dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1sgwqg5\files_\system_info.txt
Filesize
698B

MD5
8232844a13abae5a3d7fa0945fdc91cc

SHA1
d0953f1dcc1be92192e8aec5447359b8fb9f4fd0

SHA256
d3d4ba1d058d381157497af3abb752d69f34bd13fcf00c0399bae67c74bd03fd

SHA512
fa92f7eb750e15dc89c435ac2edd19ca1fce3d3547169d2838d7e496a8e903734b3eeb73d4651acadf80e4383f472ec3485555942f57e5087fbe90b75a3292c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1sgwqg5\files_\system_info.txt
Filesize
1KB

MD5
cea2d71ece6389ff3d369eed35b999ba

SHA1
f48483538cbf38c519029e9eed40904862ae7343

SHA256
323edfbc4ec2137d1596888791fd457a5c022a720eeb10ebe1d9be77c3966aed

SHA512
1126b2a050ac211ade13090e75503c1b6fe4a7c26c332f4b523000b8a325fbbb6ed4744f219a37cd6fe5e4e6528616639b5b7d0a747b35d8003c7da880978ede

Download Submit
C:\Users\Admin\AppData\Local\Temp\1sgwqg5\files_\system_info.txt
Filesize
7KB

MD5
a94caf88b5b8ecd2c0246e0a4ad3d86a

SHA1
347b8083c90466f4b2678c2dc5f7bc97209ca0fd

SHA256
044a1cd8f9f64ecc628f62396cd49d898ecd9759e452e8852409b029633de3ae

SHA512
94d287ef51fbe4c11841808550bd9c51c3d9370f9ff721d49adc527723349093f1747b905ccf458aa4fffa3bb73822236fdd5e4120682362b8511a1bec85f459

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Far.cda
Filesize
872KB

MD5
e8965baeaf038d5abe64c8eb90cc3e19

SHA1
d1e45c2432106e09625c70f0d3c456fca26132ff

SHA256
b6d20957a61943a9bc2f6ace4170a5c631c774e35d22382cc6f60c39514ffbae

SHA512
1f4eda3751d27df9b702ce6a1c1471307a3e7947ff9959ea895fab19d34057e68868d6e93712bfe3aa4ef8cab663c13c51a04412de6173a7c4f87db5d4d1e333

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Obliare.exe.com
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sogni.cda
Filesize
634KB

MD5
33ea431acdc54eb20055057f41e6fc6e

SHA1
efdc7197e542a048873b464640abf48bde6e0855

SHA256
39afe9026b4c30249948f45bb4a1fcadba83642b5af0e7da03583ef58a8e10d1

SHA512
59b1dc7ca075c14520068bd9eadcbb6c561b182190671edc1b3f0426db7e4d95e4e950b1aa788b52386f96d2ddb523a6c447ddb6b6b8757fb16f0bec612e1567

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Splendore.cda
Filesize
745KB

MD5
1bbdc57424a53f6a10b2692db95066a8

SHA1
1ce47faa742a4312abd9ee1d6e67ad04b45afae2

SHA256
4ca0f711bdef0fdcd6dfc84fa03189555afe30e7c335a243e89bf702d9892e46

SHA512
9dc675231c47bcb3d60c054f72a1c198cc490f88ed49f781bb679166913694782b43d732107738fb99cb2a74c90fd84503c19dcb10a0971518061af8cc956d4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tese.cda
Filesize
459B

MD5
05e2ab200a15fe20d618c59990c8b9f3

SHA1
ceb19d0006b3372187582f880242fb718046fc8a

SHA256
bdc88dfbfe456b5b1c21bd69e8588654e7a7c2105f740cade301e0f91a5795db

SHA512
1a3f3538aaea1092ad6fe1c633f8dbe5e669cf88bf3f750c82d517713011387da3a76e4c8fd8c3a355decb4e1b532bb22f852e5ddb4b9d6b74c0090ab806d332

Download Submit
memory/2152-21-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/2152-29-0x0000000003E70000-0x0000000003F13000-memory.dmp

Filesize
652KB

Download
memory/2152-27-0x0000000003E70000-0x0000000003F13000-memory.dmp

Filesize
652KB

Download
memory/2152-26-0x0000000003E70000-0x0000000003F13000-memory.dmp

Filesize
652KB

Download
memory/2152-25-0x0000000003E70000-0x0000000003F13000-memory.dmp

Filesize
652KB

Download
memory/2152-24-0x0000000003E70000-0x0000000003F13000-memory.dmp

Filesize
652KB

Download
memory/2152-23-0x0000000003E70000-0x0000000003F13000-memory.dmp

Filesize
652KB

Download
memory/2152-243-0x0000000003E70000-0x0000000003F13000-memory.dmp

Filesize
652KB

Download
memory/2152-22-0x0000000003E70000-0x0000000003F13000-memory.dmp

Filesize
652KB

Download