cryptbot | 816a1b2e626d2819767b6667b7e9ce51f704d98899ff4dc2e74db2dc537b9f64

Analysis

max time kernel
143s
max time network
146s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01-05-2024 23:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cd3d8724238e5bc80d2b890c56489ab_JaffaCakes118.exe
Size

2.3MB
MD5

0cd3d8724238e5bc80d2b890c56489ab
SHA1

cc6b11f8efe41593e7b9bf83af6c501ada065655
SHA256

816a1b2e626d2819767b6667b7e9ce51f704d98899ff4dc2e74db2dc537b9f64
SHA512

e24bcd0f26f6f82650c89d9e61335de3b040b7223c3a587b97f164d26012195920cc968920347b1a48e1178f56fc7ea27a7d8debe9fdf9b359af4413f25d24ae
SSDEEP

49152:udLroH9hYKB3ZkXUi934XElBgvAPJtyc+:uho91B3yXUKI0lX6c+

Score

10^/10

cryptbot discovery evasion spyware stealer

Malware Config

Extracted

Family

cryptbot

bibinene01.top

moraass05.top

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2928-4-0x0000000001370000-0x00000000018AB000-memory.dmp	family_cryptbot
behavioral1/memory/2928-222-0x0000000001370000-0x00000000018AB000-memory.dmp	family_cryptbot
behavioral1/memory/2928-224-0x0000000001370000-0x00000000018AB000-memory.dmp	family_cryptbot
behavioral1/memory/2928-225-0x0000000001370000-0x00000000018AB000-memory.dmp	family_cryptbot
behavioral1/memory/2928-226-0x0000000001370000-0x00000000018AB000-memory.dmp	family_cryptbot
behavioral1/memory/2928-228-0x0000000001370000-0x00000000018AB000-memory.dmp	family_cryptbot
behavioral1/memory/2928-230-0x0000000001370000-0x00000000018AB000-memory.dmp	family_cryptbot
behavioral1/memory/2928-233-0x0000000001370000-0x00000000018AB000-memory.dmp	family_cryptbot
behavioral1/memory/2928-235-0x0000000001370000-0x00000000018AB000-memory.dmp	family_cryptbot
behavioral1/memory/2928-238-0x0000000001370000-0x00000000018AB000-memory.dmp	family_cryptbot
behavioral1/memory/2928-240-0x0000000001370000-0x00000000018AB000-memory.dmp	family_cryptbot
behavioral1/memory/2928-242-0x0000000001370000-0x00000000018AB000-memory.dmp	family_cryptbot
behavioral1/memory/2928-244-0x0000000001370000-0x00000000018AB000-memory.dmp	family_cryptbot
behavioral1/memory/2928-247-0x0000000001370000-0x00000000018AB000-memory.dmp	family_cryptbot
behavioral1/memory/2928-249-0x0000000001370000-0x00000000018AB000-memory.dmp	family_cryptbot
behavioral1/memory/2928-251-0x0000000001370000-0x00000000018AB000-memory.dmp	family_cryptbot
behavioral1/memory/2928-253-0x0000000001370000-0x00000000018AB000-memory.dmp	family_cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

0cd3d8724238e5bc80d2b890c56489ab_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 0cd3d8724238e5bc80d2b890c56489ab_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0cd3d8724238e5bc80d2b890c56489ab_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0cd3d8724238e5bc80d2b890c56489ab_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0cd3d8724238e5bc80d2b890c56489ab_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0cd3d8724238e5bc80d2b890c56489ab_JaffaCakes118.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

0cd3d8724238e5bc80d2b890c56489ab_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Wine	0cd3d8724238e5bc80d2b890c56489ab_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

0cd3d8724238e5bc80d2b890c56489ab_JaffaCakes118.exe

pid process

2928 0cd3d8724238e5bc80d2b890c56489ab_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2928	0cd3d8724238e5bc80d2b890c56489ab_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0cd3d8724238e5bc80d2b890c56489ab_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	0cd3d8724238e5bc80d2b890c56489ab_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	0cd3d8724238e5bc80d2b890c56489ab_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

0cd3d8724238e5bc80d2b890c56489ab_JaffaCakes118.exe

pid process

2928 0cd3d8724238e5bc80d2b890c56489ab_JaffaCakes118.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

0cd3d8724238e5bc80d2b890c56489ab_JaffaCakes118.exe

pid process

2928 0cd3d8724238e5bc80d2b890c56489ab_JaffaCakes118.exe
2928 0cd3d8724238e5bc80d2b890c56489ab_JaffaCakes118.exe

pid	process
2928	0cd3d8724238e5bc80d2b890c56489ab_JaffaCakes118.exe

pid	process
2928	0cd3d8724238e5bc80d2b890c56489ab_JaffaCakes118.exe
2928	0cd3d8724238e5bc80d2b890c56489ab_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\0cd3d8724238e5bc80d2b890c56489ab_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0cd3d8724238e5bc80d2b890c56489ab_JaffaCakes118.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2928

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hUoWjDDnyeog\Hvd04kNMOOW.zip
Filesize
36KB

MD5
e494d2b1f8a6fde589c3051d0616aa00

SHA1
0f147500f76bf6363ca9a9440b0d66d0535e7062

SHA256
8d5e4f43f9d9f9ae72478d2a007d346bdaab9a4b5698926b13418ebb8b4a3565

SHA512
4f64b6d3e9952ee124a13f7b02ef920a2da0b9290c24a769505ad695297936aa7b66a77e560feb03438db7474adfe90bf1de0e781fa0c539ee2a367b6a88f4d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\hUoWjDDnyeog\_Files\_Information.txt
Filesize
1KB

MD5
c81c74555d38b9bbbff944f68f938be5

SHA1
3066e1461e2031c4f4debc37a6c8d81ee2581d29

SHA256
5e2e617f2d9635329f319435e1eeb85c122ff4c51ff91a7c0cef39b30237088f

SHA512
f99e74e409ed7d2523fbf5242bc9f16e164f474739b609814bb380d6f3bbfb388ee80fbb3d58bc8001b1ffcb079497badc60b1f60a2f11b83c53f667a87b76df

Download Submit
C:\Users\Admin\AppData\Local\Temp\hUoWjDDnyeog\_Files\_Information.txt
Filesize
3KB

MD5
5759e2ea68413b555b065e6ec34baeb0

SHA1
ce4397671499c91e18696a8151ec943aeac59af0

SHA256
0176c9ba76565d1bb9369ac051c174c3e0221f5ed59bca7e61cb59526fb934a8

SHA512
04eed8c247c4d9da0747fb37e063c3e8158771f865fd75d472f51b3b097d1ec3bf2991bc9f0e7dfa507707e3b9e8bbfa595f07773299f3212a96b46e47b2931f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hUoWjDDnyeog\_Files\_Information.txt
Filesize
3KB

MD5
1f82b4bde851a1472d10ce25cd94a2b7

SHA1
f976ffe37a6a18dea2762d16c68f8d3c8505b518

SHA256
e50ab5c6b96b4c1e67076d6ad766fa08ebb064814afe11b8f36e30157c2baa47

SHA512
ae04e570b51babae76015a58792c5be79f5aa608e882d80ecb148012b697e5dd8c2f130f34d66897ceb8d85f4b5af563d6e666c96c48aac17406c6fd87e99e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\hUoWjDDnyeog\_Files\_Information.txt
Filesize
4KB

MD5
0659bc8bad38b23806391b7d1ee22ce9

SHA1
bd3c827f4cf8618cac47ad6adcf5f03c9756e2ba

SHA256
dfbf11de32e1c6baee8d96716d5aba2a9b95d9a0db6812c49f1a690aa8c4a681

SHA512
a1b6f36fb5c7887e9f5229f19532c3ce80353c6bb99853e8165b7c2bb37aefaa6482b6193b9d3a7db746e526ed5b5297431cd5100fa9474673be55424fec0ee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\hUoWjDDnyeog\_Files\_Screen_Desktop.jpeg
Filesize
43KB

MD5
e58ee8343d6c11b664c4eb8f3c990495

SHA1
3f1c8dd122fef9fcbea01a32e18579120f94497f

SHA256
969bd2ed828f3eba16b38b17b9211ea2bd816ce2a8aeff9e7f4515c92cfd997f

SHA512
50af2ece96726255d9576adbc578dbe673f88404e66c61a47ee513dd991be1fbe87e6259c0e54b6a7b5e953af3ed90359b0994cf9162ef77fd5f44966f0c716c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hUoWjDDnyeog\files_\system_info.txt
Filesize
1KB

MD5
ceb7d001d1fac59c5ef772a810663e87

SHA1
aa675603ef5aac34b6857ce1a338a5cf2c80b63d

SHA256
d39369e399243d4661ed4bb6942a2224c948e13cf84bdfda9064071b8db5d896

SHA512
1b1abecc799bc5118b5380528584338bfb77e665401665e0098d9be5ed3ee78c0a1ef27012f2327baf5e34709285bd48df66e5b154386cda1eb79ba2c26320fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hUoWjDDnyeog\files_\system_info.txt
Filesize
3KB

MD5
dacc76cf3ecb11d80a1970b0941005cb

SHA1
b3b3ba18f187eb024e4594d134ec6809f6931930

SHA256
63ceb78764edd37aef48db9ed7cbd087e46235e752d761a6b5afebeab084cca4

SHA512
fc6f439cf54948f4a6e88e33b34aed2dc19ad49aea32c05fd6a89283d3c97730b4d326ae2fbca76f29df0443269b9e4f4ce25c75fe5b446a99a427aa4455cc37

Download Submit
C:\Users\Admin\AppData\Local\Temp\hUoWjDDnyeog\files_\system_info.txt
Filesize
3KB

MD5
e12fccc9dde6b7714f0b2aecdba50ad6

SHA1
320aa5c020d8f32a6ea1bffab31e941c6a5f06c2

SHA256
373c7d6d8da394850e26cd4669ba8bd1a5dc94df05310fc72568799e018ed59d

SHA512
ddcfc08af67bbbd63ef7194707c54d321d2f3b655f2b3edf56167bcf4dcada9c00722129bf57721cdd95af021288a2b5847f57d6c37a2432e65bda548cf730fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\hUoWjDDnyeog\files_\system_info.txt
Filesize
4KB

MD5
e41c9f66e9d54d7351ab8f4e4eb5ce95

SHA1
f8a32cb2dea88eedb1580160c213de7ed3f2cb9d

SHA256
88fe45c555af56ebffffe3acc467318cc356b742f2aed8aec786ce27a22daa4f

SHA512
24c2e4a532f0a7d6a6147cf26da5c4673701b1792b37be5cd2fd51eaf008fa346fbae3d9bbc05380b6c2322d2c2efdbd44358f7943303698799dabd04d4895c1

Download Submit
memory/2928-222-0x0000000001370000-0x00000000018AB000-memory.dmp

Filesize
5.2MB

Download
memory/2928-233-0x0000000001370000-0x00000000018AB000-memory.dmp

Filesize
5.2MB

Download
memory/2928-3-0x0000000001370000-0x00000000018AB000-memory.dmp

Filesize
5.2MB

Download
memory/2928-2-0x0000000000A10000-0x0000000000F4B000-memory.dmp

Filesize
5.2MB

Download
memory/2928-0-0x0000000001370000-0x00000000018AB000-memory.dmp

Filesize
5.2MB

Download
memory/2928-224-0x0000000001370000-0x00000000018AB000-memory.dmp

Filesize
5.2MB

Download
memory/2928-225-0x0000000001370000-0x00000000018AB000-memory.dmp

Filesize
5.2MB

Download
memory/2928-226-0x0000000001370000-0x00000000018AB000-memory.dmp

Filesize
5.2MB

Download
memory/2928-1-0x0000000000A10000-0x0000000000F4B000-memory.dmp

Filesize
5.2MB

Download
memory/2928-228-0x0000000001370000-0x00000000018AB000-memory.dmp

Filesize
5.2MB

Download
memory/2928-230-0x0000000001370000-0x00000000018AB000-memory.dmp

Filesize
5.2MB

Download
memory/2928-4-0x0000000001370000-0x00000000018AB000-memory.dmp

Filesize
5.2MB

Download
memory/2928-235-0x0000000001370000-0x00000000018AB000-memory.dmp

Filesize
5.2MB

Download
memory/2928-238-0x0000000001370000-0x00000000018AB000-memory.dmp

Filesize
5.2MB

Download
memory/2928-240-0x0000000001370000-0x00000000018AB000-memory.dmp

Filesize
5.2MB

Download
memory/2928-242-0x0000000001370000-0x00000000018AB000-memory.dmp

Filesize
5.2MB

Download
memory/2928-244-0x0000000001370000-0x00000000018AB000-memory.dmp

Filesize
5.2MB

Download
memory/2928-247-0x0000000001370000-0x00000000018AB000-memory.dmp

Filesize
5.2MB

Download
memory/2928-249-0x0000000001370000-0x00000000018AB000-memory.dmp

Filesize
5.2MB

Download
memory/2928-251-0x0000000001370000-0x00000000018AB000-memory.dmp

Filesize
5.2MB

Download
memory/2928-253-0x0000000001370000-0x00000000018AB000-memory.dmp

Filesize
5.2MB

Download