cryptbot | cef1d3f10fdb50df41e0dcb5c77e45c4587adb76747259ce893ceabb863d9994

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 01:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0d341d2d2f0f61a4c403b88085e3576_JaffaCakes118.exe
Size

4.2MB
MD5

d0d341d2d2f0f61a4c403b88085e3576
SHA1

bf8c04ebd83d850cfafce00c49b0ea2646acedee
SHA256

cef1d3f10fdb50df41e0dcb5c77e45c4587adb76747259ce893ceabb863d9994
SHA512

b35c7ccd2d7df90efe8457cfcfb8a13353216bb83c9900cdf64916e2956f0852d0272216679b10cd669db44db15c5fef0a6427bf3a2752cb585626144b0df95c
SSDEEP

49152:zOdVHtDhAcN9W4L0bXIOyyB85hOTm8z3th24azqaNBJkLy0vq3dsJ8zYNawVG9aE:CXNucUnyJ09h24azvFYyeU7kREDBZ

Score

10^/10

cryptbot credential_access discovery evasion spyware stealer

Malware Config

Extracted

Family

cryptbot

bibinene03.top

moraass05.top

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 20 IoCs

resource	yara_rule
behavioral2/memory/3716-31-0x0000000000890000-0x0000000000DD2000-memory.dmp	family_cryptbot
behavioral2/memory/3716-32-0x0000000000890000-0x0000000000DD2000-memory.dmp	family_cryptbot
behavioral2/memory/3716-140-0x0000000000890000-0x0000000000DD2000-memory.dmp	family_cryptbot
behavioral2/memory/3716-249-0x0000000000890000-0x0000000000DD2000-memory.dmp	family_cryptbot
behavioral2/memory/3716-250-0x0000000000890000-0x0000000000DD2000-memory.dmp	family_cryptbot
behavioral2/memory/3716-251-0x0000000000890000-0x0000000000DD2000-memory.dmp	family_cryptbot
behavioral2/memory/3716-253-0x0000000000890000-0x0000000000DD2000-memory.dmp	family_cryptbot
behavioral2/memory/3716-255-0x0000000000890000-0x0000000000DD2000-memory.dmp	family_cryptbot
behavioral2/memory/3716-258-0x0000000000890000-0x0000000000DD2000-memory.dmp	family_cryptbot
behavioral2/memory/3716-261-0x0000000000890000-0x0000000000DD2000-memory.dmp	family_cryptbot
behavioral2/memory/3716-264-0x0000000000890000-0x0000000000DD2000-memory.dmp	family_cryptbot
behavioral2/memory/3716-267-0x0000000000890000-0x0000000000DD2000-memory.dmp	family_cryptbot
behavioral2/memory/3716-270-0x0000000000890000-0x0000000000DD2000-memory.dmp	family_cryptbot
behavioral2/memory/3716-273-0x0000000000890000-0x0000000000DD2000-memory.dmp	family_cryptbot
behavioral2/memory/3716-276-0x0000000000890000-0x0000000000DD2000-memory.dmp	family_cryptbot
behavioral2/memory/3716-279-0x0000000000890000-0x0000000000DD2000-memory.dmp	family_cryptbot
behavioral2/memory/3716-284-0x0000000000890000-0x0000000000DD2000-memory.dmp	family_cryptbot
behavioral2/memory/3716-287-0x0000000000890000-0x0000000000DD2000-memory.dmp	family_cryptbot
behavioral2/memory/3716-288-0x0000000000890000-0x0000000000DD2000-memory.dmp	family_cryptbot
behavioral2/memory/3716-291-0x0000000000890000-0x0000000000DD2000-memory.dmp	family_cryptbot

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5.exe

Executes dropped EXE 1 IoCs

pid	Process
3716	5.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Wine	5.exe

Loads dropped DLL 3 IoCs

pid	Process
4908	d0d341d2d2f0f61a4c403b88085e3576_JaffaCakes118.exe
4908	d0d341d2d2f0f61a4c403b88085e3576_JaffaCakes118.exe
4908	d0d341d2d2f0f61a4c403b88085e3576_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3716	5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d0d341d2d2f0f61a4c403b88085e3576_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	5.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3716	5.exe
3716	5.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3716	5.exe
3716	5.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4908 wrote to memory of 3716	4908	d0d341d2d2f0f61a4c403b88085e3576_JaffaCakes118.exe	85
PID 4908 wrote to memory of 3716	4908	d0d341d2d2f0f61a4c403b88085e3576_JaffaCakes118.exe	85
PID 4908 wrote to memory of 3716	4908	d0d341d2d2f0f61a4c403b88085e3576_JaffaCakes118.exe	85

C:\Users\Admin\AppData\Local\Temp\d0d341d2d2f0f61a4c403b88085e3576_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d0d341d2d2f0f61a4c403b88085e3576_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Users\Admin\AppData\Local\Temp\sib8724.tmp\0\5.exe
  "C:\Users\Admin\AppData\Local\Temp\sib8724.tmp\0\5.exe" /s
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:3716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsf8648.tmp\Sibuia.dll

Filesize
524KB

MD5
6a3c3c97e92a5949f88311e80268bbb5

SHA1
48c11e3f694b468479bc2c978749d27b5d03faa2

SHA256
7938db73242aafbe80915e4ca886d38be9b7e872b93bdae1e8ee6cf4a005b7d9

SHA512
6141886a889825ccdfa59a419f7670a34ef240c4f90a83bc17223c415f2fbd983280e98e67485710e449746b5bf3284907537bef6ab698a48954dd4910ddf693

Download Submit
C:\Users\Admin\AppData\Local\Temp\qeZmiszt1\PA5biTqYR.zip

Filesize
41KB

MD5
e431d352758f260b720fb5b7770ce2c7

SHA1
1797c4a250d3304360637afed071ce79c49b8f93

SHA256
b2c4b5c7d34c23de458456ff4279f0e990af0402534606a0778777a250a8525d

SHA512
47f94085dab3841f182b3552c466185b3722cb284c44851cb58ea1fcdca09c3d5c189dae959eb3354c2470998a0681555e3a3de30a423edcadf0d3ebc2aa9d26

Download Submit
C:\Users\Admin\AppData\Local\Temp\qeZmiszt1\_Files\_Information.txt

Filesize
7KB

MD5
4bd368aca3d7fba91d830eade3da6619

SHA1
d49f521dc61d9c769fa52e97da9194086da4cf4b

SHA256
212fb652dcdbab57b95e8a3e8c31c6abc3979a8877ced87c3bc34156a3bb2f64

SHA512
428e48824e41f3f0649970e6ed6a6d2da31d7d938724db3d2b864a90a5088400cc7ba2d95457cf575b133dfb629c1e5d7dc4fac161f3eee952c725cc54855b8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qeZmiszt1\_Files\_Screen_Desktop.jpeg

Filesize
47KB

MD5
31c9f2cf83d0505d08e98a8b14c405c1

SHA1
d3b685372982721eb04868a354b072e64d01d583

SHA256
f009588fa20c9da403666797703bd8f3726f2ab57fb2b56886b416bb51644797

SHA512
9150c550d6402eb05fd900792c37054aece8436b6f4ba991b0da16b5af4054e128e4280f8ef3aaf80ea88956fed2edb934a77ee04cd7d76d073b882aebc9e5ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\qeZmiszt1\files_\system_info.txt

Filesize
684B

MD5
8000f437c9908150ad69673e44f4477b

SHA1
4ba18deacbf7f081be3f0eec5a2605a5116679ee

SHA256
7e44605748da7dca4797b675bc4c410ecf49e17a159d5a51defe4c91236a22db

SHA512
44c79967185ad60540afb67c5bf3e34cdeaa2861fa2f15243a7c053632484a2506bdb39875b1701dc439eb2a742c851d17501fb6d0f6071bd5ae8ec5aeb35244

Download Submit
C:\Users\Admin\AppData\Local\Temp\qeZmiszt1\files_\system_info.txt

Filesize
7KB

MD5
65d04c6a938bdd401dea064c96edb404

SHA1
03315ea5c82e1592d730e5ccabd1225ade0b8c7a

SHA256
078b75b33080114dd79b00797a598670a8c021242e3c2ae010966c77d0526746

SHA512
239ef0ce850ded5d0fa728ec492f78268a3f34a97a6c23374385e23ece47c6e7a6e2bc4b047b57fc7228e2d51a245be517c99488c26ef028fae4e45038f1fe2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qeZmiszt1\uKgdtibAjV8.zip

Filesize
41KB

MD5
1c5b2e2c9f98521a472dc08e6a59f1b2

SHA1
070d1085f30cbe12fba864a19720862100a33c1a

SHA256
3ae2484afcc63feb6c9a7b4f913a945de2a1930b06b03c46c13cf00aaff98fbd

SHA512
f77887bb7c055812dbf46165c80bdcadee535cba7bf5eba719c38b514d2d0bfd1ea492f5308348690d013ead261d452b78c83686ae76916e47783c68ed152e36

Download Submit
C:\Users\Admin\AppData\Local\Temp\sib8724.tmp\0\5.exe

Filesize
2.3MB

MD5
08caa80b61ee95e610a26d52820e3efd

SHA1
2dd92ecd34ada8962201929310e278346264b6b0

SHA256
8d5eb7cd6f951771498f4b92d148d6e1401631765996be53d9fd773589bcf2a0

SHA512
65dbc03fcb2762465f8e4448220915e85257a4d370cb14382c45e719cfa3cc2913bc0580b28d69f0ad380e5cf3a9afbcac207d59f3253e5ec6124b2495f69bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\sib8724.tmp\SibClr.dll

Filesize
51KB

MD5
5ea6d2ffeb1be3fc0571961d0c4c2b5f

SHA1
902dfe9ae735c83fb0cb46b3e110bbf2aa80209e

SHA256
508336b6a7c3226738e74f6ce969e828da904ad9f7610b9112f883a316ee9222

SHA512
e81657087f451a37f06a07bf84175117fdaf75d5d8b84cbdc49497fcf88f96e259074518ea3037680d27c9eaeebd7a8df496297593fead88d7edea202a572585

Download Submit
memory/3716-30-0x0000000000891000-0x00000000008EC000-memory.dmp

Filesize
364KB

Download
memory/3716-267-0x0000000000890000-0x0000000000DD2000-memory.dmp

Filesize
5.3MB

Download
memory/3716-24-0x0000000000890000-0x0000000000DD2000-memory.dmp

Filesize
5.3MB

Download
memory/3716-29-0x00000000053A0000-0x00000000053A1000-memory.dmp

Filesize
4KB

Download
memory/3716-28-0x0000000005390000-0x0000000005391000-memory.dmp

Filesize
4KB

Download
memory/3716-27-0x0000000005380000-0x0000000005381000-memory.dmp

Filesize
4KB

Download
memory/3716-26-0x0000000005370000-0x0000000005371000-memory.dmp

Filesize
4KB

Download
memory/3716-31-0x0000000000890000-0x0000000000DD2000-memory.dmp

Filesize
5.3MB

Download
memory/3716-32-0x0000000000890000-0x0000000000DD2000-memory.dmp

Filesize
5.3MB

Download
memory/3716-291-0x0000000000890000-0x0000000000DD2000-memory.dmp

Filesize
5.3MB

Download
memory/3716-288-0x0000000000890000-0x0000000000DD2000-memory.dmp

Filesize
5.3MB

Download
memory/3716-140-0x0000000000890000-0x0000000000DD2000-memory.dmp

Filesize
5.3MB

Download
memory/3716-287-0x0000000000890000-0x0000000000DD2000-memory.dmp

Filesize
5.3MB

Download
memory/3716-284-0x0000000000890000-0x0000000000DD2000-memory.dmp

Filesize
5.3MB

Download
memory/3716-279-0x0000000000890000-0x0000000000DD2000-memory.dmp

Filesize
5.3MB

Download
memory/3716-276-0x0000000000890000-0x0000000000DD2000-memory.dmp

Filesize
5.3MB

Download
memory/3716-249-0x0000000000890000-0x0000000000DD2000-memory.dmp

Filesize
5.3MB

Download
memory/3716-250-0x0000000000890000-0x0000000000DD2000-memory.dmp

Filesize
5.3MB

Download
memory/3716-251-0x0000000000890000-0x0000000000DD2000-memory.dmp

Filesize
5.3MB

Download
memory/3716-253-0x0000000000890000-0x0000000000DD2000-memory.dmp

Filesize
5.3MB

Download
memory/3716-255-0x0000000000890000-0x0000000000DD2000-memory.dmp

Filesize
5.3MB

Download
memory/3716-273-0x0000000000890000-0x0000000000DD2000-memory.dmp

Filesize
5.3MB

Download
memory/3716-258-0x0000000000890000-0x0000000000DD2000-memory.dmp

Filesize
5.3MB

Download
memory/3716-261-0x0000000000890000-0x0000000000DD2000-memory.dmp

Filesize
5.3MB

Download
memory/3716-264-0x0000000000890000-0x0000000000DD2000-memory.dmp

Filesize
5.3MB

Download
memory/3716-25-0x00000000774B4000-0x00000000774B6000-memory.dmp

Filesize
8KB

Download
memory/3716-270-0x0000000000890000-0x0000000000DD2000-memory.dmp

Filesize
5.3MB

Download
memory/4908-14-0x0000000010C80000-0x0000000010C92000-memory.dmp

Filesize
72KB

Download
memory/4908-248-0x0000000073C90000-0x0000000074440000-memory.dmp

Filesize
7.7MB

Download
memory/4908-247-0x0000000073C9E000-0x0000000073C9F000-memory.dmp

Filesize
4KB

Download
memory/4908-15-0x0000000010CA0000-0x0000000010D5A000-memory.dmp

Filesize
744KB

Download
memory/4908-16-0x0000000073C90000-0x0000000074440000-memory.dmp

Filesize
7.7MB

Download
memory/4908-19-0x0000000073C90000-0x0000000074440000-memory.dmp

Filesize
7.7MB

Download
memory/4908-10-0x0000000073C9E000-0x0000000073C9F000-memory.dmp

Filesize
4KB

Download
memory/4908-23-0x0000000073C90000-0x0000000074440000-memory.dmp

Filesize
7.7MB

Download