cryptbot | 143baeea153f94dec6b4ae148ce7f7db97b1aa8d034803a945e069143504263e

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 21:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1188dcf1d263848bbc3a9e0e000fa5d_JaffaCakes118.exe
Size

2.6MB
MD5

e1188dcf1d263848bbc3a9e0e000fa5d
SHA1

30ec0f03ff134f6835e5a1f9ac50d2f1f203f3b9
SHA256

143baeea153f94dec6b4ae148ce7f7db97b1aa8d034803a945e069143504263e
SHA512

021f52ab015eabe04443efe38d848760d971352a422c93ead6ca15566d377e015ff16decd45c62047eeaf76a13959956127d4763b59190d777e8d6249f3b6adf
SSDEEP

49152:cvm6WWeedeXKl+GlMfZDebimoMpgeAwXYjb/D652jYdJT0:4mVWVfl+GqZDBmoDU9bT

Score

10^/10

cryptbot credential_access discovery spyware stealer

Malware Config

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 15 IoCs

resource	yara_rule
behavioral2/memory/2104-221-0x00007FF733B90000-0x00007FF73423B000-memory.dmp	family_cryptbot
behavioral2/memory/2104-222-0x00007FF733B90000-0x00007FF73423B000-memory.dmp	family_cryptbot
behavioral2/memory/2104-225-0x00007FF733B90000-0x00007FF73423B000-memory.dmp	family_cryptbot
behavioral2/memory/2104-228-0x00007FF733B90000-0x00007FF73423B000-memory.dmp	family_cryptbot
behavioral2/memory/2104-231-0x00007FF733B90000-0x00007FF73423B000-memory.dmp	family_cryptbot
behavioral2/memory/2104-234-0x00007FF733B90000-0x00007FF73423B000-memory.dmp	family_cryptbot
behavioral2/memory/2104-236-0x00007FF733B90000-0x00007FF73423B000-memory.dmp	family_cryptbot
behavioral2/memory/2104-240-0x00007FF733B90000-0x00007FF73423B000-memory.dmp	family_cryptbot
behavioral2/memory/2104-243-0x00007FF733B90000-0x00007FF73423B000-memory.dmp	family_cryptbot
behavioral2/memory/2104-246-0x00007FF733B90000-0x00007FF73423B000-memory.dmp	family_cryptbot
behavioral2/memory/2104-249-0x00007FF733B90000-0x00007FF73423B000-memory.dmp	family_cryptbot
behavioral2/memory/2104-256-0x00007FF733B90000-0x00007FF73423B000-memory.dmp	family_cryptbot
behavioral2/memory/2104-259-0x00007FF733B90000-0x00007FF73423B000-memory.dmp	family_cryptbot
behavioral2/memory/2104-262-0x00007FF733B90000-0x00007FF73423B000-memory.dmp	family_cryptbot
behavioral2/memory/2104-265-0x00007FF733B90000-0x00007FF73423B000-memory.dmp	family_cryptbot

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	e1188dcf1d263848bbc3a9e0e000fa5d_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	e1188dcf1d263848bbc3a9e0e000fa5d_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	e1188dcf1d263848bbc3a9e0e000fa5d_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	e1188dcf1d263848bbc3a9e0e000fa5d_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2104	e1188dcf1d263848bbc3a9e0e000fa5d_JaffaCakes118.exe
2104	e1188dcf1d263848bbc3a9e0e000fa5d_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\e1188dcf1d263848bbc3a9e0e000fa5d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e1188dcf1d263848bbc3a9e0e000fa5d_JaffaCakes118.exe"
1⤵
- Checks BIOS information in registry
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lElAGQT\LYuKIN7gQyBUn.zip

Filesize
427KB

MD5
ef39d9f088b14aea66982e6252ddd02a

SHA1
3ee53925c147facadf0f7a1b1e7cb2ce739028e1

SHA256
3c15e105093e5851f710a2393a83e85e769e49fce4829f8a77491f6d16eb1b01

SHA512
6a87aa883b9247f6fee09311850af214d23bb3d935ae4222d01511c05e3a807d1470778de33afc85443f470692038507051d1cab774f6cfd83a57396503ae575

Download Submit
C:\Users\Admin\AppData\Local\Temp\lElAGQT\_Files\_Files\BackupConvertTo.txt

Filesize
383KB

MD5
21ec50a35e89e56965263570ef6d8950

SHA1
efee43de7b95a11dab3e92769bfb761109f6bc77

SHA256
1fb4d65ef5dde3db00b63eb896a0cd9086ac77e93692de9dcbae0965d158a795

SHA512
b2c33bb53fff852841f9238ffec92ecdc4ee1f185f6a17deddfb85f0d13904fb607b880076648146cb1855d6ce053dbd356aeb9ac86643d1b3345f985250ae8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\lElAGQT\_Files\_Information.txt

Filesize
1KB

MD5
93c8d44f75df956bf5ae8e36d7d3d73b

SHA1
510d7467e06c17f0a5bbf10386a20c42c9ca231b

SHA256
45da420afba65541c35541654266e0c991dcb0c15faa05cd2900cf2b6052ac5e

SHA512
398df14be3fc1718302784139b520f78ba4e94a904eaf7b41f5bd1d77de24f8ba4d4bbc9ffa441d0cc7af6179d834e0a7e8eb2dc146dcaecd1df37eb7ee1afec

Download Submit
C:\Users\Admin\AppData\Local\Temp\lElAGQT\_Files\_Information.txt

Filesize
3KB

MD5
465987aca5b3f06c298356a809c17296

SHA1
e700c062e9567719a949fc0b7a3ef7b1df0b9d85

SHA256
982e0463890b4899904578e6687c312726fb4f39549eefcc84e424c3b782694d

SHA512
c8eba4524bf3fb7e66a904dbd5bc5123d4640ee0c0c7073f36d45e9a0c5d145f723a6895a1c3838ce7a5ee9d83bf18dfec80a8d3e6771eea047aec038a537b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\lElAGQT\_Files\_Information.txt

Filesize
4KB

MD5
428b798bb55be0b9fb3daf642a07cdd3

SHA1
cb6224f62ba3e971c4e695e74d686b37cbe109d6

SHA256
450c157d9cfdc1027d9578e7391e35072798c9c706e7f464ae063f66f02d8479

SHA512
726e258c431764e127098eb223279f13b953e18d6cdfae000adb905ddfcad47008a829ed88efc32955b319f7a72d029eb90c9c411b8a6c1f30a8dfab3f4e0daf

Download Submit
C:\Users\Admin\AppData\Local\Temp\lElAGQT\_Files\_Screen_Desktop.jpeg

Filesize
48KB

MD5
9c6e892b4dc8b571c4fef4f3d13575a2

SHA1
0c49beb4508397a5b1ad9810346365e6f2394e5c

SHA256
35fbcbe18b080c23fd58c6361c1e0b269c5a22ad413c82d28af1afac03dd5f84

SHA512
3f6a13dc29e857022e95ff8088120c28c92e9f3f8eb0c13ea51c81c9809f6ec8b9c6fc7e2a602956ca72ec083961bed219ebb5e1bdcc0636bf38c8edaeda0080

Download Submit
C:\Users\Admin\AppData\Local\Temp\lElAGQT\files_\system_info.txt

Filesize
1KB

MD5
58f9702e93a3714d48b197d49c804326

SHA1
b713b7cf2e1c0d0c269a0c9ac4efa94f29975ab9

SHA256
34abc855df751419c95abe89d2df980ad6517225deec900158b11a4914ac243d

SHA512
d15345ec84e8ee8674cada3dabff032567b0ca906f27b2accceec60b76855bcefb2b0d1f3c27cfaf31bce37994f571893f52099e449f4d0bd01d4a6c6cb6be56

Download Submit
C:\Users\Admin\AppData\Local\Temp\lElAGQT\files_\system_info.txt

Filesize
1KB

MD5
6fcb726e7a3d92e2294bd932b78f4845

SHA1
98c67fb3e5a85e89b715e545ea0b6d892b99d08a

SHA256
cd5d1635dae8937fa67eec44c943bc871a7112001e8655c007e5447301896b8b

SHA512
e83322ad00f689766f1da4f77967fa6bbda8e4af359c95351a0c2742d2c77697b522a8a5164d94e043fbcf1c624589adbfa149a3943c06207be0d05aaf1eed7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\lElAGQT\files_\system_info.txt

Filesize
4KB

MD5
95e199dd39444110536951f2e52cbb49

SHA1
c1747a995b34ec96b7c13128e6951e71981f8822

SHA256
2454f3de714360915294f5ddb7cf98c1975977a0697e13e5dd188b1c0665d64d

SHA512
d3519da900be89b4d6104372613f5fbf865e8f6d8a21632fff222774607409d28c668b1eb1e6b3b83acd86bdcd4e1e69494ca6ea4ce3bbe7ae8430971579fb95

Download Submit
C:\Users\Admin\AppData\Local\Temp\lElAGQT\teaI3lvtGgW.zip

Filesize
427KB

MD5
3a5df278f861e84a88cfdb24805d154b

SHA1
59351b532b300a108383767b8ee0ceaa27c15697

SHA256
b8f17aef5d012438e3f8eb829544a71f94276cd33399489903b6e083629656c4

SHA512
95da6d85fa7c1e4a29abc915955b73df147b34582dbf879c086ae67c4bf7e7eeacc37b2ad7b0388381a4e03c896fc434ed273d273b6154201766a4c046c7536b

Download Submit
memory/2104-234-0x00007FF733B90000-0x00007FF73423B000-memory.dmp

Filesize
6.7MB

Download
memory/2104-243-0x00007FF733B90000-0x00007FF73423B000-memory.dmp

Filesize
6.7MB

Download
memory/2104-0-0x00007FF733B90000-0x00007FF73423B000-memory.dmp

Filesize
6.7MB

Download
memory/2104-225-0x00007FF733B90000-0x00007FF73423B000-memory.dmp

Filesize
6.7MB

Download
memory/2104-228-0x00007FF733B90000-0x00007FF73423B000-memory.dmp

Filesize
6.7MB

Download
memory/2104-231-0x00007FF733B90000-0x00007FF73423B000-memory.dmp

Filesize
6.7MB

Download
memory/2104-221-0x00007FF733B90000-0x00007FF73423B000-memory.dmp

Filesize
6.7MB

Download
memory/2104-236-0x00007FF733B90000-0x00007FF73423B000-memory.dmp

Filesize
6.7MB

Download
memory/2104-240-0x00007FF733B90000-0x00007FF73423B000-memory.dmp

Filesize
6.7MB

Download
memory/2104-222-0x00007FF733B90000-0x00007FF73423B000-memory.dmp

Filesize
6.7MB

Download
memory/2104-246-0x00007FF733B90000-0x00007FF73423B000-memory.dmp

Filesize
6.7MB

Download
memory/2104-249-0x00007FF733B90000-0x00007FF73423B000-memory.dmp

Filesize
6.7MB

Download
memory/2104-256-0x00007FF733B90000-0x00007FF73423B000-memory.dmp

Filesize
6.7MB

Download
memory/2104-1-0x00007FFB35B90000-0x00007FFB35B92000-memory.dmp

Filesize
8KB

Download
memory/2104-259-0x00007FF733B90000-0x00007FF73423B000-memory.dmp

Filesize
6.7MB

Download
memory/2104-262-0x00007FF733B90000-0x00007FF73423B000-memory.dmp

Filesize
6.7MB

Download
memory/2104-265-0x00007FF733B90000-0x00007FF73423B000-memory.dmp

Filesize
6.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads