Extracted

• • Target

    f7d357ad02e19287fbfdd8fc138a3662_JaffaCakes118

  • Size

    2.0MB

  • MD5

    f7d357ad02e19287fbfdd8fc138a3662

  • SHA1

    88ddb3cd546a4751d57fade705264d2b575ff35a

  • SHA256

    848ebc63155b66409cd11733c08ab85b1886009dfa895c7dc56c63079d23125f

  • SHA512

    873a7203e7c4ea6fdde068ab6d38d0355ea68820388bd92c33119082155d36d13f4cbbbc90aab9f1b4c4533e303e1b174b84c5f5bfe65dd2fbe154d13011abd4

  • SSDEEP

    49152:lG2PzG4mPIy8w8HU1fMZBYrKZzjsOA/D0JOssWpl:vPK4mPGw8HUVWBYrK1jOQ8Wp

  Score

  10^/10

  cryptbotdiscoveryevasionspywarestealer

  • CryptBot

    CryptBot is a C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot

  • CryptBot payload

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2