cryptbot | d147085a0bdc76c5bcd880e6163691b70c728afb6be1da952adf8ab98e43af06

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-10-2024 09:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e97bae99824a19e9bb834dc126c7aa8_JaffaCakes118.exe
Size

945KB
MD5

2e97bae99824a19e9bb834dc126c7aa8
SHA1

07c5ddb1652394f517603729e45aee7f74595b05
SHA256

d147085a0bdc76c5bcd880e6163691b70c728afb6be1da952adf8ab98e43af06
SHA512

8a957a8d0fd7984e4f4d680ba03891e99e3dc2c5520e3a56c02d9b1d5d048dbf3b3e4106e8accf1b9b682b2afe641282263d31ace03d2e5bda4c968535db9600
SSDEEP

24576:1mZprpe+ojcAVY0jJhrsrOhiXpIUHBBpziZMvLn:AZVs+8ckwOhjQHRPD

Score

10^/10

cryptbot discovery persistence spyware stealer

Malware Config

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

Executes dropped EXE 2 IoCs

pid	Process
2744	Che.exe.com
2588	Che.exe.com

Loads dropped DLL 2 IoCs

pid	Process
2900	cmd.exe
2744	Che.exe.com

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2e97bae99824a19e9bb834dc126c7aa8_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Che.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Che.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2e97bae99824a19e9bb834dc126c7aa8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2788	PING.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Che.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Che.exe.com

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2672	timeout.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2788	PING.EXE

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2744	Che.exe.com
2744	Che.exe.com
2744	Che.exe.com
2588	Che.exe.com
2588	Che.exe.com
2588	Che.exe.com

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
2744	Che.exe.com
2744	Che.exe.com
2744	Che.exe.com
2588	Che.exe.com
2588	Che.exe.com
2588	Che.exe.com

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 2688	2728	2e97bae99824a19e9bb834dc126c7aa8_JaffaCakes118.exe	30
PID 2728 wrote to memory of 2688	2728	2e97bae99824a19e9bb834dc126c7aa8_JaffaCakes118.exe	30
PID 2728 wrote to memory of 2688	2728	2e97bae99824a19e9bb834dc126c7aa8_JaffaCakes118.exe	30
PID 2728 wrote to memory of 2688	2728	2e97bae99824a19e9bb834dc126c7aa8_JaffaCakes118.exe	30
PID 2728 wrote to memory of 2732	2728	2e97bae99824a19e9bb834dc126c7aa8_JaffaCakes118.exe	31
PID 2728 wrote to memory of 2732	2728	2e97bae99824a19e9bb834dc126c7aa8_JaffaCakes118.exe	31
PID 2728 wrote to memory of 2732	2728	2e97bae99824a19e9bb834dc126c7aa8_JaffaCakes118.exe	31
PID 2728 wrote to memory of 2732	2728	2e97bae99824a19e9bb834dc126c7aa8_JaffaCakes118.exe	31
PID 2732 wrote to memory of 2900	2732	cmd.exe	33
PID 2732 wrote to memory of 2900	2732	cmd.exe	33
PID 2732 wrote to memory of 2900	2732	cmd.exe	33
PID 2732 wrote to memory of 2900	2732	cmd.exe	33
PID 2900 wrote to memory of 2884	2900	cmd.exe	34
PID 2900 wrote to memory of 2884	2900	cmd.exe	34
PID 2900 wrote to memory of 2884	2900	cmd.exe	34
PID 2900 wrote to memory of 2884	2900	cmd.exe	34
PID 2900 wrote to memory of 2744	2900	cmd.exe	35
PID 2900 wrote to memory of 2744	2900	cmd.exe	35
PID 2900 wrote to memory of 2744	2900	cmd.exe	35
PID 2900 wrote to memory of 2744	2900	cmd.exe	35
PID 2900 wrote to memory of 2788	2900	cmd.exe	36
PID 2900 wrote to memory of 2788	2900	cmd.exe	36
PID 2900 wrote to memory of 2788	2900	cmd.exe	36
PID 2900 wrote to memory of 2788	2900	cmd.exe	36
PID 2744 wrote to memory of 2588	2744	Che.exe.com	37
PID 2744 wrote to memory of 2588	2744	Che.exe.com	37
PID 2744 wrote to memory of 2588	2744	Che.exe.com	37
PID 2744 wrote to memory of 2588	2744	Che.exe.com	37
PID 2588 wrote to memory of 576	2588	Che.exe.com	38
PID 2588 wrote to memory of 576	2588	Che.exe.com	38
PID 2588 wrote to memory of 576	2588	Che.exe.com	38
PID 2588 wrote to memory of 576	2588	Che.exe.com	38
PID 576 wrote to memory of 2672	576	cmd.exe	40
PID 576 wrote to memory of 2672	576	cmd.exe	40
PID 576 wrote to memory of 2672	576	cmd.exe	40
PID 576 wrote to memory of 2672	576	cmd.exe	40

C:\Users\Admin\AppData\Local\Temp\2e97bae99824a19e9bb834dc126c7aa8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2e97bae99824a19e9bb834dc126c7aa8_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Windows\SysWOW64\dllhost.exe
  dllhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2688
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cmd < Hai.eps
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^LCUgQfWbXbFSARjphCwgKZjQDZqirXqlOZDlkdywbZFmWGowBPAMjIULdtKRfPxZbxrAgwXXvqRKxNTWRZGgbhXuyRTiFgMIFFwCDHNARDdjRlsDlOZdpuBpv$" Tue.eps
      4⤵
      System Location Discovery: System Language Discovery
      PID:2884
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Che.exe.com
      Che.exe.com s
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Che.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Che.exe.com s
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2588
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\pvOPDxxB & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Che.exe.com"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:576
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 4
        7⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2672
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Chi.eps

Filesize
1.0MB

MD5
27cf039f09bc4fac5b8ed4ba0b091bb2

SHA1
34100ba1224e8f9b5c2a0b9da297badc1e6be3f9

SHA256
364d5c36305e4fb9d6c39afcb86bae8d91e501c417807c8eedae13cc86a4072f

SHA512
b2a95a4df3e18c2ce3a26fc5d87f09cc366a6d60f0c13bda0df29550f81218e21a8e69741bdfc1e33f73656dbb096f7cb37f54c20900e405d50c58851da16a04

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Hai.eps

Filesize
438B

MD5
797fc3c9ce9b0cd090c2c5b67f11603f

SHA1
db95ba3fa87edbe658d0d8bd02e56d75740f9e2f

SHA256
f52a44d88ba65806ddf566f92ed7c5331ec05f0646c253ec0ba3fefb748e93df

SHA512
b75cfe2a26277863acb1377761cc05677b12771697313ee9af7b5be2acc6b89e77b45e9dcca3362b240a239eb39a55bb5939e19e55776a979dfe5b2e55ca0fec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tue.eps

Filesize
872KB

MD5
f0a3e365736c1f603095adb47c00787d

SHA1
3244b009cbe18066915c70a1582ee0630d949a4b

SHA256
c2d3c4d316536fd0dc1544bfd57ddcd8897bbd28dd0415ae55684b35134b4a36

SHA512
69f1753549e8eeca1fed1c19c8fa86807322c67e59cdcb05aa0c76de322a889b274c204533012a44df3cf9f66f41cdf8c249fd8f617b07387482cbeb609d8b56

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Che.exe.com

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/2588-21-0x00000000041E0000-0x0000000004229000-memory.dmp

Filesize
292KB

Download
memory/2588-22-0x00000000041E0000-0x0000000004229000-memory.dmp

Filesize
292KB

Download
memory/2588-23-0x00000000041E0000-0x0000000004229000-memory.dmp

Filesize
292KB

Download
memory/2588-25-0x00000000041E0000-0x0000000004229000-memory.dmp

Filesize
292KB

Download
memory/2588-24-0x00000000041E0000-0x0000000004229000-memory.dmp

Filesize
292KB

Download
memory/2588-26-0x00000000041E0000-0x0000000004229000-memory.dmp

Filesize
292KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads