cryptbot | 46c2df358cebea0eed3ae32167c399a445ce0f106f473997775889f8ac2ca733

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
15-10-2024 01:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4538e3df24ed8b8cd6a3474b2f0e1f74_JaffaCakes118.exe
Size

621KB
MD5

4538e3df24ed8b8cd6a3474b2f0e1f74
SHA1

e3b567e2b004c3a637b04a082b0ebbf98d6d37e0
SHA256

46c2df358cebea0eed3ae32167c399a445ce0f106f473997775889f8ac2ca733
SHA512

2286929bf5a7aab9e9aa88573fcea5dfff97faba7dff4aa9ca3754b7e0df48a511b46f97a17e25286a19ecdfd750e1660d4b15146b2b5cb9779c7790db299027
SSDEEP

12288:8LtsJ0XDsa21ugSSbujX45JbdSxqly5WxX8Vbc:ZJ0XyCU5JbWf8X8VY

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Extracted

Family

cryptbot

lyssen62.top

morwaf06.top

Attributes

payload_url
http://damliq08.top/download.php?file=lv.exe

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 6 IoCs

resource	yara_rule
behavioral1/memory/2512-2-0x0000000000220000-0x00000000002C0000-memory.dmp	family_cryptbot
behavioral1/memory/2512-3-0x0000000000400000-0x00000000004A3000-memory.dmp	family_cryptbot
behavioral1/memory/2512-4-0x0000000000400000-0x0000000000951000-memory.dmp	family_cryptbot
behavioral1/memory/2512-222-0x0000000000220000-0x00000000002C0000-memory.dmp	family_cryptbot
behavioral1/memory/2512-224-0x0000000000400000-0x00000000004A3000-memory.dmp	family_cryptbot
behavioral1/memory/2512-223-0x0000000000400000-0x0000000000951000-memory.dmp	family_cryptbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4538e3df24ed8b8cd6a3474b2f0e1f74_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	4538e3df24ed8b8cd6a3474b2f0e1f74_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	4538e3df24ed8b8cd6a3474b2f0e1f74_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2512	4538e3df24ed8b8cd6a3474b2f0e1f74_JaffaCakes118.exe
2512	4538e3df24ed8b8cd6a3474b2f0e1f74_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\4538e3df24ed8b8cd6a3474b2f0e1f74_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4538e3df24ed8b8cd6a3474b2f0e1f74_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\qDhyrT3mzb\EZZBKlnnJa.zip

Filesize
26KB

MD5
03fe012e33249d1716e4831911e862fe

SHA1
78fe42d006c31c3e793baad89685ee3dbb8c47f8

SHA256
798e4719a1ab1385f93d34ac6e45dad76899c2b5a6c9f6db75b5474da265dc0f

SHA512
8edc25db2702810a5f6798fd7a9eb6cadd31ebaa68984225b150ab942a1d3410b08800bb05de4f16c2586d59642d323372136d35a0af3be014b39d48adcc44db

Download Submit
C:\Users\Admin\AppData\Local\Temp\qDhyrT3mzb\_Files\_Information.txt

Filesize
1KB

MD5
dbce2f054022fc32130bdf64aa8965bc

SHA1
ec815f1eb97e3d118d04fe37058a5fac91e82ea9

SHA256
6fb5149d7aa3f458de620611d8d4b9c354aa3e58a1afc249965040e3ae3a81cc

SHA512
c4c9f946eed2e9b72e0e13f1738b3f7a2e1cf58ec7bb28636e3d6999d59a12b2681e8bb274051ce6b8ee6320b8e3c4480fd67815d80532027dc7f989c0e9d129

Download Submit
C:\Users\Admin\AppData\Local\Temp\qDhyrT3mzb\_Files\_Information.txt

Filesize
2KB

MD5
ce22a94c38604ee6f542bed1c36820e1

SHA1
7948183e1da700f306ace4c343b491f7c31d0f28

SHA256
7724432fc06f179bfb51cbc7718db844ae8235b1ec9ead7372916448b7faa660

SHA512
0232b13348e2963535231a5b2e28f83bd80198cdf348b0ab0f13160e4b90f820d56b6bd3c240e6dc18229ecabd9e2e1e7d7478b6d21af09b474ed39166aefce0

Download Submit
C:\Users\Admin\AppData\Local\Temp\qDhyrT3mzb\_Files\_Information.txt

Filesize
3KB

MD5
21309454fe9bab0e01104e2ac0680b98

SHA1
5e9bdf27f6e7146e58267946e6019333c0128397

SHA256
eedcd79f2815d873ca5b6ee4de35edd128b1551c35cf40660328aff44ecc8b67

SHA512
7a219c3533d57305427e0163c3526c5dfabcc4734bee3c088d2a8ca5b5e483d0cb1e69a83362ec00562b43ce6a218a48fecfc9314086a2e5f6873fa14078cd25

Download Submit
C:\Users\Admin\AppData\Local\Temp\qDhyrT3mzb\_Files\_Information.txt

Filesize
3KB

MD5
14079b8770e0c66da4ccc9ee764d9719

SHA1
f964f6dfc43dd8d18eb5182fcf3a681a20bd968c

SHA256
d6dfb5128291a1056c45531984f0be71039aa35bdc63d64eb009d64c954d9352

SHA512
7d48ad8e293ec7bc4ba915593707bf8fe87fdd4850e35fbfbd06e89823748ef9c0ad341088d9b99e0c3590e2496db8f03ab6a037a0c4a2462d9e9c1bda9cc8db

Download Submit
C:\Users\Admin\AppData\Local\Temp\qDhyrT3mzb\_Files\_Information.txt

Filesize
4KB

MD5
a5ef91cacda5286e3b54b5620026a1ba

SHA1
ff68ad2f350e6aa5a2de96d02b618c5741a98ede

SHA256
d785cd2ffa2ddf1fdc166830d30c09945448eb1f08be53cb3fc75adddf413c3d

SHA512
cfb050d31082430a6c8cbf80887fa089ff850ae3d0d4d1b04e8235ea286fa56448b810b76edc6b0437ffba7565023dd26b3dfebec169bd09c39340b626a7474c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qDhyrT3mzb\_Files\_Screen_Desktop.jpeg

Filesize
34KB

MD5
d5677a2dc00688d2bbf5b419df79ffc5

SHA1
232a1f288bab81383dabded2bec6f9a65b2e59f6

SHA256
c827adc2782435956e75bec1d28b834699e15610b10a9b74c316beafa8efd2da

SHA512
c1a2f82034dc54157f3b5e4e82fe1b341efb61ea1fff4daf3b785e621dc61456e018216749caccb2fd1cc38b699bfb86c31314287731cfdc3c964617053ca453

Download Submit
C:\Users\Admin\AppData\Local\Temp\qDhyrT3mzb\files_\system_info.txt

Filesize
1KB

MD5
27ff27dd902984276b871c392fa39991

SHA1
3a7856f72cf02a84becd3bd7585bf3cc280d7009

SHA256
384f673260bc954f52e69fce1423606e27a2111b772e3aa99efe79e1e8697acf

SHA512
a5e6460cbd7408b823ea8268ec770ea11a768377a4085cce62df00f45796ce8bff4e240824d6bb464a2c9af3f7cf8a05af6e9b38a9cb5e7e56424a3c2e742d3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qDhyrT3mzb\files_\system_info.txt

Filesize
3KB

MD5
b6ef8c3823d0a395f3d3670f599a3072

SHA1
22cca542ebfe24519a1b250bc58523bf2f9bd508

SHA256
3c842ee933e9876f019384c613688681bae635bcbdfbf0ea3a32c0105f637dd5

SHA512
3c4a3626568a29b5bb65befaf8f9e49dd46c981986c0700890f0df87498382f34a9365dce932802eba631d015838532333ea5e06c66fa578539349f5b0bdabc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\qDhyrT3mzb\files_\system_info.txt

Filesize
3KB

MD5
ae489714d60e8a46d70f77b8d7a03c7a

SHA1
e0a7e28917440c59f650c0e9f0e3a7b64316ec68

SHA256
40956abda0111d7ae27641823011fe9dea45522ded74bf8b704d1748c33b2c34

SHA512
1d300027e1869ae301e34058b816d9daf898fc6ee7d1a04a702bfa8ea3084ce7cf1bd0c0354f29e3b5d5f154b88583257220e06568d7de6ee8fbaf0456567b0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qDhyrT3mzb\files_\system_info.txt

Filesize
4KB

MD5
fba1773c1a562cfb159d1a0d859108d0

SHA1
bc8ccca2d1f973188b141a46e05580bfb236f9a0

SHA256
aca9ccb8736277d43ecee4bea9049caf10a24bcba9e944a9af2a6757892a2afa

SHA512
6cf35677e983676bd725fca4aac1af1e1f5227db096f92dfac038d30ba29e8a4a73212a445e17b874c6c02876c6a2d00dfd6398f4012a6e295fb8384f8a18f31

Download Submit
memory/2512-1-0x0000000000DA0000-0x0000000000EA0000-memory.dmp

Filesize
1024KB

Download
memory/2512-4-0x0000000000400000-0x0000000000951000-memory.dmp

Filesize
5.3MB

Download
memory/2512-3-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2512-221-0x0000000000DA0000-0x0000000000EA0000-memory.dmp

Filesize
1024KB

Download
memory/2512-222-0x0000000000220000-0x00000000002C0000-memory.dmp

Filesize
640KB

Download
memory/2512-224-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2512-223-0x0000000000400000-0x0000000000951000-memory.dmp

Filesize
5.3MB

Download
memory/2512-2-0x0000000000220000-0x00000000002C0000-memory.dmp

Filesize
640KB

Download