cryptbot | 46c2df358cebea0eed3ae32167c399a445ce0f106f473997775889f8ac2ca733

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-10-2024 01:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4538e3df24ed8b8cd6a3474b2f0e1f74_JaffaCakes118.exe
Size

621KB
MD5

4538e3df24ed8b8cd6a3474b2f0e1f74
SHA1

e3b567e2b004c3a637b04a082b0ebbf98d6d37e0
SHA256

46c2df358cebea0eed3ae32167c399a445ce0f106f473997775889f8ac2ca733
SHA512

2286929bf5a7aab9e9aa88573fcea5dfff97faba7dff4aa9ca3754b7e0df48a511b46f97a17e25286a19ecdfd750e1660d4b15146b2b5cb9779c7790db299027
SSDEEP

12288:8LtsJ0XDsa21ugSSbujX45JbdSxqly5WxX8Vbc:ZJ0XyCU5JbWf8X8VY

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Extracted

Family

cryptbot

lyssen62.top

morwaf06.top

Attributes

payload_url
http://damliq08.top/download.php?file=lv.exe

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 5 IoCs

resource	yara_rule
behavioral2/memory/4036-2-0x0000000000AB0000-0x0000000000B50000-memory.dmp	family_cryptbot
behavioral2/memory/4036-3-0x0000000000400000-0x00000000004A3000-memory.dmp	family_cryptbot
behavioral2/memory/4036-224-0x0000000000AB0000-0x0000000000B50000-memory.dmp	family_cryptbot
behavioral2/memory/4036-226-0x0000000000400000-0x00000000004A3000-memory.dmp	family_cryptbot
behavioral2/memory/4036-225-0x0000000000400000-0x0000000000951000-memory.dmp	family_cryptbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4538e3df24ed8b8cd6a3474b2f0e1f74_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	4538e3df24ed8b8cd6a3474b2f0e1f74_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	4538e3df24ed8b8cd6a3474b2f0e1f74_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4036	4538e3df24ed8b8cd6a3474b2f0e1f74_JaffaCakes118.exe
4036	4538e3df24ed8b8cd6a3474b2f0e1f74_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\4538e3df24ed8b8cd6a3474b2f0e1f74_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4538e3df24ed8b8cd6a3474b2f0e1f74_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
PID:4036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zQgoOUql7Iq\NrSHkZBtkk8h4.zip

Filesize
566KB

MD5
1726dc51ba498a9dcc3aa33e3b12e608

SHA1
4526890e543798556c5f97b6fed79818721ced1b

SHA256
0349015fcb3531f4b3e262b3deede27385f1475e4978a7c4c114b9b13758ccf5

SHA512
226c4757e894baf68b997df15f538d9a037630bbc6b43dcd9c4c3b92ed2195a8974f2f947f4a3910a507d91f1d9cce3822d13fac9d7b0c8296a3745508841396

Download Submit
C:\Users\Admin\AppData\Local\Temp\zQgoOUql7Iq\_Files\_Files\UnpublishExport.txt

Filesize
521KB

MD5
21902e28c6eceefe69e78892b2b6531d

SHA1
3304b6ce4ccc8aa5e6f15eb94344a22a2bd258f1

SHA256
4008bf60cf0dabc6876db549a9aaccbad33286fb3aaa192e268b10dc3d32e8d1

SHA512
39b358a2b1bde05f1203ff8cbf258a6d3286c8d100f81d642f59220b5cdc251837297fd3d5dce81291ae1f2b85f88e3b69a0869eb0678bbbf3ff157b9e73eaca

Download Submit
C:\Users\Admin\AppData\Local\Temp\zQgoOUql7Iq\_Files\_Information.txt

Filesize
7KB

MD5
1ba6aff2a33ff33c9dadf3ef93861019

SHA1
eb0e65d6c16dd7591e67b32ad653d010bb0fd659

SHA256
bf2e3bbdd212e25a6bba71a5018dc6faf82935fc142e5a85b0c73b1bed606359

SHA512
ee28966677db5aacec6740d64e8b771ad56ccc3547631a8d1164ad5fbc19bb9ebee72c0acb765ff334aabc15c45776553c634352d6d19cf258e51d0c4e923e6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zQgoOUql7Iq\_Files\_Screen_Desktop.jpeg

Filesize
50KB

MD5
5249231ed307045cdcbdb7068cfecaf1

SHA1
9cbc0c9a1b34c6621b4efdc6d6915c2e56eb20ed

SHA256
7bd9687eff553a0dd33f86c2294d769e926c89aecaab929b4bada5b5c6d62ffb

SHA512
a51781b32970a996ce97aa470b3c358255c7415fb348cd1aafab826bf6f0a11b62bdb107f48b752e9e02165dc4638012631372913f73113e5b2e9b952145fbac

Download Submit
C:\Users\Admin\AppData\Local\Temp\zQgoOUql7Iq\files_\system_info.txt

Filesize
1KB

MD5
ee9c86d49e72076b0058204b8354639a

SHA1
d9eb6059ca65a4423bfb27d91b4c3b0abc2902c0

SHA256
42bd0926edf3066a149aef57941d6b78972f19b6750f25e84da6d35e61f24b71

SHA512
300684240837c80a916248e11aded5928e5c1564d8b2690516b30aa1b675449eace451b9ee12230541354c05928cecce36a6afa651bae843f8b8636f5eabbb80

Download Submit
C:\Users\Admin\AppData\Local\Temp\zQgoOUql7Iq\files_\system_info.txt

Filesize
1KB

MD5
bdee90f2aab811dde98840ce5bd0537b

SHA1
9d93e0161032184469baea4599cfdea7cff01ece

SHA256
ac91f4ba4d2ee21feb8aa5ba9ff5e6207e8aa2e5e778f176fdba965db7021ac8

SHA512
3c436d7ef34f88137bb38dc138674af490a578766c45e5ae3fa67ee0ca5313c7f3f2061f87049d7bd090b73c731cbe59f6fe3e777502144e854cbd700881b77c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zQgoOUql7Iq\files_\system_info.txt

Filesize
4KB

MD5
7ecd72c79011236845e1437e3b2b122d

SHA1
4a3e87718aa75557993bf30b636fff1ba3a150c2

SHA256
74b4ae231e9e5c331b28c22ae19982397f9e9b410a7c8efadf625d08dc11f0ea

SHA512
a48df084f355145bba400cc2ef128c1c1fe9829e5909b9a3bf563c380cfcb81bce1a7994dbd647c0291052afacd98b0a1cfcbafb1eaa1aebed431d9f3662426a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zQgoOUql7Iq\files_\system_info.txt

Filesize
4KB

MD5
50af642bc155b31a944ff088b15e0db3

SHA1
19d9c86b20ddf67fa2f6ee4bbbd62004e9181462

SHA256
a102eef52a108df50576dd192e7a20bca164944326b3056e70ba337895b16fa5

SHA512
3b098db8a8af70e24f835a6592b615a75ef11cda3d4232f2f40f5ca92a012ec8cebc654db36ea8c2217e1744b75ee7b29a53e402a7b2642dde1c901d3aeb8098

Download Submit
C:\Users\Admin\AppData\Local\Temp\zQgoOUql7Iq\rIkHWGapybWp.zip

Filesize
566KB

MD5
4ed781005d254a4f8933017afd715bed

SHA1
82c71b0ccf1597924a090c1fc729f37d189f8233

SHA256
49f5faea939168bac470bb4cb5542bf1e37e9765c64f56d845e01bca7522eb94

SHA512
562ee19964d5087de884e6af5b0486bc64f30789dace979ca380fa0c7aae9df068d52bf7ebf8a58ee3387b837937027ef92c29687b153943806e0d4526ead9bb

Download Submit
memory/4036-1-0x0000000000C30000-0x0000000000D30000-memory.dmp

Filesize
1024KB

Download
memory/4036-3-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/4036-222-0x0000000000C30000-0x0000000000D30000-memory.dmp

Filesize
1024KB

Download
memory/4036-224-0x0000000000AB0000-0x0000000000B50000-memory.dmp

Filesize
640KB

Download
memory/4036-226-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/4036-225-0x0000000000400000-0x0000000000951000-memory.dmp

Filesize
5.3MB

Download
memory/4036-2-0x0000000000AB0000-0x0000000000B50000-memory.dmp

Filesize
640KB

Download