cryptbot | ac6ec77a1444f5de3ab2e46fe7757e0c68111c75b7170c1fc87343e46a78d939

General

Target

4b88ea5840bc2a0e537751c2a3bc7087_JaffaCakes118.exe
Size

327KB
MD5

4b88ea5840bc2a0e537751c2a3bc7087
SHA1

78888607d7ad9e4a21c4791f6428eda04daaf3b7
SHA256

ac6ec77a1444f5de3ab2e46fe7757e0c68111c75b7170c1fc87343e46a78d939
SHA512

bdd6b45f217d36e25da051442c24d92ff15a81b20ab40b9768c14f957995f1c613f64c991a950f7ada6057c67aea08e264cb5c94353f241f27dc66a915422699
SSDEEP

6144:dzeDa4vT2lsqGEPPGzOcOvOIy661R/yAz/odS/jPBVTh7RXda:dzeDa4ClsHzZMy31hHL/3NR

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Extracted

Family

cryptbot

C2

pacbry45.top

mortiq04.top

Attributes

payload_url
http://zukicv06.top/download.php?file=lv.exe

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4b88ea5840bc2a0e537751c2a3bc7087_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	4b88ea5840bc2a0e537751c2a3bc7087_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	4b88ea5840bc2a0e537751c2a3bc7087_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\4b88ea5840bc2a0e537751c2a3bc7087_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4b88ea5840bc2a0e537751c2a3bc7087_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:1040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LDbwyfKAea\_Files\_Information.txt

Filesize
1KB

MD5
68c32297f6ee5c83b795ee6845cb0d9f

SHA1
a808108147c608889b3d018f33c8dc16b732a412

SHA256
4b8a4d6143750df68b4a7a85daf7b704d059061b95ba8de2745fef1f1ea2b853

SHA512
a4b93c412eefc2974ec2c9ccab57493aec1ddf0dcd1972cdeb24458d80dcf515717920f7fe7e0884130585b69dc659dd0bed11ab2f807c68596fde17f413d3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\LDbwyfKAea\_Files\_Information.txt

Filesize
5KB

MD5
4b484a75a5d005eef187970682ed2ef6

SHA1
1ffd59bce72d33bf1f36dfab8f07f1ca707d1a96

SHA256
03f213713045e3e2df2bf25db66a151e7cb60b5dbd0ab6cbfbb36f2c71f82fe3

SHA512
3a9b8ba60ab5097ae61a557303ebbc878a60715f3683202427a76385820dca54746fcd464decf826199e915e92f18d9d8dfc739a70e23a5b8cadb5700ec872e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\LDbwyfKAea\_Files\_Screen_Desktop.jpeg

Filesize
54KB

MD5
174dddad3db67eed339164267abb0e7d

SHA1
e0cc5998e543750db15113470ba04061c343537b

SHA256
c9e678157b9dd5425379f98d25dc8e405cf324197a25cf5a5babfd9ef6a3ab67

SHA512
f1ab842d70b2dd01391ab2b32443e32effba7b42361a8d46d275b5cf5b2148099f814e7537c87b890253f25ddb493ff57c89370afc9d85805c84e37b86504dc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\LDbwyfKAea\xqdeotQStEWHh.zip

Filesize
49KB

MD5
1963509b07b5531ce0762b708c4a46b1

SHA1
c9cf59b7e58cd908bd0de165b8c7c50f7d8e08f6

SHA256
775144951148c75a461db56450383cffd39bf473fec108a195e1dcaab9c93af8

SHA512
bec9df39982dce88aeb9f3e392949af92683124a4065ba8feeaaeb992f9a72552e8c521ab06bdceb5379008d7d1bac79b4a210a4136909fd4603b0902f71b11e

Download Submit
memory/1040-128-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/1040-130-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/1040-118-0x0000000000B70000-0x0000000000C70000-memory.dmp

Filesize
1024KB

Download
memory/1040-119-0x0000000000B20000-0x0000000000B67000-memory.dmp

Filesize
284KB

Download
memory/1040-121-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1040-120-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/1040-124-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/1040-2-0x0000000000B20000-0x0000000000B67000-memory.dmp

Filesize
284KB

Download
memory/1040-1-0x0000000000B70000-0x0000000000C70000-memory.dmp

Filesize
1024KB

Download
memory/1040-3-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1040-134-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/1040-137-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/1040-140-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/1040-144-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/1040-147-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/1040-151-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/1040-154-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/1040-156-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/1040-159-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download
memory/1040-163-0x0000000000400000-0x0000000000882000-memory.dmp

Filesize
4.5MB

Download

Analysis

Sharing