cryptbot | e2d38fff6489893582da7827bf3f5179f7ced39a1391f736ea55d86b695b8e82

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-10-2024 10:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51c9d8f09a73802a05455e7aa8fd9953_JaffaCakes118.exe
Size

1.4MB
MD5

51c9d8f09a73802a05455e7aa8fd9953
SHA1

6510caf6fe4f5069acde292851de1c259ffe1c3f
SHA256

e2d38fff6489893582da7827bf3f5179f7ced39a1391f736ea55d86b695b8e82
SHA512

3f865ce110a852cd0c1e88c4697d9c6fbd6fb403cf418a8f40a4375c6547d0069e40edbe04ced3c61d03c723167b8994dfcd3dcccccc5be6b9e94e8366025fd8
SSDEEP

24576:MNAdKxA6xbbGhL56y6kX7wHkQaa9aA7CEbAj6tP4lWqDCbtOgbSekUhKuzfv:3dKa6xfGhL54kDuaAm4w52lGXxgX

Score

10^/10

cryptbot discovery persistence spyware stealer

Malware Config

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1972-27-0x0000000003A30000-0x0000000003AD3000-memory.dmp	family_cryptbot
behavioral1/memory/1972-28-0x0000000003A30000-0x0000000003AD3000-memory.dmp	family_cryptbot
behavioral1/memory/1972-29-0x0000000003A30000-0x0000000003AD3000-memory.dmp	family_cryptbot

Executes dropped EXE 2 IoCs

Processes:

Vigilanza.exe.comVigilanza.exe.com

pid	Process
2024	Vigilanza.exe.com
1972	Vigilanza.exe.com

Loads dropped DLL 2 IoCs

Processes:

cmd.exeVigilanza.exe.com

pid	Process
1264	cmd.exe
2024	Vigilanza.exe.com

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

51c9d8f09a73802a05455e7aa8fd9953_JaffaCakes118.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	51c9d8f09a73802a05455e7aa8fd9953_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Vigilanza.exe.com51c9d8f09a73802a05455e7aa8fd9953_JaffaCakes118.exedllhost.execmd.execmd.exefindstr.exeVigilanza.exe.comPING.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Vigilanza.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	51c9d8f09a73802a05455e7aa8fd9953_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Vigilanza.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXE

pid	Process
2496	PING.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Vigilanza.exe.com

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Vigilanza.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Vigilanza.exe.com

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
2496	PING.EXE

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

Vigilanza.exe.comVigilanza.exe.com

pid	Process
2024	Vigilanza.exe.com
2024	Vigilanza.exe.com
2024	Vigilanza.exe.com
1972	Vigilanza.exe.com
1972	Vigilanza.exe.com
1972	Vigilanza.exe.com
1972	Vigilanza.exe.com
1972	Vigilanza.exe.com

Suspicious use of SendNotifyMessage 6 IoCs

Processes:

Vigilanza.exe.comVigilanza.exe.com

pid	Process
2024	Vigilanza.exe.com
2024	Vigilanza.exe.com
2024	Vigilanza.exe.com
1972	Vigilanza.exe.com
1972	Vigilanza.exe.com
1972	Vigilanza.exe.com

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

51c9d8f09a73802a05455e7aa8fd9953_JaffaCakes118.execmd.execmd.exeVigilanza.exe.com

description	pid	Process	procid_target
PID 2276 wrote to memory of 2652	2276	51c9d8f09a73802a05455e7aa8fd9953_JaffaCakes118.exe	30
PID 2276 wrote to memory of 2652	2276	51c9d8f09a73802a05455e7aa8fd9953_JaffaCakes118.exe	30
PID 2276 wrote to memory of 2652	2276	51c9d8f09a73802a05455e7aa8fd9953_JaffaCakes118.exe	30
PID 2276 wrote to memory of 2652	2276	51c9d8f09a73802a05455e7aa8fd9953_JaffaCakes118.exe	30
PID 2276 wrote to memory of 776	2276	51c9d8f09a73802a05455e7aa8fd9953_JaffaCakes118.exe	31
PID 2276 wrote to memory of 776	2276	51c9d8f09a73802a05455e7aa8fd9953_JaffaCakes118.exe	31
PID 2276 wrote to memory of 776	2276	51c9d8f09a73802a05455e7aa8fd9953_JaffaCakes118.exe	31
PID 2276 wrote to memory of 776	2276	51c9d8f09a73802a05455e7aa8fd9953_JaffaCakes118.exe	31
PID 776 wrote to memory of 1264	776	cmd.exe	33
PID 776 wrote to memory of 1264	776	cmd.exe	33
PID 776 wrote to memory of 1264	776	cmd.exe	33
PID 776 wrote to memory of 1264	776	cmd.exe	33
PID 1264 wrote to memory of 2112	1264	cmd.exe	34
PID 1264 wrote to memory of 2112	1264	cmd.exe	34
PID 1264 wrote to memory of 2112	1264	cmd.exe	34
PID 1264 wrote to memory of 2112	1264	cmd.exe	34
PID 1264 wrote to memory of 2024	1264	cmd.exe	35
PID 1264 wrote to memory of 2024	1264	cmd.exe	35
PID 1264 wrote to memory of 2024	1264	cmd.exe	35
PID 1264 wrote to memory of 2024	1264	cmd.exe	35
PID 1264 wrote to memory of 2496	1264	cmd.exe	36
PID 1264 wrote to memory of 2496	1264	cmd.exe	36
PID 1264 wrote to memory of 2496	1264	cmd.exe	36
PID 1264 wrote to memory of 2496	1264	cmd.exe	36
PID 2024 wrote to memory of 1972	2024	Vigilanza.exe.com	37
PID 2024 wrote to memory of 1972	2024	Vigilanza.exe.com	37
PID 2024 wrote to memory of 1972	2024	Vigilanza.exe.com	37
PID 2024 wrote to memory of 1972	2024	Vigilanza.exe.com	37

C:\Users\Admin\AppData\Local\Temp\51c9d8f09a73802a05455e7aa8fd9953_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\51c9d8f09a73802a05455e7aa8fd9953_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\SysWOW64\dllhost.exe
  dllhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2652
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cmd < Apparve.dif
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:776
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1264
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^MUDMsvnAuDtONRMrwaGsxlhulYeCQOaTIUmgfUabcdKNJUYWSnXNYFQBGvCzzWKskkuSsbOiZpVrAmbdZuJsQEUetXHSaZ$" Abbozzo.dif
      4⤵
      System Location Discovery: System Language Discovery
      PID:2112
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vigilanza.exe.com
      Vigilanza.exe.com y
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2024
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vigilanza.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vigilanza.exe.com y
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1972
  - - C:\Windows\SysWOW64\PING.EXE
      ping VORHPBAB -n 30
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Abbozzo.dif

Filesize
872KB

MD5
56be969732eb8d40539f4996f11003bf

SHA1
fde5e246db4e864deaba285db78c9bea50bcaf72

SHA256
294c98105913e6507a1a9d64feb1a9954ee5a2c9f1240ee151ee711f73e36aec

SHA512
5e60e4e0e4b4b46009232c71a91e70ac173bc8d507a6d9679ffb7f18c4b2481c61aff47746845a31ef4841b8b4d282f697292b488099a420fdfeb97c39ccbda7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Apparve.dif

Filesize
491B

MD5
ed9121c7368700aa3cc49ba2d4c2e6b8

SHA1
b3b287d04addba4f3c58abdddf68fb6c6f05847e

SHA256
85c9a4a8d0042e183d90b8effa79306da4d71e45ff103a3ba933bfe016897b9d

SHA512
24c8965ca680407ab4e586ffdec988c60bd8bd9714ffccf186937411f6257e05b014a46dd208e1008760bf47851ccb6a762821686506948747d49cf89d677440

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Chiude.dif

Filesize
666KB

MD5
8905857f90c02a6d4175cf169311a3ff

SHA1
3cd095cf284ba240259a2f96189dc97f924e4772

SHA256
5ee655b903a03727768eb421d9f7c4b1db02b88b96462d30bb6f903d80ea9d8a

SHA512
824bf266770d08e68a7f544e99d8f51fd0f2c04a5a9ec97a2bd89d325857a4dce4be03e11f6f4adeb65d1a329e72fe01824cc8c8f6c75e90d732168e66e95075

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ero.dif

Filesize
634KB

MD5
dd0cd3862ffea01b0574e2fc841a9d0a

SHA1
35a3d5df1f3f4199b0c38b9b1a341876b2121d3d

SHA256
fdfc18b03172b2755cc2d9412c6942864b23d2c1f9eb471637e6042ff692beea

SHA512
0f10defb0a48827863b7ba710ca3ef0d2dc759bf7e0bdf426bfc35b3da371e4a69c60a90e69328844a994dea1ce8b52a6e55fb81df6710fb86309e4963653976

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQjsvzhqegBG\DsUGeSIY4VQ.zip

Filesize
38KB

MD5
18adeab96ff069465b9c65ac0b605c3c

SHA1
482bd5ed58325cd457e5edce807dc58d04911a50

SHA256
69d310edf73cf9f2345493c50a3224ac2aee8a3682da0bc25159c2282dd1ca9b

SHA512
315bc267c907c62c019b0eef3b5d4d94dc00096278287720fd508100d0b9cd196a9b14966f58f72129af613efc93091773c58a42c64f558607e0cac5fc8bbfb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQjsvzhqegBG\_Files\_Information.txt

Filesize
678B

MD5
b56153b6713312340d05c9da3533d17f

SHA1
90fa4c3f95aef532657ad916709b4ce7b63f2823

SHA256
b7442b086b91e7aea80329dfdcb8ade522890240e58a29b71aa6cb1815c1fe23

SHA512
ea4018ac379bc56cdca8927f1a11c011767a5aa4ede672e916c4dca44df266ecfb9355bf5dcc9592aa30fe94cb550dd998db7b42454e182e91b8b2a2a103206e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQjsvzhqegBG\_Files\_Information.txt

Filesize
1KB

MD5
465fc5379f109f602629bb227d293f0d

SHA1
1d373360e9b31fab99b023f51d1b876e212d700a

SHA256
d1bcc9b406870768b9c3f791fe9e2e1aa7e80a2fb071a2d11f2443606eaafbba

SHA512
b8d31878f71fdd4073ea32f6a4e49a75c25ec6f05d9b9774097d1527f433bd5805fcda58be500027fd0b4a22c91d87fc8f4c23ede1ae46dc8d67cdd7f86d5e2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQjsvzhqegBG\_Files\_Information.txt

Filesize
3KB

MD5
25d479bfd2781fbda1ae1f39a3e26d59

SHA1
09b9e828d10682a9b053a4ad5f45685eeb3a9c65

SHA256
56182eedb11060486aaf3885bbe0c20dacdb9f57864a68631bde9a711cd1b8ce

SHA512
1f27fb423d298709185e7f7847631c4eb7598db20010a52b90491fc4c274bd65e09e49be4678b72587ad6807481562f7cd592af292c06dbd60bd46dd6c20abc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQjsvzhqegBG\_Files\_Information.txt

Filesize
3KB

MD5
72bc39b123403bad07ddc301a907a397

SHA1
16d8adde4547cf6894ca776a2fa6dd9865b91f2b

SHA256
c067a22ef32cd8c75f5bf28f73d59b41f11c2611ec9492e8338c27c291edcb73

SHA512
cdda9fc1ccce4a48d18cce12b7ddbd9c5b4e9a3c44c3f594c1b99d6f2f988d6c40872403bc6f4e799190d88f79e4ba300f449c2c2db711d48d82a5b3a16d44a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQjsvzhqegBG\_Files\_Information.txt

Filesize
4KB

MD5
2826e2273e8d971debfe3e67d2230368

SHA1
163dd22a926f390c6ee69ed0785af02a90efc6d1

SHA256
e735e20f6de4351d08a1f44f410d638385bd3c3afd892776b7dd7b3bf840c4c0

SHA512
59a0e23d08abaf64a0c396b9968acb74581008f64aca123bc285259030e066236fcdc9bb6b99c777ecb40cc7f8543984e2d9ed143a0d74032efb45480c8e0fdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQjsvzhqegBG\_Files\_Screen_Desktop.jpeg

Filesize
45KB

MD5
54e1c31bd59e55aaeeb8721fb4bcff72

SHA1
ca17c6fbee2a2a6b1e6f66d5a1756889d3816a2f

SHA256
d9bff261d625c3bc29d8e450e65c3aae31e493fa37227708d331326e4dd2dd59

SHA512
00f5f5fb9dcc85104ef4e94540b16fd0e0b377dfff56a9f76c9590f209321de39e794633eafce653a27b6d15384e8986d1c013fc8d7b9a17fbe45b015128b8c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQjsvzhqegBG\files_\system_info.txt

Filesize
1KB

MD5
6c3b46ff1828e06062c0620c9cb9a8e9

SHA1
20606078c7544f04685eb20026509e8acd9d99e8

SHA256
010b93f8dfeeeb42c7b2d6023b44c222f3c9cd61025a558ca9f7bd9230ca4031

SHA512
af2b7fd5e632b202dc5f6a6a793c2090a7d561ce65adb35929271e57e227ee3b5dad92e4487c2ed71aea73b3d8677fc790bb2cc26483cd4400f01634347d2818

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQjsvzhqegBG\files_\system_info.txt

Filesize
3KB

MD5
9e706f1746f65ccc74ab8d6088676ac1

SHA1
d52e75fd2a063126e6ba7ce705a71f34be3dd696

SHA256
dad8c4c67cef3d33266987a1a3bca1b88b449dd41c48c16356b5a04a7878e390

SHA512
ad9291e6b77db83ca6d07d7e48c456d0829f57cb72834eff16837875e6128b19caf78b93642d8b8cd184217474fef804b274a3445bd71560f244650224c4ef54

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQjsvzhqegBG\files_\system_info.txt

Filesize
3KB

MD5
4962e1c1695b389bd46949a0f92a49fb

SHA1
9d7a75f978798f9f79a07b587ef2ea28f2bd395e

SHA256
31a885e08afe5b4539003e5255abb02b2a8c6035c64ebd24c363edec04e183bb

SHA512
3c642ea088df799f787fcd60d3f54beab31f55b818f3598460b5533c383740484d75866716f011c2e9757d98e10b1f2199a18395226ab476040369a3028461a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQjsvzhqegBG\files_\system_info.txt

Filesize
4KB

MD5
0b6d6592e189275ff481ae48efd31569

SHA1
a49725417811ecdf4fef71e8efe0d80593dd7f50

SHA256
9606993625936960e674bac2c8cd91e0e5e01b9181ea1c684281a0e5b8254a40

SHA512
eb4890bbbfff8cc19e2a6408fd87c0af15807f3fda1ba56ae447604a5112c4fad48d08a58e13765603a8d68b01eb8a93735de55f8a2324825f56ae91f203b04d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vigilanza.exe.com

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/1972-24-0x0000000003A30000-0x0000000003AD3000-memory.dmp

Filesize
652KB

Download
memory/1972-29-0x0000000003A30000-0x0000000003AD3000-memory.dmp

Filesize
652KB

Download
memory/1972-28-0x0000000003A30000-0x0000000003AD3000-memory.dmp

Filesize
652KB

Download
memory/1972-27-0x0000000003A30000-0x0000000003AD3000-memory.dmp

Filesize
652KB

Download
memory/1972-26-0x0000000003A30000-0x0000000003AD3000-memory.dmp

Filesize
652KB

Download
memory/1972-25-0x0000000003A30000-0x0000000003AD3000-memory.dmp

Filesize
652KB

Download