cryptbot | e2d38fff6489893582da7827bf3f5179f7ced39a1391f736ea55d86b695b8e82

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-10-2024 10:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51c9d8f09a73802a05455e7aa8fd9953_JaffaCakes118.exe
Size

1.4MB
MD5

51c9d8f09a73802a05455e7aa8fd9953
SHA1

6510caf6fe4f5069acde292851de1c259ffe1c3f
SHA256

e2d38fff6489893582da7827bf3f5179f7ced39a1391f736ea55d86b695b8e82
SHA512

3f865ce110a852cd0c1e88c4697d9c6fbd6fb403cf418a8f40a4375c6547d0069e40edbe04ced3c61d03c723167b8994dfcd3dcccccc5be6b9e94e8366025fd8
SSDEEP

24576:MNAdKxA6xbbGhL56y6kX7wHkQaa9aA7CEbAj6tP4lWqDCbtOgbSekUhKuzfv:3dKa6xfGhL54kDuaAm4w52lGXxgX

Score

10^/10

cryptbot discovery persistence spyware stealer

Malware Config

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/540-24-0x0000000003ED0000-0x0000000003F73000-memory.dmp	family_cryptbot
behavioral2/memory/540-25-0x0000000003ED0000-0x0000000003F73000-memory.dmp	family_cryptbot
behavioral2/memory/540-26-0x0000000003ED0000-0x0000000003F73000-memory.dmp	family_cryptbot

Executes dropped EXE 2 IoCs

Processes:

Vigilanza.exe.comVigilanza.exe.com

pid	Process
3692	Vigilanza.exe.com
540	Vigilanza.exe.com

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

51c9d8f09a73802a05455e7aa8fd9953_JaffaCakes118.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	51c9d8f09a73802a05455e7aa8fd9953_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Vigilanza.exe.com51c9d8f09a73802a05455e7aa8fd9953_JaffaCakes118.execmd.execmd.exefindstr.exeVigilanza.exe.comPING.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Vigilanza.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	51c9d8f09a73802a05455e7aa8fd9953_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Vigilanza.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXE

pid	Process
1076	PING.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Vigilanza.exe.com

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Vigilanza.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Vigilanza.exe.com

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
1076	PING.EXE

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

Vigilanza.exe.comVigilanza.exe.com

pid	Process
3692	Vigilanza.exe.com
3692	Vigilanza.exe.com
3692	Vigilanza.exe.com
540	Vigilanza.exe.com
540	Vigilanza.exe.com
540	Vigilanza.exe.com
540	Vigilanza.exe.com
540	Vigilanza.exe.com

Suspicious use of SendNotifyMessage 6 IoCs

Processes:

Vigilanza.exe.comVigilanza.exe.com

pid	Process
3692	Vigilanza.exe.com
3692	Vigilanza.exe.com
3692	Vigilanza.exe.com
540	Vigilanza.exe.com
540	Vigilanza.exe.com
540	Vigilanza.exe.com

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

51c9d8f09a73802a05455e7aa8fd9953_JaffaCakes118.execmd.execmd.exeVigilanza.exe.com

description	pid	Process	procid_target
PID 2132 wrote to memory of 4884	2132	51c9d8f09a73802a05455e7aa8fd9953_JaffaCakes118.exe	84
PID 2132 wrote to memory of 4884	2132	51c9d8f09a73802a05455e7aa8fd9953_JaffaCakes118.exe	84
PID 2132 wrote to memory of 4884	2132	51c9d8f09a73802a05455e7aa8fd9953_JaffaCakes118.exe	84
PID 2132 wrote to memory of 4132	2132	51c9d8f09a73802a05455e7aa8fd9953_JaffaCakes118.exe	85
PID 2132 wrote to memory of 4132	2132	51c9d8f09a73802a05455e7aa8fd9953_JaffaCakes118.exe	85
PID 2132 wrote to memory of 4132	2132	51c9d8f09a73802a05455e7aa8fd9953_JaffaCakes118.exe	85
PID 4132 wrote to memory of 4284	4132	cmd.exe	88
PID 4132 wrote to memory of 4284	4132	cmd.exe	88
PID 4132 wrote to memory of 4284	4132	cmd.exe	88
PID 4284 wrote to memory of 896	4284	cmd.exe	89
PID 4284 wrote to memory of 896	4284	cmd.exe	89
PID 4284 wrote to memory of 896	4284	cmd.exe	89
PID 4284 wrote to memory of 3692	4284	cmd.exe	90
PID 4284 wrote to memory of 3692	4284	cmd.exe	90
PID 4284 wrote to memory of 3692	4284	cmd.exe	90
PID 4284 wrote to memory of 1076	4284	cmd.exe	91
PID 4284 wrote to memory of 1076	4284	cmd.exe	91
PID 4284 wrote to memory of 1076	4284	cmd.exe	91
PID 3692 wrote to memory of 540	3692	Vigilanza.exe.com	93
PID 3692 wrote to memory of 540	3692	Vigilanza.exe.com	93
PID 3692 wrote to memory of 540	3692	Vigilanza.exe.com	93

C:\Users\Admin\AppData\Local\Temp\51c9d8f09a73802a05455e7aa8fd9953_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\51c9d8f09a73802a05455e7aa8fd9953_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\SysWOW64\dllhost.exe
  dllhost.exe
  2⤵
  PID:4884
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cmd < Apparve.dif
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4132
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4284
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^MUDMsvnAuDtONRMrwaGsxlhulYeCQOaTIUmgfUabcdKNJUYWSnXNYFQBGvCzzWKskkuSsbOiZpVrAmbdZuJsQEUetXHSaZ$" Abbozzo.dif
      4⤵
      System Location Discovery: System Language Discovery
      PID:896
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vigilanza.exe.com
      Vigilanza.exe.com y
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3692
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vigilanza.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vigilanza.exe.com y
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:540
  - - C:\Windows\SysWOW64\PING.EXE
      ping GLZCSNLK -n 30
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DRoJ4Ztily\VJ3LeqAV.zip

Filesize
46KB

MD5
dce67174679bd0771b90adb57a3704da

SHA1
a1e73f5d3d81a9537b7bb882d093d8ac970f96c3

SHA256
86ccdfc7ece92b800b1231ed9a02586decb635d7ba16e7f8a0775335e0374477

SHA512
3f80b936f7d3438475e6e30802540755ea12750ca596c4ebb3ad331f00de7e56d5fe47ad299204120a8c9baa87ac1a215d313f6cc5e0d5dd975cf1085cbeed8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRoJ4Ztily\_Files\_Information.txt

Filesize
1KB

MD5
b972b29db318eb7f1557ee08553d0484

SHA1
4d9b1682162ee3f7969587ff6571dd9d91e2767a

SHA256
85cb8cf534847ed2ff8193f263d48a03c56dbd3ae4c9ffe0f91b06da51abcccf

SHA512
bbf2a93054ebe433ec2f60b8cd868003178795505669cd847a1940dec65e11bd9440d8c34605bab9942fafb8dd6b9c16cf51739766db4695505f0e151681fef9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRoJ4Ztily\_Files\_Information.txt

Filesize
1KB

MD5
cd2a79194a5cbaa4e87eb053df7b67e6

SHA1
b4653cbdcca72629469fbf27b617478eb9d4e66e

SHA256
8427a134a1775a4c44ab20d28cd9075a4a881fd430f1930b60e0a7a1ab56c92b

SHA512
f424e220ffaedf2955631dc1e046f8fc700b9d67f5a075f9f758a2a705b96f536f4bdbad1166fec1b14fed1d847efd16b7bb5524e7054fd6b4b33d94a636694e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRoJ4Ztily\_Files\_Information.txt

Filesize
5KB

MD5
a1de5095ba8f2693613eb79265607c44

SHA1
f66b05e6f8fda261485d0bfba2d6205eb5aea8aa

SHA256
490d8ce92cb06a2ef8bf466ed2aa884416c4e16eebaad620958d6514f2b627a2

SHA512
d2a379203d0e02a383580e517c3e81bca558f7dc349173dbfaf1eceb668944bf351a703652bf5fb396e5b93d8e0c648f5429de1f005e44ef81d4ef8b34dd3166

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRoJ4Ztily\_Files\_Screen_Desktop.jpeg

Filesize
52KB

MD5
fbe65b2ba8ea99605b66eb5d42473a55

SHA1
b3dfd5cbe6203b481f923a4ad6eb990251bd280d

SHA256
87cfe9d8d6bced69c699a284e8da23359247d6f5d6a1d0a09e466d5aa5bce7e3

SHA512
7d8c9defd2229e6554cb95a082b61d796b548720711079c30d7fe76ac9727f474cb3068d02d4da82f14379dc72982afa304faadf6a1d52ba946fc1f2482a4f4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRoJ4Ztily\files_\system_info.txt

Filesize
7KB

MD5
2fa583e56a3e95f9cd7a835e8d56f102

SHA1
4a03b1134be5ee953f02308849e3abed03665e41

SHA256
d657b9d22eb43c2e4c6f0ee2bdb07ea0c0dc13bef1594e0386dc1af9b67a08bd

SHA512
9a343bf7b760c39a9f1b6866b09d6225f3b73558b5682a1164ba471aeaab3035f7baa793be26dc85eedd55aec8ebf8f5636f2f43e0fc6fc2818d53608fff740e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DRoJ4Ztily\tndvY6aAhEo.zip

Filesize
46KB

MD5
000f0457927d905996a99c809efb3df9

SHA1
f09cbb018e7c57fc5de37182d041f711798a9794

SHA256
72c4306ce7e986f4ecce0267cf50b205350dc7dccc296838f2d274627bc48a86

SHA512
e00109fda8f3e702aea6152644232eb5fd145599dee39cfc69449336e4b7e05f602cf37d489d25e0d63e339911411e5896665f4cd019dac98c2037417c578e52

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Abbozzo.dif

Filesize
872KB

MD5
56be969732eb8d40539f4996f11003bf

SHA1
fde5e246db4e864deaba285db78c9bea50bcaf72

SHA256
294c98105913e6507a1a9d64feb1a9954ee5a2c9f1240ee151ee711f73e36aec

SHA512
5e60e4e0e4b4b46009232c71a91e70ac173bc8d507a6d9679ffb7f18c4b2481c61aff47746845a31ef4841b8b4d282f697292b488099a420fdfeb97c39ccbda7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Apparve.dif

Filesize
491B

MD5
ed9121c7368700aa3cc49ba2d4c2e6b8

SHA1
b3b287d04addba4f3c58abdddf68fb6c6f05847e

SHA256
85c9a4a8d0042e183d90b8effa79306da4d71e45ff103a3ba933bfe016897b9d

SHA512
24c8965ca680407ab4e586ffdec988c60bd8bd9714ffccf186937411f6257e05b014a46dd208e1008760bf47851ccb6a762821686506948747d49cf89d677440

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Chiude.dif

Filesize
666KB

MD5
8905857f90c02a6d4175cf169311a3ff

SHA1
3cd095cf284ba240259a2f96189dc97f924e4772

SHA256
5ee655b903a03727768eb421d9f7c4b1db02b88b96462d30bb6f903d80ea9d8a

SHA512
824bf266770d08e68a7f544e99d8f51fd0f2c04a5a9ec97a2bd89d325857a4dce4be03e11f6f4adeb65d1a329e72fe01824cc8c8f6c75e90d732168e66e95075

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ero.dif

Filesize
634KB

MD5
dd0cd3862ffea01b0574e2fc841a9d0a

SHA1
35a3d5df1f3f4199b0c38b9b1a341876b2121d3d

SHA256
fdfc18b03172b2755cc2d9412c6942864b23d2c1f9eb471637e6042ff692beea

SHA512
0f10defb0a48827863b7ba710ca3ef0d2dc759bf7e0bdf426bfc35b3da371e4a69c60a90e69328844a994dea1ce8b52a6e55fb81df6710fb86309e4963653976

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vigilanza.exe.com

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/540-26-0x0000000003ED0000-0x0000000003F73000-memory.dmp

Filesize
652KB

Download
memory/540-25-0x0000000003ED0000-0x0000000003F73000-memory.dmp

Filesize
652KB

Download
memory/540-24-0x0000000003ED0000-0x0000000003F73000-memory.dmp

Filesize
652KB

Download
memory/540-23-0x0000000003ED0000-0x0000000003F73000-memory.dmp

Filesize
652KB

Download
memory/540-22-0x0000000003ED0000-0x0000000003F73000-memory.dmp

Filesize
652KB

Download
memory/540-21-0x0000000003ED0000-0x0000000003F73000-memory.dmp

Filesize
652KB

Download