cryptbot | 5de12d55a698805ec98ada5964711f226fd1d4a424daf7062f178dbf52702cd5

General

Target

54efb1309d76e87c2185b576e3783247_JaffaCakes118.exe
Size

662KB
MD5

54efb1309d76e87c2185b576e3783247
SHA1

9111f54d035c70780a1decc4d808356cf1857940
SHA256

5de12d55a698805ec98ada5964711f226fd1d4a424daf7062f178dbf52702cd5
SHA512

e3be1ec27f080280b826429d0457c1560d2f6dc33b20e0af349a8d6b03ef6836c3df4bc5808f813d572fe7b0b7c694920931176fe45add7250fa6e823c943a3e
SSDEEP

12288:KzxWqgM8Yi/u5J3noTJDA8pTW8AawUb6nQHQ+5FChY9Cpi+oAg/Dt/zqH/iTQ:S0RM87HMF8VwUbJ/C7CL/DRuHSQ

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Extracted

Family

cryptbot

C2

lysayu42.top

morbyn04.top

Attributes

payload_url
http://damhlu05.top/download.php?file=lv.exe

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 5 IoCs

resource	yara_rule
behavioral2/memory/3608-2-0x0000000000AD0000-0x0000000000B70000-memory.dmp	family_cryptbot
behavioral2/memory/3608-3-0x0000000000400000-0x00000000004A3000-memory.dmp	family_cryptbot
behavioral2/memory/3608-218-0x0000000000AD0000-0x0000000000B70000-memory.dmp	family_cryptbot
behavioral2/memory/3608-220-0x0000000000400000-0x00000000004A3000-memory.dmp	family_cryptbot
behavioral2/memory/3608-219-0x0000000000400000-0x000000000095B000-memory.dmp	family_cryptbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	54efb1309d76e87c2185b576e3783247_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	54efb1309d76e87c2185b576e3783247_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	54efb1309d76e87c2185b576e3783247_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3608	54efb1309d76e87c2185b576e3783247_JaffaCakes118.exe
3608	54efb1309d76e87c2185b576e3783247_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\54efb1309d76e87c2185b576e3783247_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\54efb1309d76e87c2185b576e3783247_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
PID:3608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sTY2KCGmsNlV\Ic2E8Zw7X.zip

Filesize
41KB

MD5
15f21684330dfd169f0e8551924f821b

SHA1
8b98a5aa8ca2373bcaad6fde7865a51688cbf2f7

SHA256
d669bcd8a8ee9161c430a5dbd962b7dbb037627fa9cebd4db7a44605c638b7f2

SHA512
129a2f593f7cd685e916d672949dabe87677f21b0fe81ef474a072a6586970d159e5f652cd84d2a62d712c72ecdbd23b0df801af7b29a908aa75979176e71c53

Download Submit
C:\Users\Admin\AppData\Local\Temp\sTY2KCGmsNlV\_Files\_Information.txt

Filesize
7KB

MD5
db402e654123cd5e08ec1662be38c56d

SHA1
37870ea81dc0f140f2799c00b94d9e403de41c46

SHA256
e41a6b847733809348cc2f1ad5a636bad3dc12ab22c2d459e1c7983e0b143572

SHA512
7fcdd7af45df1f3d8a8b5dfab564dbc298d03db8f5383a9dbc3d208109717e0ceb02df52a67b8118bf2bdaf18c49853bcb21643f9e531c4ca3d3bf3076a86549

Download Submit
C:\Users\Admin\AppData\Local\Temp\sTY2KCGmsNlV\_Files\_Screen_Desktop.jpeg

Filesize
46KB

MD5
b6944df193e2d28342426697c1a2595e

SHA1
836429f4ef74fbdfea3a0fbd322679f843b23e31

SHA256
f0359465e6629951ca8b359fa0ab94a3057aaa36f046bf2f966606b285a61059

SHA512
b15882f263ed9d4bac9d55aa5c3202b7cfc92624130102b1dad6caa3cf80749a102fd90a4ee944d345c393632865d8608e285f6eb61e8bd8011222c988938724

Download Submit
C:\Users\Admin\AppData\Local\Temp\sTY2KCGmsNlV\d7lKPFFtEQ.zip

Filesize
41KB

MD5
bd792e8ac602f54a980bcc317c208f89

SHA1
94766fe6086f16d3b4c67037791ce9c5883ac353

SHA256
fb2a2b801b06341ba3703139fcec01ac12a2139e8edde42c5171fd8ace988f9e

SHA512
6e798260e60f01ac90e6473ff1c3c5f0086a6d8bd17f0da519e3efafa43eb01cdb2a61be8f6a1eb7331490a61b44f1e6c9d5711056c78244aa978c789d510005

Download Submit
C:\Users\Admin\AppData\Local\Temp\sTY2KCGmsNlV\files_\system_info.txt

Filesize
1KB

MD5
44becc9ea34403b81a825119dce274ba

SHA1
d67bc8977411cfb49a2ab02f6452d8aeb55f30e7

SHA256
27be136932d52df659d82c79e3da0ce9263f307078d148aa43957c656cf88432

SHA512
c57f42cc239c37b126e315e9ec98ff815c370dfb8ae8061a67a4c0b58051f0bcc5fb18ccfe247fceb0cd263a9806ddd60b81f8d2ccb16d42ccc882f8dc16e5d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\sTY2KCGmsNlV\files_\system_info.txt

Filesize
7KB

MD5
cb498a55fe1c054e6348e2a81671fbe9

SHA1
17d6c00425ea9c771652da95402996064f1cea76

SHA256
d56a14334696d077bdc71b6f1f8c746c5ad991ef6ad049706d02aac53ac22de3

SHA512
6daa6017ec5cb7a5a09df1a89c2cf453d8738a8fc05817a3c7b61d5ec9c93dc055caa7b4717fdd613b82588a683906ed278f4e32d9445ca67d0e542d20457c7c

Download Submit
memory/3608-1-0x0000000000BF0000-0x0000000000CF0000-memory.dmp

Filesize
1024KB

Download
memory/3608-217-0x0000000000BF0000-0x0000000000CF0000-memory.dmp

Filesize
1024KB

Download
memory/3608-218-0x0000000000AD0000-0x0000000000B70000-memory.dmp

Filesize
640KB

Download
memory/3608-220-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/3608-219-0x0000000000400000-0x000000000095B000-memory.dmp

Filesize
5.4MB

Download
memory/3608-3-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/3608-2-0x0000000000AD0000-0x0000000000B70000-memory.dmp

Filesize
640KB

Download

Analysis

Sharing