cryptbot | 7d5b421a001c3fa5345f5f6603e675b5d55b145a96f7669ae983a0e81fb24d2c

General

Target

584d548c03e8861214a069d6da77fa95_JaffaCakes118.exe
Size

669KB
MD5

584d548c03e8861214a069d6da77fa95
SHA1

660e92380a92f9fc2af5ae7d7b1a0f3c8a54b06d
SHA256

7d5b421a001c3fa5345f5f6603e675b5d55b145a96f7669ae983a0e81fb24d2c
SHA512

3a5420485a1d29caef9b1829bd27fc7de84887d78f3ad19381ce92f52569298950a1750a58784892bfecc45f47e0e4e582178b6b33e5cad5e70160e5535c5776
SSDEEP

12288:qkfYHf48BZPRzmH+6WbFQf6VthtNT+ajAEfLxBy09dmaW7AMlzhRTXhU:m/48BZpzmu3PNiWXbd1dMlVTU

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Extracted

Family

cryptbot

C2

lysayu42.top

morbyn04.top

Attributes

payload_url
http://damhlu05.top/download.php?file=lv.exe

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 6 IoCs

resource	yara_rule
behavioral1/memory/2172-2-0x0000000000960000-0x0000000000A00000-memory.dmp	family_cryptbot
behavioral1/memory/2172-3-0x0000000000400000-0x00000000004A3000-memory.dmp	family_cryptbot
behavioral1/memory/2172-4-0x0000000000400000-0x000000000095E000-memory.dmp	family_cryptbot
behavioral1/memory/2172-222-0x0000000000960000-0x0000000000A00000-memory.dmp	family_cryptbot
behavioral1/memory/2172-224-0x0000000000400000-0x00000000004A3000-memory.dmp	family_cryptbot
behavioral1/memory/2172-223-0x0000000000400000-0x000000000095E000-memory.dmp	family_cryptbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	584d548c03e8861214a069d6da77fa95_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	584d548c03e8861214a069d6da77fa95_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	584d548c03e8861214a069d6da77fa95_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2172	584d548c03e8861214a069d6da77fa95_JaffaCakes118.exe
2172	584d548c03e8861214a069d6da77fa95_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\584d548c03e8861214a069d6da77fa95_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\584d548c03e8861214a069d6da77fa95_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\QULVeJZhpMY\8UwlYEYC7myTj.zip

Filesize
39KB

MD5
e6224edf4b2e0979e43f8035e9ee700a

SHA1
4bc775af58a968a24ad9789d82e08c99780eacd3

SHA256
8908d9857fecc6c553bea70f1aa91a5e50f97bf7e09b7eb847bb9a129d496f0b

SHA512
d6add5b29068da79db57f04a20d1dd0ca41fcc03856d120c526e36321bc623b63c261aa5912d990e52eea10c20ae5c6216c5be13b79757cf60439147cf5718ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\QULVeJZhpMY\_Files\_Information.txt

Filesize
722B

MD5
cd104c735cd147a20c2e49fabe3d01ca

SHA1
03d17e72e58044d97d796f7a2651caa7874bbbd2

SHA256
60d8461de10f8ebd9f1ef74abd02b317367babfa320b419617e2e2e702b345ae

SHA512
c58aec6e73ed47d4785ef725a6ff441767eea052c93f23604dbb7ee9eaea193b950df5735a1a0560a765420db4e986e1bc8538a38cfa22c2ffed0ae46e75068d

Download Submit
C:\Users\Admin\AppData\Local\Temp\QULVeJZhpMY\_Files\_Information.txt

Filesize
1KB

MD5
78f8f2a29e10805feebcd6dadaf4a02e

SHA1
00e9c211032537f2b1818ee5635288c76fcafe15

SHA256
060c69379d5e9e0a90d2b617f334a74017e7c70a349e5f71ffc2be06c9a78b1a

SHA512
8cff7dcc946974c66828287e0cf8e487098a3a217055619290072f1973f02be08e3b1766e2180aa6dd0e482d29e8a7e019a907fe670378d6a5d89cd1457a1a76

Download Submit
C:\Users\Admin\AppData\Local\Temp\QULVeJZhpMY\_Files\_Information.txt

Filesize
3KB

MD5
01468632946ecab9a18c58c5de74e1b6

SHA1
8112046809fbaf4dac4f039cf894df385ac343b4

SHA256
afad2051fbb4655fb5a522190461282cf855b3e0f751963514eadb9a25d96c7f

SHA512
a84a4493061ae40ea2b4de96826d50e35bd5f74c452bf98c110d31a3d08061c27e78cb3ec2abc33c5b513642684b2582bec3fa8e0b77d7b49572ac94cc4ad7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\QULVeJZhpMY\_Files\_Information.txt

Filesize
8KB

MD5
e0cd6995a7e08890f3c6430643c1d131

SHA1
71591faa7dd16d7358a1d77330edb7248e71fe44

SHA256
73e80dad04d8bc94e1add6c4c077ff09f30aacb03789cd96618f605d1b71ac66

SHA512
6207d29323c466690a725a2e50156e66079fdb78f807b3125f23bef5c60bca3d0eee1f71571fdc2c56df78cee31df7176abb490d7def14cdbb1e46ab5f6f893e

Download Submit
C:\Users\Admin\AppData\Local\Temp\QULVeJZhpMY\_Files\_Screen_Desktop.jpeg

Filesize
46KB

MD5
16351ac22ae5e85b75724a9b27ff2b25

SHA1
2174998728bddbc58caa17c45de6eb38b9a93dc8

SHA256
d940fe496f74bac81ad04b3c31a57ebee51f40992a28c62dd29b99bc3e0f77cb

SHA512
20b08bf0b57598b4ccfc66bb493dbd5eb9743fe73e024fd10834fc74934d62b714afa7996d619d46c1c0bea69228a6a977a52ef0445e14bea053393c2b1c3141

Download Submit
C:\Users\Admin\AppData\Local\Temp\QULVeJZhpMY\files_\system_info.txt

Filesize
8KB

MD5
99ee2f40bd9106138aedcae361dd6217

SHA1
01a1745eb8fdd43ba6fc558a508f59430b4567a0

SHA256
aa85933bd381c91722b56342008f3bfbaaa09a1d51d6c54740083daa03054afa

SHA512
6a34d9602d49126d6ef2bef63e7f1e02bc811fcaa8e234e84603a130e1ad29f0f2f834f6f9604e969b1b295f3d8f9bc8d658bf0a2fb2427d450a240aae7e1e34

Download Submit
memory/2172-4-0x0000000000400000-0x000000000095E000-memory.dmp

Filesize
5.4MB

Download
memory/2172-3-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2172-2-0x0000000000960000-0x0000000000A00000-memory.dmp

Filesize
640KB

Download
memory/2172-221-0x0000000000A10000-0x0000000000B10000-memory.dmp

Filesize
1024KB

Download
memory/2172-222-0x0000000000960000-0x0000000000A00000-memory.dmp

Filesize
640KB

Download
memory/2172-224-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2172-223-0x0000000000400000-0x000000000095E000-memory.dmp

Filesize
5.4MB

Download
memory/2172-1-0x0000000000A10000-0x0000000000B10000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing