cryptbot | 7d5b421a001c3fa5345f5f6603e675b5d55b145a96f7669ae983a0e81fb24d2c

General

Target

584d548c03e8861214a069d6da77fa95_JaffaCakes118.exe
Size

669KB
MD5

584d548c03e8861214a069d6da77fa95
SHA1

660e92380a92f9fc2af5ae7d7b1a0f3c8a54b06d
SHA256

7d5b421a001c3fa5345f5f6603e675b5d55b145a96f7669ae983a0e81fb24d2c
SHA512

3a5420485a1d29caef9b1829bd27fc7de84887d78f3ad19381ce92f52569298950a1750a58784892bfecc45f47e0e4e582178b6b33e5cad5e70160e5535c5776
SSDEEP

12288:qkfYHf48BZPRzmH+6WbFQf6VthtNT+ajAEfLxBy09dmaW7AMlzhRTXhU:m/48BZpzmu3PNiWXbd1dMlVTU

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Extracted

Family

cryptbot

C2

lysayu42.top

morbyn04.top

Attributes

payload_url
http://damhlu05.top/download.php?file=lv.exe

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 5 IoCs

resource	yara_rule
behavioral2/memory/3608-2-0x0000000000A90000-0x0000000000B30000-memory.dmp	family_cryptbot
behavioral2/memory/3608-3-0x0000000000400000-0x00000000004A3000-memory.dmp	family_cryptbot
behavioral2/memory/3608-218-0x0000000000A90000-0x0000000000B30000-memory.dmp	family_cryptbot
behavioral2/memory/3608-221-0x0000000000400000-0x00000000004A3000-memory.dmp	family_cryptbot
behavioral2/memory/3608-220-0x0000000000400000-0x000000000095E000-memory.dmp	family_cryptbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	584d548c03e8861214a069d6da77fa95_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	584d548c03e8861214a069d6da77fa95_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	584d548c03e8861214a069d6da77fa95_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3608	584d548c03e8861214a069d6da77fa95_JaffaCakes118.exe
3608	584d548c03e8861214a069d6da77fa95_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\584d548c03e8861214a069d6da77fa95_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\584d548c03e8861214a069d6da77fa95_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
PID:3608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\QULVeJZhpMY\8UwlYEYC7myTj.zip

Filesize
43KB

MD5
8163b052a3dc897aec7ea2fc45ac3862

SHA1
48d9ed955d6268830b1240d24762feba92c5cf71

SHA256
6e46006d2dc9f51895db33f6b786fdb3bb92603f121dda28046376e53ac36bbc

SHA512
c459edae2eeb070bfec4fad9933c5424d394e8ec09f5acf143a657aa2e3c7ad77f64a5fac361a12a495eee930dbd8a13978d0c866eb3805a4ecda1a6de09b97c

Download Submit
C:\Users\Admin\AppData\Local\Temp\QULVeJZhpMY\_Files\_Information.txt

Filesize
1KB

MD5
18676fd9aab3f1776db73209a977b160

SHA1
87021bf395f8b5925ced3ab8019470e9a79cf0ed

SHA256
adc4feba63c67acd374eb1a0afb2aa95957cb36de2bd7902887c4144fed1d5a3

SHA512
5609ca3cdb4050145125fe01b0480bd9ad68ef787f25d31a9fa6576e411fe531f80298e5c4cd6c970289bbe4095c3b78850079536c05a0d86c33f3fa86f8bb48

Download Submit
C:\Users\Admin\AppData\Local\Temp\QULVeJZhpMY\_Files\_Information.txt

Filesize
1KB

MD5
a4ca573fa8ab1a7baa369b13ad678495

SHA1
c6cbf915550d3c59f8bc660dc3df352a3960e60b

SHA256
888f7d6ba602c29e2c8d848071820e31b8ad298e1b2c24c02485b6d380e4c758

SHA512
7d730c57949bab3bfc7826bb3dcff617db70c805305024e5a518dc7dab5ee4dbec861bdd8ad9e5c500e1e49f7b35386f8a4b41916fa3c4b7ca92f774a863dbd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\QULVeJZhpMY\_Files\_Information.txt

Filesize
4KB

MD5
329f7abb5e3637dc7eee986de350bbc3

SHA1
de86d8d79f8ce1a0588746e817b34ce37faace30

SHA256
41b2768115a134aff5d54805e83c643cc9a04c3ae6598b2ad9ba88761591f53c

SHA512
21fe71dcf4c4ad70978a05e9eebe4f66d11fbfc34bc8971c82b503668edc0141912dbb00d4fd8eb46b6366285372642e182213d55ae00281038f7f8bf060adc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\QULVeJZhpMY\_Files\_Screen_Desktop.jpeg

Filesize
49KB

MD5
3add090395eb571b6d90231d8810ffd9

SHA1
d38d469973eb22ca6ca5dab7d4d3ba299c5fa757

SHA256
cc131ad46cd6d3b42ae3e75d952e028ae28e3e1924f4d5d290346e4a116c8ac2

SHA512
67c103a7926b8b8edf8d1457a3d44e492d9563187823fb794b40b7ebf7adf4d849309b23f48dc6b38a2903882c7a5bfefa7aa55767d1a024c07311768dc2ef83

Download Submit
C:\Users\Admin\AppData\Local\Temp\QULVeJZhpMY\cZ1Jux1IoiXQb.zip

Filesize
43KB

MD5
4d519c0b34bf86a53850715b32512c92

SHA1
2bea4236400953125f9aff69eeafdc3c2c9aaf1c

SHA256
a7d74ba437ac6cf6e10e921914ac6c8e54ee1bd9c31fafc541d4dd9559d645f1

SHA512
962978dcc6cfeabf7c320448b293e40d37ba7c08d68018b9ebc85e40b6cd76ef23d0e2bddfb131005d40c12424d8aa54f71ce9234f73a9b363dde172664a8a2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\QULVeJZhpMY\files_\system_info.txt

Filesize
7KB

MD5
6b654c6d22125b13765547ff61e33800

SHA1
fa7a09585022f84f70bbeafd9bd536b1b8030910

SHA256
d8595aa44f3e256e6494ce426a1a2ba5a47b0ea29c0ae02cdd0307460d552f45

SHA512
95a06bc66e045fb552aa57e3f55a1ddeb4a83a6d658abcf9bf1b8dd8de2443afc306a3bfe62204e87e12770320c4d5c5bed47a90b51d4992be637f033704fdac

Download Submit
memory/3608-3-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/3608-1-0x0000000000B50000-0x0000000000C50000-memory.dmp

Filesize
1024KB

Download
memory/3608-217-0x0000000000B50000-0x0000000000C50000-memory.dmp

Filesize
1024KB

Download
memory/3608-218-0x0000000000A90000-0x0000000000B30000-memory.dmp

Filesize
640KB

Download
memory/3608-221-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/3608-220-0x0000000000400000-0x000000000095E000-memory.dmp

Filesize
5.4MB

Download
memory/3608-2-0x0000000000A90000-0x0000000000B30000-memory.dmp

Filesize
640KB

Download

Analysis

Sharing