cryptbot | d3b3bb2152cc272693f174af8209b0e41388e619e6ee0dbceb2d796153dc9c5b

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-11-2024 22:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a46fac3fce10d95d76cca57a9736a868_JaffaCakes118.exe
Size

1.4MB
MD5

a46fac3fce10d95d76cca57a9736a868
SHA1

5f18417206dd1734c9216f4b58ad547eacaae847
SHA256

d3b3bb2152cc272693f174af8209b0e41388e619e6ee0dbceb2d796153dc9c5b
SHA512

b97f46fdf6e8ae3d84cc6c844a8eb5217385c3ddd3ad5d2ebfd5f41cdcb8cf41870129b285396ca24ee97ed204baca08640df3594f3fa22ab5a7ed6bf2e196c6
SSDEEP

24576:6g8oV3LeiyZ2oS8iUxhhhCNToGSkLyObxPPnMHhqb6i9OVs:L36corSNPSkLNbNnWIb6js

Score

10^/10

cryptbot discovery persistence spyware stealer

Malware Config

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2940-27-0x0000000003A20000-0x0000000003AC3000-memory.dmp	family_cryptbot
behavioral1/memory/2940-28-0x0000000003A20000-0x0000000003AC3000-memory.dmp	family_cryptbot
behavioral1/memory/2940-29-0x0000000003A20000-0x0000000003AC3000-memory.dmp	family_cryptbot

Cryptbot family
cryptbot

Executes dropped EXE 2 IoCs

Processes:

Usci.exe.comUsci.exe.com

pid	Process
2944	Usci.exe.com
2940	Usci.exe.com

Loads dropped DLL 2 IoCs

Processes:

cmd.exeUsci.exe.com

pid	Process
2756	cmd.exe
2944	Usci.exe.com

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

a46fac3fce10d95d76cca57a9736a868_JaffaCakes118.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a46fac3fce10d95d76cca57a9736a868_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

dllhost.execmd.execmd.exefindstr.exeUsci.exe.comPING.EXEUsci.exe.coma46fac3fce10d95d76cca57a9736a868_JaffaCakes118.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Usci.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Usci.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a46fac3fce10d95d76cca57a9736a868_JaffaCakes118.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXE

pid	Process
2816	PING.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Usci.exe.com

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Usci.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Usci.exe.com

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
2816	PING.EXE

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

Usci.exe.comUsci.exe.com

pid	Process
2944	Usci.exe.com
2944	Usci.exe.com
2944	Usci.exe.com
2940	Usci.exe.com
2940	Usci.exe.com
2940	Usci.exe.com
2940	Usci.exe.com
2940	Usci.exe.com

Suspicious use of SendNotifyMessage 6 IoCs

Processes:

Usci.exe.comUsci.exe.com

pid	Process
2944	Usci.exe.com
2944	Usci.exe.com
2944	Usci.exe.com
2940	Usci.exe.com
2940	Usci.exe.com
2940	Usci.exe.com

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

a46fac3fce10d95d76cca57a9736a868_JaffaCakes118.execmd.execmd.exeUsci.exe.com

description	pid	Process	procid_target
PID 2196 wrote to memory of 2664	2196	a46fac3fce10d95d76cca57a9736a868_JaffaCakes118.exe	31
PID 2196 wrote to memory of 2664	2196	a46fac3fce10d95d76cca57a9736a868_JaffaCakes118.exe	31
PID 2196 wrote to memory of 2664	2196	a46fac3fce10d95d76cca57a9736a868_JaffaCakes118.exe	31
PID 2196 wrote to memory of 2664	2196	a46fac3fce10d95d76cca57a9736a868_JaffaCakes118.exe	31
PID 2196 wrote to memory of 2700	2196	a46fac3fce10d95d76cca57a9736a868_JaffaCakes118.exe	32
PID 2196 wrote to memory of 2700	2196	a46fac3fce10d95d76cca57a9736a868_JaffaCakes118.exe	32
PID 2196 wrote to memory of 2700	2196	a46fac3fce10d95d76cca57a9736a868_JaffaCakes118.exe	32
PID 2196 wrote to memory of 2700	2196	a46fac3fce10d95d76cca57a9736a868_JaffaCakes118.exe	32
PID 2700 wrote to memory of 2756	2700	cmd.exe	34
PID 2700 wrote to memory of 2756	2700	cmd.exe	34
PID 2700 wrote to memory of 2756	2700	cmd.exe	34
PID 2700 wrote to memory of 2756	2700	cmd.exe	34
PID 2756 wrote to memory of 2780	2756	cmd.exe	35
PID 2756 wrote to memory of 2780	2756	cmd.exe	35
PID 2756 wrote to memory of 2780	2756	cmd.exe	35
PID 2756 wrote to memory of 2780	2756	cmd.exe	35
PID 2756 wrote to memory of 2944	2756	cmd.exe	36
PID 2756 wrote to memory of 2944	2756	cmd.exe	36
PID 2756 wrote to memory of 2944	2756	cmd.exe	36
PID 2756 wrote to memory of 2944	2756	cmd.exe	36
PID 2756 wrote to memory of 2816	2756	cmd.exe	37
PID 2756 wrote to memory of 2816	2756	cmd.exe	37
PID 2756 wrote to memory of 2816	2756	cmd.exe	37
PID 2756 wrote to memory of 2816	2756	cmd.exe	37
PID 2944 wrote to memory of 2940	2944	Usci.exe.com	38
PID 2944 wrote to memory of 2940	2944	Usci.exe.com	38
PID 2944 wrote to memory of 2940	2944	Usci.exe.com	38
PID 2944 wrote to memory of 2940	2944	Usci.exe.com	38

C:\Users\Admin\AppData\Local\Temp\a46fac3fce10d95d76cca57a9736a868_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a46fac3fce10d95d76cca57a9736a868_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\SysWOW64\dllhost.exe
  dllhost.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2664
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cmd < Turbamento.aifc
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^JELfaxXqaAFUmUATRIcZuUapRVyOrkOsikNinQFIMVJZbuJNkRMCIJxPkCnvfpXiMhNhiacqeMhklzMKksCknkJnRXVVaozDXChpzvGScLmVcoESQNkY$" Ombra.aifc
      4⤵
      System Location Discovery: System Language Discovery
      PID:2780
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Usci.exe.com
      Usci.exe.com I
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2944
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Usci.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Usci.exe.com I
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2940
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 30
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cancellato.aifc

Filesize
697KB

MD5
d264b6e27748733930592bff42ce935d

SHA1
1385ad7855a5c804f3822e28883adea0c51e123c

SHA256
10c83d6f9565adbea8040c424887cce1a19e981c9e55fdaf26b4c9bebbb4a198

SHA512
093c4dab47f3a50b395f88b8e594a0e889cea8d384352ce96e0cf5e407091275b1e1b081ad0f740c3702e50f76a2025fad827473c2b287f534db6cf0e8448ea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ombra.aifc

Filesize
872KB

MD5
608ba61cbaf75e1c6258480f87ceb5c1

SHA1
89ac0c42b71d6af7b9c382fc3cfc71941dbb28cd

SHA256
8af4505d71423c4abd175dcf81fcc5566e4db03a4cfd6f3c0f8e6c8415e56e03

SHA512
dcbca3d1bb477cc53ba541053e4eb16f4ce3fad14091c700a843328786e0ff7ae956c05d6d886c8b8f1ccfab21923170b9117b3284256c4a632d7895ae21bc36

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Puoi.aifc

Filesize
634KB

MD5
9c90955c037667a1d6a98d52549c8031

SHA1
bfcbd11ef17be08426ff6c51f153ee449395d5bc

SHA256
dd5d31cfe88fd77fe8646b19a6b2f348fa5ce10e1febaca0d7bfc457964d7301

SHA512
72093264611efbfaccaa9a2133bf2174dc1de19873932d047be769442bd36d474edf64fdb8c9ec2073ed40e4a75166c9be39771811b41c7ad6ea7fbe4a2eabaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Turbamento.aifc

Filesize
548B

MD5
b5dcccb8491bad9b5313904cd56c95c8

SHA1
d2662d98013ccf8927c8e748009fd431c4bf1229

SHA256
f083338d4124496e820fd063cfa10274300be77ccc7ec6a9f26032d5cfae7cdc

SHA512
d9cb2b33f2eab343b29c1a372e81b3c416016db9a622e59dfe4e98df232afc69821468ffd2a62500b1bcc61b26d6a8c3a571ce66304e91f27831dbf29b8a29c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mKoiMbwRDljb\QnlA5t5B4EGW.zip

Filesize
44KB

MD5
876858376ef6c61c4f74c4766d55438b

SHA1
b64a9f531f74d8a14a79b5426346ee0f3851dc5a

SHA256
0a717ab2a22bca94045410d7cd0e58aea5d17797f7c69eeeb25b6d58a8efc4df

SHA512
9b9d8e3db4713f4ac169a8580445ef362112ca01f7ed3a3354ad9ea0ba242abad5c37c62b2088dff7d326f07c55ca0601ffe1eaa0752834ee2c089733dcfc65c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mKoiMbwRDljb\_Files\_Information.txt

Filesize
668B

MD5
c4e0136994ea48ba2e85cde875848abf

SHA1
257598f33defda2a0c6afdb74af1b1dcf165fb98

SHA256
35bffc3adc28ae1fdc8f1c8e65fd14292432bd677262b0d021f61fbf789e64a4

SHA512
de10e4a68e2b751e9b31f431ee33b463137003dd792c37e937362e2a80c8072510ee7cde08e6c431f9e83f1bb12bc1614b96657a92eaf57d5e67db7bd092fdca

Download Submit
C:\Users\Admin\AppData\Local\Temp\mKoiMbwRDljb\_Files\_Information.txt

Filesize
8KB

MD5
d4e020f0b9bfdc7ff8da80e16cbc9d6c

SHA1
029d9484b32d9fea756173bce30bf311f32b6983

SHA256
b2d6d3f38202228723e6e890490bae29bb58981b66cd65387d69f860bdb42c8c

SHA512
8d0cfdcc5d77d3ca952884fb2b0b704580f5bc1f2aa0afbcf5d0080488f48f5ecacb62ddeddf6c6ac8e0545abc755cdf9a7d031e1f062b43d8cf12d26d17ac94

Download Submit
C:\Users\Admin\AppData\Local\Temp\mKoiMbwRDljb\_Files\_Screen_Desktop.jpeg

Filesize
51KB

MD5
fe6da98344b1aa9a787589c87cb26dbd

SHA1
1cf70679318ddeb3016480688cb6f0b63c201d55

SHA256
b7cd7c5c2ad0dc5c4e37579b68920c3667ecb96b0e25582b793ce5b7852e151f

SHA512
877a44550361e48e4b618e9d07b556e648352b13401da90dad46065f7b7a1c108fc6923cce9bcad5d5942fbe45625a2a70f32e6ea6ef4c6d04147f4cd6a850d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\mKoiMbwRDljb\files_\system_info.txt

Filesize
8KB

MD5
e1f3c04881f8015ad52a2e5511963a98

SHA1
50542164213eedfcb23e443e5f6be19b5a3aee98

SHA256
b0f0a51354ed724947575b3ce77d489062cb9e23097860d4c6a07ffe6e096674

SHA512
95c660d78f25d13e07be4e90f6bf3fc1e69d626620a711e1f6535184d2103e436036c941f9ca0f1a0d87be6d554ef0980d6ff2602f15f23918df500b0b1fc0b2

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Usci.exe.com

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/2940-24-0x0000000003A20000-0x0000000003AC3000-memory.dmp

Filesize
652KB

Download
memory/2940-27-0x0000000003A20000-0x0000000003AC3000-memory.dmp

Filesize
652KB

Download
memory/2940-28-0x0000000003A20000-0x0000000003AC3000-memory.dmp

Filesize
652KB

Download
memory/2940-29-0x0000000003A20000-0x0000000003AC3000-memory.dmp

Filesize
652KB

Download
memory/2940-25-0x0000000003A20000-0x0000000003AC3000-memory.dmp

Filesize
652KB

Download
memory/2940-26-0x0000000003A20000-0x0000000003AC3000-memory.dmp

Filesize
652KB

Download