cryptbot | d3b3bb2152cc272693f174af8209b0e41388e619e6ee0dbceb2d796153dc9c5b

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2024 22:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a46fac3fce10d95d76cca57a9736a868_JaffaCakes118.exe
Size

1.4MB
MD5

a46fac3fce10d95d76cca57a9736a868
SHA1

5f18417206dd1734c9216f4b58ad547eacaae847
SHA256

d3b3bb2152cc272693f174af8209b0e41388e619e6ee0dbceb2d796153dc9c5b
SHA512

b97f46fdf6e8ae3d84cc6c844a8eb5217385c3ddd3ad5d2ebfd5f41cdcb8cf41870129b285396ca24ee97ed204baca08640df3594f3fa22ab5a7ed6bf2e196c6
SSDEEP

24576:6g8oV3LeiyZ2oS8iUxhhhCNToGSkLyObxPPnMHhqb6i9OVs:L36corSNPSkLNbNnWIb6js

Score

10^/10

cryptbot discovery persistence spyware stealer

Malware Config

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5072-24-0x0000000004AA0000-0x0000000004B43000-memory.dmp	family_cryptbot
behavioral2/memory/5072-25-0x0000000004AA0000-0x0000000004B43000-memory.dmp	family_cryptbot
behavioral2/memory/5072-26-0x0000000004AA0000-0x0000000004B43000-memory.dmp	family_cryptbot

Cryptbot family
cryptbot

Executes dropped EXE 2 IoCs

Processes:

Usci.exe.comUsci.exe.com

pid	Process
1748	Usci.exe.com
5072	Usci.exe.com

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

a46fac3fce10d95d76cca57a9736a868_JaffaCakes118.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a46fac3fce10d95d76cca57a9736a868_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

findstr.exePING.EXEUsci.exe.comUsci.exe.coma46fac3fce10d95d76cca57a9736a868_JaffaCakes118.execmd.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Usci.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Usci.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a46fac3fce10d95d76cca57a9736a868_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXE

pid	Process
768	PING.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Usci.exe.com

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Usci.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Usci.exe.com

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
768	PING.EXE

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

Usci.exe.comUsci.exe.com

pid	Process
1748	Usci.exe.com
1748	Usci.exe.com
1748	Usci.exe.com
5072	Usci.exe.com
5072	Usci.exe.com
5072	Usci.exe.com
5072	Usci.exe.com
5072	Usci.exe.com

Suspicious use of SendNotifyMessage 6 IoCs

Processes:

Usci.exe.comUsci.exe.com

pid	Process
1748	Usci.exe.com
1748	Usci.exe.com
1748	Usci.exe.com
5072	Usci.exe.com
5072	Usci.exe.com
5072	Usci.exe.com

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

a46fac3fce10d95d76cca57a9736a868_JaffaCakes118.execmd.execmd.exeUsci.exe.com

description	pid	Process	procid_target
PID 4836 wrote to memory of 3840	4836	a46fac3fce10d95d76cca57a9736a868_JaffaCakes118.exe	83
PID 4836 wrote to memory of 3840	4836	a46fac3fce10d95d76cca57a9736a868_JaffaCakes118.exe	83
PID 4836 wrote to memory of 3840	4836	a46fac3fce10d95d76cca57a9736a868_JaffaCakes118.exe	83
PID 4836 wrote to memory of 1780	4836	a46fac3fce10d95d76cca57a9736a868_JaffaCakes118.exe	84
PID 4836 wrote to memory of 1780	4836	a46fac3fce10d95d76cca57a9736a868_JaffaCakes118.exe	84
PID 4836 wrote to memory of 1780	4836	a46fac3fce10d95d76cca57a9736a868_JaffaCakes118.exe	84
PID 1780 wrote to memory of 1584	1780	cmd.exe	86
PID 1780 wrote to memory of 1584	1780	cmd.exe	86
PID 1780 wrote to memory of 1584	1780	cmd.exe	86
PID 1584 wrote to memory of 4032	1584	cmd.exe	87
PID 1584 wrote to memory of 4032	1584	cmd.exe	87
PID 1584 wrote to memory of 4032	1584	cmd.exe	87
PID 1584 wrote to memory of 1748	1584	cmd.exe	88
PID 1584 wrote to memory of 1748	1584	cmd.exe	88
PID 1584 wrote to memory of 1748	1584	cmd.exe	88
PID 1584 wrote to memory of 768	1584	cmd.exe	89
PID 1584 wrote to memory of 768	1584	cmd.exe	89
PID 1584 wrote to memory of 768	1584	cmd.exe	89
PID 1748 wrote to memory of 5072	1748	Usci.exe.com	90
PID 1748 wrote to memory of 5072	1748	Usci.exe.com	90
PID 1748 wrote to memory of 5072	1748	Usci.exe.com	90

C:\Users\Admin\AppData\Local\Temp\a46fac3fce10d95d76cca57a9736a868_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a46fac3fce10d95d76cca57a9736a868_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Windows\SysWOW64\dllhost.exe
  dllhost.exe
  2⤵
  PID:3840
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cmd < Turbamento.aifc
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1584
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^JELfaxXqaAFUmUATRIcZuUapRVyOrkOsikNinQFIMVJZbuJNkRMCIJxPkCnvfpXiMhNhiacqeMhklzMKksCknkJnRXVVaozDXChpzvGScLmVcoESQNkY$" Ombra.aifc
      4⤵
      System Location Discovery: System Language Discovery
      PID:4032
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Usci.exe.com
      Usci.exe.com I
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1748
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Usci.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Usci.exe.com I
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5072
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 30
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cancellato.aifc

Filesize
697KB

MD5
d264b6e27748733930592bff42ce935d

SHA1
1385ad7855a5c804f3822e28883adea0c51e123c

SHA256
10c83d6f9565adbea8040c424887cce1a19e981c9e55fdaf26b4c9bebbb4a198

SHA512
093c4dab47f3a50b395f88b8e594a0e889cea8d384352ce96e0cf5e407091275b1e1b081ad0f740c3702e50f76a2025fad827473c2b287f534db6cf0e8448ea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ombra.aifc

Filesize
872KB

MD5
608ba61cbaf75e1c6258480f87ceb5c1

SHA1
89ac0c42b71d6af7b9c382fc3cfc71941dbb28cd

SHA256
8af4505d71423c4abd175dcf81fcc5566e4db03a4cfd6f3c0f8e6c8415e56e03

SHA512
dcbca3d1bb477cc53ba541053e4eb16f4ce3fad14091c700a843328786e0ff7ae956c05d6d886c8b8f1ccfab21923170b9117b3284256c4a632d7895ae21bc36

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Puoi.aifc

Filesize
634KB

MD5
9c90955c037667a1d6a98d52549c8031

SHA1
bfcbd11ef17be08426ff6c51f153ee449395d5bc

SHA256
dd5d31cfe88fd77fe8646b19a6b2f348fa5ce10e1febaca0d7bfc457964d7301

SHA512
72093264611efbfaccaa9a2133bf2174dc1de19873932d047be769442bd36d474edf64fdb8c9ec2073ed40e4a75166c9be39771811b41c7ad6ea7fbe4a2eabaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Turbamento.aifc

Filesize
548B

MD5
b5dcccb8491bad9b5313904cd56c95c8

SHA1
d2662d98013ccf8927c8e748009fd431c4bf1229

SHA256
f083338d4124496e820fd063cfa10274300be77ccc7ec6a9f26032d5cfae7cdc

SHA512
d9cb2b33f2eab343b29c1a372e81b3c416016db9a622e59dfe4e98df232afc69821468ffd2a62500b1bcc61b26d6a8c3a571ce66304e91f27831dbf29b8a29c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Usci.exe.com

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jYuVZjTkRgJ\_Files\_Information.txt

Filesize
4KB

MD5
68091992f551bc3023e4e85eae368371

SHA1
26385b05bfc1f964f5abd8713d5f4df4d8dcad37

SHA256
b205707c3e6281ad508cdf1f7bbc520c4a3656536a13e418c5d1f1c23bfcff2d

SHA512
d5a03ef6c23c8ae3b040b66c7086468ebdd0f1050a39134690084c88deae2841cb8d81c0605bbb550171803e416d82d1cf6481aab9d515c1209493c027558370

Download Submit
C:\Users\Admin\AppData\Local\Temp\jYuVZjTkRgJ\_Files\_Screen_Desktop.jpeg

Filesize
48KB

MD5
994dddd97df58eb2449e6ae4b1be6f28

SHA1
24fdc8598acd37f31034fba1f0736501dfd69989

SHA256
57a9f193b310090e12122df90b5738ce12da1ee59b2b37ad40f8647071c8a3fa

SHA512
6068d3352c7c03c23c0e5dd8e515d3b0c8d5aa0980141ba91bfce1e7cc7266e0216312cb3aa0240fb9c84b38953c1847160d83b0dd5bfb9f9fa04456e90db9a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jYuVZjTkRgJ\files_\system_info.txt

Filesize
692B

MD5
4f4b2b587dfbfb98af80d70833b3dc10

SHA1
71594790452c38a31298e8cdc1a996e7d16fa6f6

SHA256
6dec55b6cbf471d228b32d0c941ce023e1572f7bd39fb01336153303b31736ca

SHA512
95b5edfb3f61982ca2df1d80f7d408530e8c36efa6b9c31bb06b2f4f56e6b4e59967e1ed9f73e7745edae6026ce8c18c174c8e59f53b688593db350f0a695809

Download Submit
C:\Users\Admin\AppData\Local\Temp\jYuVZjTkRgJ\files_\system_info.txt

Filesize
7KB

MD5
8e00b18627a93edcb34bd541d1a08829

SHA1
cb67252f401cb5e798ddb278838442f925a3edd8

SHA256
fc6e3e13fefd11501f6e2e7c3aa338d570d3667339ecd7825fde980f5c3ce3f3

SHA512
4a3e09dd57e34c27253df8d4f7f2217258ff20754f7a0809cd76b22857855aaf621b324526c05e50f5e856f809fb15bd8f3a055f28d8313bb92f1038d7c3fa7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jYuVZjTkRgJ\sZaktFxY1B7.zip

Filesize
43KB

MD5
25a845131621544e4434669f50ae2856

SHA1
dc374ab5696958c59f6d26f0c9f3902fdbf22712

SHA256
6c03ee6689094b54b62e421577a1ec6e9941df617c99a15c777ce7b0337b6c57

SHA512
79583a24f12737143217d3182e706322e68fc201114a51b61f350f0e4f48d09b9e727545c8b3b42d8a5b32b6d1d2df6098944518de325fbf189f81c8a83d85d5

Download Submit
memory/5072-22-0x0000000004AA0000-0x0000000004B43000-memory.dmp

Filesize
652KB

Download
memory/5072-24-0x0000000004AA0000-0x0000000004B43000-memory.dmp

Filesize
652KB

Download
memory/5072-25-0x0000000004AA0000-0x0000000004B43000-memory.dmp

Filesize
652KB

Download
memory/5072-26-0x0000000004AA0000-0x0000000004B43000-memory.dmp

Filesize
652KB

Download
memory/5072-23-0x0000000004AA0000-0x0000000004B43000-memory.dmp

Filesize
652KB

Download
memory/5072-21-0x0000000004AA0000-0x0000000004B43000-memory.dmp

Filesize
652KB

Download