cryptbot | 501c0162355dee7aef140c1d26e3424e4e3fce34fca4776fb74f89e450c726e8

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2024 11:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac1eec7ed21f24d15b47eeb754f40ebe_JaffaCakes118.exe
Size

964KB
MD5

ac1eec7ed21f24d15b47eeb754f40ebe
SHA1

4ddfcf906a754c96d92c63dfc8fbf65bac8271fe
SHA256

501c0162355dee7aef140c1d26e3424e4e3fce34fca4776fb74f89e450c726e8
SHA512

dbb1bc5a028651eb567f5f9b5635f37fd02efa8aa8548ed2f21a3b03e73534ab7ad16bea67eea71bb2636f238fb74497401d8aaeba82545acfb0425cfaff7777
SSDEEP

24576:ZwiC/zGeGGIJk6u2Ir7Y/qV4BsjPsW0IYTIH9ASRrn:ZwicIJ8Q/daTsCYTw

Score

10^/10

cryptbot discovery persistence spyware stealer

Malware Config

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Cryptbot family
cryptbot

Executes dropped EXE 2 IoCs

pid	Process
4744	Suoi.exe.com
1872	Suoi.exe.com

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ac1eec7ed21f24d15b47eeb754f40ebe_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Suoi.exe.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ac1eec7ed21f24d15b47eeb754f40ebe_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Suoi.exe.com

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
644	PING.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Suoi.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Suoi.exe.com

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
644	PING.EXE

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
4744	Suoi.exe.com
4744	Suoi.exe.com
4744	Suoi.exe.com
1872	Suoi.exe.com
1872	Suoi.exe.com
1872	Suoi.exe.com

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
4744	Suoi.exe.com
4744	Suoi.exe.com
4744	Suoi.exe.com
1872	Suoi.exe.com
1872	Suoi.exe.com
1872	Suoi.exe.com

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2012	2216	ac1eec7ed21f24d15b47eeb754f40ebe_JaffaCakes118.exe	83
PID 2216 wrote to memory of 2012	2216	ac1eec7ed21f24d15b47eeb754f40ebe_JaffaCakes118.exe	83
PID 2216 wrote to memory of 2012	2216	ac1eec7ed21f24d15b47eeb754f40ebe_JaffaCakes118.exe	83
PID 2216 wrote to memory of 1492	2216	ac1eec7ed21f24d15b47eeb754f40ebe_JaffaCakes118.exe	84
PID 2216 wrote to memory of 1492	2216	ac1eec7ed21f24d15b47eeb754f40ebe_JaffaCakes118.exe	84
PID 2216 wrote to memory of 1492	2216	ac1eec7ed21f24d15b47eeb754f40ebe_JaffaCakes118.exe	84
PID 1492 wrote to memory of 5116	1492	cmd.exe	86
PID 1492 wrote to memory of 5116	1492	cmd.exe	86
PID 1492 wrote to memory of 5116	1492	cmd.exe	86
PID 5116 wrote to memory of 3236	5116	cmd.exe	87
PID 5116 wrote to memory of 3236	5116	cmd.exe	87
PID 5116 wrote to memory of 3236	5116	cmd.exe	87
PID 5116 wrote to memory of 4744	5116	cmd.exe	88
PID 5116 wrote to memory of 4744	5116	cmd.exe	88
PID 5116 wrote to memory of 4744	5116	cmd.exe	88
PID 5116 wrote to memory of 644	5116	cmd.exe	89
PID 5116 wrote to memory of 644	5116	cmd.exe	89
PID 5116 wrote to memory of 644	5116	cmd.exe	89
PID 4744 wrote to memory of 1872	4744	Suoi.exe.com	90
PID 4744 wrote to memory of 1872	4744	Suoi.exe.com	90
PID 4744 wrote to memory of 1872	4744	Suoi.exe.com	90

C:\Users\Admin\AppData\Local\Temp\ac1eec7ed21f24d15b47eeb754f40ebe_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ac1eec7ed21f24d15b47eeb754f40ebe_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\SysWOW64\dllhost.exe
  dllhost.exe
  2⤵
  PID:2012
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cmd < Ricordate.vsdm
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5116
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^QWHLUKuiiDFIhiRyCPjdFJNtltqqpnGWMhmyxpaEILzHfdHrBCugXdnupCAQJyYJWIWqHMLavIIUfyPTvXmHa$" Illusione.vsdm
      4⤵
      System Location Discovery: System Language Discovery
      PID:3236
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Suoi.exe.com
      Suoi.exe.com V
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4744
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Suoi.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Suoi.exe.com V
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1872
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Illusione.vsdm

Filesize
872KB

MD5
109f787615bbe467bc1e4fe223c64cd5

SHA1
ce3aacc8542a180c49f81910c67bdd410f1a9aa5

SHA256
e73d322be366b7d0ef65f202fce5744a2bb66e7dfeb4845c75612c064a2dfb45

SHA512
2409e35db56292fcb511d366cfa0bc8c27aa46f9c44562be76cbbb9d74bc4a1f9fe1117a5baa2927b47eedf3dbfb7b2af6f95cf663e92b4e51a9fed7216b0d9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ricordate.vsdm

Filesize
369B

MD5
fde57daa71c28252665c4b580ff34c5c

SHA1
499743b480a84e323da62545b15c37d5b40af210

SHA256
bd21fc1f1de4e42951bebd3df3605fb59791934916b48334b79076b331803b25

SHA512
5af3f7056fd234f6806202da8d829841c6d6ffe023c003d2e97ed731b730d0b71c064c159a4a8f3106f31840167d9829c346ede593cd8945c20ebaf0a645a426

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sul.vsdm

Filesize
1.1MB

MD5
ebd410b00fb7f35dd4085899c639aead

SHA1
f02331585123a2c0cd6c636912281d6657b8e58c

SHA256
fb8fd58158d33e6f1781fef18f0c15657db81ee3d9b177ef816720cbd797f214

SHA512
fe4c195c3df38f2cae2b033696dd9e72bc4af6230002d3f9ea3cf31a593a3c6d3c944704d432c7c2744c77c4fb48f36da6a09e0aa4a3e8c609481cd0e853d8dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Suoi.exe.com

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\abgdSqfZ\_Files\_Information.txt

Filesize
1KB

MD5
7a06bb703b3e9e50c9086a6c9a4caac9

SHA1
e4ebd3607d8eca3d76ab2f83d240b9b240cac2ca

SHA256
15537fd2c1de2a3541e89deeaed9dc16921e76e55107aec636b4e026d8993b08

SHA512
47d9704a6bf23ed98ab607b155b89d784b78b864e292117af8b0a5860fb75c26d5dbde0e43a4b60494f3a9c0f9a3a72485104b6abfabbb1815d465db918bc9c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\abgdSqfZ\_Files\_Information.txt

Filesize
3KB

MD5
88ab6962a4d9bb16ca21f6d9a0c9f97d

SHA1
bdcfb8586ca482f478850357a9908b9d8c85b4e9

SHA256
8f7aecd50a3fce1cbfd29cc41b0e7262da94b4e410034f95a497e91feccdd9f5

SHA512
ac991db5ca969978bc6317b82bbfcf6fe2e244d36f27bc9374f905757c8fd9c3ffa45550e565a18b821c9ecb62e25fa37ba756d59cfae1df93d7b6ee667c384a

Download Submit
C:\Users\Admin\AppData\Local\Temp\abgdSqfZ\_Files\_Information.txt

Filesize
4KB

MD5
a1210950d0137daefe02b66a4d74d3df

SHA1
f5107d7e544786a1f98346d0e35fc1898d0e1652

SHA256
314a822dc5ab3702ffd40c230c6a60262890ff126db113373ad55796a3ffce4d

SHA512
57e268cf40749fc3c483675b5390d4e813ceec81ec9f1f0bde384a9ea1eaf16857aea722b05b2eea4d9d7bcf87196ab96d26c4fcb37d9c8b7a2239e4167cc724

Download Submit
C:\Users\Admin\AppData\Local\Temp\abgdSqfZ\_Files\_Screen_Desktop.jpeg

Filesize
48KB

MD5
c404800f7608f003486357533d25a23f

SHA1
a23b829c64c988838c66640d2354a42eb4183784

SHA256
1f272819344ad2b7bc8b10c2819a909558667d8179dddaf73f65fdcbc6fc3954

SHA512
c7033082b8d405b97a1035c102fc37dc080660648edc06ba9699725159520e436412d45316e0764f265188ad144d64a7847dacaacc9af0b7a8e4c4bb6d7e575c

Download Submit
C:\Users\Admin\AppData\Local\Temp\abgdSqfZ\xsCuQZaUmL.zip

Filesize
42KB

MD5
e4f1e816037fcf382e821c601aa5d78e

SHA1
2c7b68709a4d39e985644fce7a10dd9c57a76231

SHA256
75361f7db4128acda45f5b94c453ef196c4b7f6acbe823f3b03165f2fed7ff47

SHA512
4072756f01f65f61ae0452106996f4b6c0fe31020affc91058a8c4336cec5d4967e2e6b29529b49ef35a5bacf69d916a7266dfc3b251070416125e0d0d8607a4

Download Submit
memory/1872-21-0x0000000000370000-0x00000000003B9000-memory.dmp

Filesize
292KB

Download
memory/1872-24-0x0000000000370000-0x00000000003B9000-memory.dmp

Filesize
292KB

Download
memory/1872-23-0x0000000000370000-0x00000000003B9000-memory.dmp

Filesize
292KB

Download
memory/1872-22-0x0000000000370000-0x00000000003B9000-memory.dmp

Filesize
292KB

Download
memory/1872-20-0x0000000000370000-0x00000000003B9000-memory.dmp

Filesize
292KB

Download
memory/1872-19-0x0000000000370000-0x00000000003B9000-memory.dmp

Filesize
292KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads