cryptbot | ee868c21339f7b0d6c1fcbe27769b583d3a17b11dc5f39862defef456a4a8df5

General

Target

b9603bc9734cc8f5a19cea4c717970ab_JaffaCakes118.exe
Size

602KB
MD5

b9603bc9734cc8f5a19cea4c717970ab
SHA1

33675c412f39535a1e39c4d4d900ff5b224aed9e
SHA256

ee868c21339f7b0d6c1fcbe27769b583d3a17b11dc5f39862defef456a4a8df5
SHA512

25bc956decaada8d3d0ed1739644c56dc2f2272904334c6638b4e6fa0312eb58de474e46328059430e6e0b06788d87422dbf667ac22eed7e0dee836eadcffdff
SSDEEP

12288:3uBqDLOHBcaqQOftyYMRxFP0/6ySMyQlA/P5391ak5mT6iq3ekVhtG9C5Gxaq:iqD9aqQOLMrqXSwaHNGzZq3eko9H1

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Extracted

Family

cryptbot

C2

lysvay12.top

moroer01.top

Attributes

payload_url
http://damuxa01.top/download.php?file=lv.exe

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1260-2-0x0000000004AB0000-0x0000000004B50000-memory.dmp	family_cryptbot
behavioral2/memory/1260-3-0x0000000000400000-0x00000000004A3000-memory.dmp	family_cryptbot
behavioral2/memory/1260-220-0x0000000004AB0000-0x0000000004B50000-memory.dmp	family_cryptbot
behavioral2/memory/1260-219-0x0000000000400000-0x0000000002CCC000-memory.dmp	family_cryptbot
behavioral2/memory/1260-221-0x0000000000400000-0x00000000004A3000-memory.dmp	family_cryptbot

Cryptbot family
cryptbot
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

b9603bc9734cc8f5a19cea4c717970ab_JaffaCakes118.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b9603bc9734cc8f5a19cea4c717970ab_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b9603bc9734cc8f5a19cea4c717970ab_JaffaCakes118.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	b9603bc9734cc8f5a19cea4c717970ab_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	b9603bc9734cc8f5a19cea4c717970ab_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

b9603bc9734cc8f5a19cea4c717970ab_JaffaCakes118.exe

pid	Process
1260	b9603bc9734cc8f5a19cea4c717970ab_JaffaCakes118.exe
1260	b9603bc9734cc8f5a19cea4c717970ab_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\b9603bc9734cc8f5a19cea4c717970ab_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b9603bc9734cc8f5a19cea4c717970ab_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
PID:1260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rhcP2Jr\EI3Y4hz0h5.zip

Filesize
43KB

MD5
f37715da4781ebddfdad0e21d20db0ca

SHA1
9d1bda29ad1eece2aeff489099184cb7db6aac81

SHA256
4fd5067fd4ad44eac2051927e33ff7cf5d07d91ca617d8832b06222f7561aa88

SHA512
6ffa3f6c0d8cde4c5ae4f20f44b3b4bca38c30fab92a9f2116aaaae7d2a6a4dbf7c00e799f85c4a3dc50887cb11acca6f2abbbe7d05ee498867c517102739f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\rhcP2Jr\_Files\_Information.txt

Filesize
1KB

MD5
2f28c4138b451508bdef829e2e36cae2

SHA1
1c93c2404820914352f8db0300549d7bd873046b

SHA256
49e42275265e550b593f86c5950b7d8fc5f1020d6e37ceced24eb0b1246f37e5

SHA512
245b85f106ddfe07d57536e81e74caabdf77c8cb5b1d5cdb27c423d6764e46a15891816bdc6c37dad112dbb66946a89561533d85ed7cdda9e9a50da45685f8e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\rhcP2Jr\_Files\_Information.txt

Filesize
1KB

MD5
f37ad9d412287e21ed2db54a00df1186

SHA1
6585837252d9b59419451f81e884cbe963686646

SHA256
de73492ecefa839bdc6772521309d03e746efd2b1fa12bc0b86f461cfd7ed710

SHA512
9068da8d941d01498fd2e1851571dcd5277965395891c438e963f4458724408b110155646b06d9e2776f3852f006349b7f7bdb96f287faee8adc3f75806617a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\rhcP2Jr\_Files\_Information.txt

Filesize
5KB

MD5
3e76a403700508def47f7bad4679cfa5

SHA1
44d636e9f4a9728ce4e2e507077c23d6b92b32b3

SHA256
6b9d688cec860e8111affbb3e47d13ad01021fd348e9e512ae190b7b42724e75

SHA512
58d1128095f961f5369aa14b5df9e516331c2690ba83bf176e904d2210ed721175edbf0b44f0221a99a339164a48898ea7cd1932a4c7780e9cadf8f792c5929f

Download Submit
C:\Users\Admin\AppData\Local\Temp\rhcP2Jr\_Files\_Screen_Desktop.jpeg

Filesize
48KB

MD5
104eb8ba21e19ec0c1241675a5382222

SHA1
c7cab5b09573f4435cb2e195b2c4dd28a35a312b

SHA256
e50e4b83805b51a53934c564dcd44a06af201a91297a98c5aac3a9d33ea1b1d0

SHA512
9fc592e14b0ef497c8ec6bcff093a0375370dc916e3d263a2d452c9bbb7812f07862e86d3d001572ad268eb0874bd99a2f90cf680fc9d9925e8dffaf3d7973a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\rhcP2Jr\files_\system_info.txt

Filesize
1KB

MD5
3cdf5653b355b9f3ea23bb2e254b7fd2

SHA1
4ed6ca417b75563cfbe9ae028a687a4d67073562

SHA256
6f3441011cba13eef5c078efe566ce07477859a6c143b29ea9a3fda97c3fb4b9

SHA512
574020a2678e9854e100cb72a424470eb69d453285ae31f268369f48f60211170a6d066a1b36b995ef8765b6351d9e66b5ad27c5313e28a457fa98cb21dc9fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\rhcP2Jr\files_\system_info.txt

Filesize
7KB

MD5
5ba6b209a2211a632f8d34ed039ed522

SHA1
58877b5aa9af4f859cef3e750fc8ef42b9c12b22

SHA256
c564dc7ee26c0b964bf27001be9b37c069d32d848eead0c4714ccd62abac482e

SHA512
481aa024c8e1c5f054748badc0044b469aa681363a7e7bf29fba464745ac21106047d541039b7eeb7733c6794b2330ddd816e592d404880f47c4a9e2dc9875f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\rhcP2Jr\smWLloVPlM.zip

Filesize
43KB

MD5
88783c3117ff00f7a1ce2332ba763284

SHA1
f9c4da2b1206f02c861582d8b9c0e7d586c34d13

SHA256
cd2f8ec8ba2ffffd7cd8bb3d8f060ac1aa247b8666891da18e3b38a03f4b39b7

SHA512
1b237216bf6be41fc938ecc4684c2ad54410be6ce263ea86205753b10984a1ea8b41ee8b52a5b8a37143fb359678f81c310faed725c1f48836b57652f24c86b1

Download Submit
memory/1260-3-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1260-1-0x0000000002EA0000-0x0000000002FA0000-memory.dmp

Filesize
1024KB

Download
memory/1260-218-0x0000000002EA0000-0x0000000002FA0000-memory.dmp

Filesize
1024KB

Download
memory/1260-220-0x0000000004AB0000-0x0000000004B50000-memory.dmp

Filesize
640KB

Download
memory/1260-219-0x0000000000400000-0x0000000002CCC000-memory.dmp

Filesize
40.8MB

Download
memory/1260-221-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1260-2-0x0000000004AB0000-0x0000000004B50000-memory.dmp

Filesize
640KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads