cryptbot | e40c1359fa0e86c65f50363b88e29a7d4d24990195cc766273203c496393ebe4

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
06/12/2024, 07:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cbbfe74029e6eb81ccc66d728428b328_JaffaCakes118.exe
Size

596KB
MD5

cbbfe74029e6eb81ccc66d728428b328
SHA1

75ca75a839b5605286385329839d01986b11b19d
SHA256

e40c1359fa0e86c65f50363b88e29a7d4d24990195cc766273203c496393ebe4
SHA512

9a8e97265e9a777c8d5e7b9508c444b574a58dad184c6b008ecda3106926e9c0eed15d11c220282054d70d7a61afceb308c4d4c6ed611a0c0a516e5f4aef1c12
SSDEEP

12288:bGTJt5et/HePSr9fg/YiTRtILP8IQXbcZ9uDWUJLypTJ4JLvC5:mJfet/He6r9fUHmPpQAWSqkWLv

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Extracted

Family

cryptbot

lysvay12.top

moroer01.top

Attributes

payload_url
http://damuxa01.top/download.php?file=lv.exe

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 6 IoCs

resource	yara_rule
behavioral1/memory/2196-2-0x0000000000330000-0x00000000003D0000-memory.dmp	family_cryptbot
behavioral1/memory/2196-3-0x0000000000400000-0x00000000004A3000-memory.dmp	family_cryptbot
behavioral1/memory/2196-4-0x0000000000400000-0x0000000002CCB000-memory.dmp	family_cryptbot
behavioral1/memory/2196-222-0x0000000000330000-0x00000000003D0000-memory.dmp	family_cryptbot
behavioral1/memory/2196-224-0x0000000000400000-0x00000000004A3000-memory.dmp	family_cryptbot
behavioral1/memory/2196-223-0x0000000000400000-0x0000000002CCB000-memory.dmp	family_cryptbot

Cryptbot family
cryptbot
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cbbfe74029e6eb81ccc66d728428b328_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	cbbfe74029e6eb81ccc66d728428b328_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	cbbfe74029e6eb81ccc66d728428b328_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2196	cbbfe74029e6eb81ccc66d728428b328_JaffaCakes118.exe
2196	cbbfe74029e6eb81ccc66d728428b328_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\cbbfe74029e6eb81ccc66d728428b328_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cbbfe74029e6eb81ccc66d728428b328_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TLTLbtDu\QgyAZRme2JaR.zip

Filesize
44KB

MD5
50041063e3e5caf1b5add29602c5d622

SHA1
0ebd28446b0d80980b6883a3f4a14affa4506883

SHA256
88017741af810b6d1e9d31a933c30bc82ef75d6d582c3ecbd9c1c73e9029deee

SHA512
f49944bb687d0d40d02a41401e3b692b7c56d734913f0b6a73eff91ba13cd928652da4abcb14cd96f18dc27f61d22fddcbceedb38e243786819c4a0ed7298851

Download Submit
C:\Users\Admin\AppData\Local\Temp\TLTLbtDu\_Files\_Information.txt

Filesize
1KB

MD5
10c8ba9a5e355813e9fe5b65afa8720d

SHA1
a7a266240e6473134529b43347b8bfc1897948ae

SHA256
cc80d9f3494681941db98a7be2bb1b4a4200b39c0be5749f4f6ac9deea0200bd

SHA512
fce41207948678909cd9d8cc264867137239a6bfbdcf36891fc21f6dfa5712e8810ff23c1f24f07e243e44d4a029a8753c7185bd4d9b6d882cbbf69089579333

Download Submit
C:\Users\Admin\AppData\Local\Temp\TLTLbtDu\_Files\_Information.txt

Filesize
2KB

MD5
fb8185e3938eddc2b55745a7e58aa72a

SHA1
f414f096632aeb3a9e24bddf41b8007038fe3549

SHA256
4242925ca5216ab126601cb6bd9bc0a6ce878584768b74e1706c4a98c1ca9efc

SHA512
903f0e4cbe780137e9694d730c2519eb91ed1bc44cd32860f77ce26369794967cd9b9d098e8e82553e4353bef35f158af1ac7e77440b166a4a630037a8379ebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\TLTLbtDu\_Files\_Information.txt

Filesize
8KB

MD5
013deb52080b631fbc2d0f46b08152db

SHA1
e1169f8eb885b16d5dea3a9f56a0cdbd887cb11e

SHA256
ced4d449cd3bf7c95e3a1febbb827a1a14c69124aaa625a16aa13db0d4573e28

SHA512
e49710d5fd18e2d825d779cf42315bee4cb791ad81e843fc423508c7b9720aa725e084d3ce08b39a5cc629f7b96d3cfa0112a2f7db56c978342ec515bd0dd2f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TLTLbtDu\_Files\_Screen_Desktop.jpeg

Filesize
51KB

MD5
76bb1fbce8ab85508342a343c4e983c7

SHA1
8e9bb2092eda158a8d212ca805308f151d3ab8f7

SHA256
9b9cbf17cd5803f548d5266275ef894611c8ea8bca61d26d632045c867cfa40f

SHA512
f146dabecf066017989ecd8f6aa2b53673f04da77eb3017833ea9193defec4171f1568518fd0c0d780d5bc9fcb7d69688222ae8181fdb5de63fced590ae9090f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TLTLbtDu\files_\system_info.txt

Filesize
1KB

MD5
da789109ac1d46a890b331452f5a859c

SHA1
1d4e22e630be15dafc5e134eb8e31aa9124494cd

SHA256
7ea9a3223492a1776cf5d3b9af2f1ebac8f2fbaaa8cf8873c0dd71d10ba7c8e4

SHA512
2546de6b54f3092da16a7beed8171cf9cb916165129c1870edf9129d45b5756738dfbace814e2d26ddc42dda166eb21148011a5233ce4d20d5292c696fb6c949

Download Submit
C:\Users\Admin\AppData\Local\Temp\TLTLbtDu\files_\system_info.txt

Filesize
1KB

MD5
98b8d102c99fb6fed2462e7d57dca6e5

SHA1
539b654e54d74501e1327b27e96763648bbe151f

SHA256
f966eafd7cc4c9936a91d2c4a49f9e97a244d3e44582c966d00b13e38f05c115

SHA512
230ba4027363ad5e3495ec71b23256f04617baf433fe7a5ab1eee0c144c1fa9a13425c9d8d2652ba613078acec9a441b71e6a5f2145d72f1f86964f6f268c6b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\TLTLbtDu\files_\system_info.txt

Filesize
3KB

MD5
607aee0ff0bedcbd59f7f4e89859744e

SHA1
60221d79bdb97fc0dd1c3eca847aebfe0cf60dbf

SHA256
73d2da1f9a5320b09c5a0b7cc53321df27756400e139f7efcd8a9175e8761704

SHA512
d76b22016bc27a1d85a6b2ec779637792d1542a3aac323473b9b5e4d1588f5b09b0d9bf584329faca0ee33e9192db8503f1650c08a658ed9ba8b263367bca5a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\TLTLbtDu\files_\system_info.txt

Filesize
8KB

MD5
4a3d2da3977185fcbda0182d65dca1ab

SHA1
39cb4946a64fb47ca40313b1ab0223b20ca714b5

SHA256
9c681b5b89ca8e3cc775fdf9d28a03ed4809fa011c07b6f7e36317b0723d19ad

SHA512
209d0d7360504f1ed6998bb1b0959a9cdfa750b9fde08cfbab42d53978f6feb9fbb1ee2db00d629fbf2e1b60c94a75a8246bdc4db65598b46e7d2f459abd0858

Download Submit
memory/2196-4-0x0000000000400000-0x0000000002CCB000-memory.dmp

Filesize
40.8MB

Download
memory/2196-1-0x0000000002D50000-0x0000000002E50000-memory.dmp

Filesize
1024KB

Download
memory/2196-3-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2196-221-0x0000000002D50000-0x0000000002E50000-memory.dmp

Filesize
1024KB

Download
memory/2196-222-0x0000000000330000-0x00000000003D0000-memory.dmp

Filesize
640KB

Download
memory/2196-224-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2196-223-0x0000000000400000-0x0000000002CCB000-memory.dmp

Filesize
40.8MB

Download
memory/2196-2-0x0000000000330000-0x00000000003D0000-memory.dmp

Filesize
640KB

Download