cryptbot | e40c1359fa0e86c65f50363b88e29a7d4d24990195cc766273203c496393ebe4

General

Target

cbbfe74029e6eb81ccc66d728428b328_JaffaCakes118.exe
Size

596KB
MD5

cbbfe74029e6eb81ccc66d728428b328
SHA1

75ca75a839b5605286385329839d01986b11b19d
SHA256

e40c1359fa0e86c65f50363b88e29a7d4d24990195cc766273203c496393ebe4
SHA512

9a8e97265e9a777c8d5e7b9508c444b574a58dad184c6b008ecda3106926e9c0eed15d11c220282054d70d7a61afceb308c4d4c6ed611a0c0a516e5f4aef1c12
SSDEEP

12288:bGTJt5et/HePSr9fg/YiTRtILP8IQXbcZ9uDWUJLypTJ4JLvC5:mJfet/He6r9fUHmPpQAWSqkWLv

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Extracted

Family

cryptbot

C2

lysvay12.top

moroer01.top

Attributes

payload_url
http://damuxa01.top/download.php?file=lv.exe

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 5 IoCs

resource	yara_rule
behavioral2/memory/1360-2-0x0000000004A30000-0x0000000004AD0000-memory.dmp	family_cryptbot
behavioral2/memory/1360-3-0x0000000000400000-0x00000000004A3000-memory.dmp	family_cryptbot
behavioral2/memory/1360-224-0x0000000004A30000-0x0000000004AD0000-memory.dmp	family_cryptbot
behavioral2/memory/1360-223-0x0000000000400000-0x0000000002CCB000-memory.dmp	family_cryptbot
behavioral2/memory/1360-225-0x0000000000400000-0x00000000004A3000-memory.dmp	family_cryptbot

Cryptbot family
cryptbot
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cbbfe74029e6eb81ccc66d728428b328_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	cbbfe74029e6eb81ccc66d728428b328_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	cbbfe74029e6eb81ccc66d728428b328_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1360	cbbfe74029e6eb81ccc66d728428b328_JaffaCakes118.exe
1360	cbbfe74029e6eb81ccc66d728428b328_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\cbbfe74029e6eb81ccc66d728428b328_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cbbfe74029e6eb81ccc66d728428b328_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
PID:1360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TLTLbtDu\5n2a6YNXaOh.zip

Filesize
382KB

MD5
aabf6537378d32298029d7c7e5df3297

SHA1
fe5a65a0243822c33529867fe21c643ba3d947e1

SHA256
4318aefdf035871dd2ed309d7b37c34d661debaaccca43cc2b96f1ffe1ed0d01

SHA512
ca09c85163bfab679171fdc3ae530acfc5f16f4421221c5cec1b1ea1a800c2b103b896739a3eab7d73e3ecea247ee5136b0179402cae47657cb59b4bf3b31fce

Download Submit
C:\Users\Admin\AppData\Local\Temp\TLTLbtDu\QgyAZRme2JaR.zip

Filesize
382KB

MD5
f1d6bf681e0679b6397e3af7938a6a03

SHA1
52f541c7c1b40bf2c74e3e4debca09a9c751d856

SHA256
88fb019762f94024d131922d84fa25a2756b071b3abbc3da59d9b340e9da4a4b

SHA512
d78ffbfb1f3fb015a0d104533127d622b689985adbd7b51bc134ab807d4630f6834157521bf0ada0c4e75a79533b253f3a7f16a141b868cf2b6a83cf51805261

Download Submit
C:\Users\Admin\AppData\Local\Temp\TLTLbtDu\_Files\_Files\EditSend.txt

Filesize
342KB

MD5
9659c05db583a26dad011ce1db907cab

SHA1
6cf880c385c310a6f4f1fcd2f5037715dd096575

SHA256
b16668e70795461ec02addca1308b10c19292ed3a1ed6be0431ee173886192ae

SHA512
e1a461a1423f56526c6a073e8c80bcaf93ac6f9a71dcfa98b483b7994394ec4417b0351e76fbc5525c5a585fc4f218cdb050f2e03c7a944dd741923b84168933

Download Submit
C:\Users\Admin\AppData\Local\Temp\TLTLbtDu\_Files\_Information.txt

Filesize
1KB

MD5
c83f89bdaca554bc3f305ce080957675

SHA1
05dfaf2de8a364fa0458cd41514cf5c6d43fd3a9

SHA256
2670b3d2220a952291955587908247937e8494ec041bb8a58fc6fa50ebd2c544

SHA512
b2e5fccc484e5d8ed3431d30f8281a4beb4cbf838777e8400bfe8c84439dc7ac8ec89b07f80f4a7b2ffc44c6591c55fbcd0f0f393c149596ca89e57a0e83b284

Download Submit
C:\Users\Admin\AppData\Local\Temp\TLTLbtDu\_Files\_Information.txt

Filesize
4KB

MD5
dabb75123839459b73c84df8c97f5317

SHA1
46b036f0fddeae71c6bc8c5e551871efda4be079

SHA256
1a3973c8d6d4550e30f673a2a67b184798f39e3e3e030d8b4610fb2eb924ca4f

SHA512
48331cfad67eac91dadc0df43802a69144b66626a7cc3408830afd912eb062176b32bcd9b1923aac6b58602f3c58ef5d0350a66a9eb5e0f21a3b4b1ddc453429

Download Submit
C:\Users\Admin\AppData\Local\Temp\TLTLbtDu\_Files\_Screen_Desktop.jpeg

Filesize
45KB

MD5
cacee8dea34a09cf79746d9a4097e7a2

SHA1
44ca142d49e7a17c5119eff0815a6c0fd198010e

SHA256
cf52bbb5c807a9c86b267f19cbff74d392895d47812c52ef7f0be3130bf1bc71

SHA512
b7c6ca0fc67651dcca8c1a2491dd94afb3e2513796a53b93a1225e573383e70cfd00a538b5c09f56ea1202e0f1b888ef45d6e835bb762711562e109b39e6801e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TLTLbtDu\files_\system_info.txt

Filesize
746B

MD5
0cf6a473e46d9922c8f2c9f91acd32f5

SHA1
edc65559d7679029980d46add0f78a3b168039a4

SHA256
6ad3644d04f14abd6ff051a497ef199385f0f1ed52a29fc2038c418bfc5597d8

SHA512
d116995db6a57c236577dcf759dca287f949987b4a3a42f638502a840d227a95580e7447c7f255510fee3044cea93d2f647a301d48e06fca8a70183dd2e63633

Download Submit
C:\Users\Admin\AppData\Local\Temp\TLTLbtDu\files_\system_info.txt

Filesize
7KB

MD5
6289889e7e5940cc318351d0e994c253

SHA1
369455fe9bc3daf2652cc5d2a5c5c4153205f286

SHA256
5c9563fc017c4f9ec1ac98c03c913d2321118fd4b05853695c5e97b63628853b

SHA512
ef58c937e5b0c89370511cb3a5fd81fbf9a4db828ce7a35f7bcceb78d1c90a44137553f75605fe0e4fa0458f326f5cf638e26b02438b81e94c78071fa069bd10

Download Submit
memory/1360-1-0x0000000002E50000-0x0000000002F50000-memory.dmp

Filesize
1024KB

Download
memory/1360-222-0x0000000002E50000-0x0000000002F50000-memory.dmp

Filesize
1024KB

Download
memory/1360-224-0x0000000004A30000-0x0000000004AD0000-memory.dmp

Filesize
640KB

Download
memory/1360-223-0x0000000000400000-0x0000000002CCB000-memory.dmp

Filesize
40.8MB

Download
memory/1360-225-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1360-3-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1360-2-0x0000000004A30000-0x0000000004AD0000-memory.dmp

Filesize
640KB

Download

Analysis

Sharing