cryptbot | 4a26bf04a82781ba937c450a3ebfa33556aec1a645fa820ff8cffde9b2b5a240

General

Target

d176e50d489f6ed1109d9954944877b6_JaffaCakes118.exe
Size

609KB
MD5

d176e50d489f6ed1109d9954944877b6
SHA1

f23f1dd77727fc85fcfc8227c6d6021803e5231f
SHA256

4a26bf04a82781ba937c450a3ebfa33556aec1a645fa820ff8cffde9b2b5a240
SHA512

a0d316a84bb566d409cb50b0d8612960e8ef280f936b6838e23a9e8f85201e1d9dbc3ec4234d6859d19514621190ce6fd925f6ec06dbce208165ceb19f262c51
SSDEEP

12288:w2DMbd4yPDeCpZNqmSr/U7wpgGBp4NC7D7M9C5vYpM:pMCIeC5urKwFp4NuE9aA

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Extracted

Family

cryptbot

C2

lysvay12.top

moroer01.top

Attributes

payload_url
http://damuxa01.top/download.php?file=lv.exe

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 6 IoCs

resource	yara_rule
behavioral1/memory/1292-2-0x00000000043F0000-0x0000000004490000-memory.dmp	family_cryptbot
behavioral1/memory/1292-3-0x0000000000400000-0x00000000004A3000-memory.dmp	family_cryptbot
behavioral1/memory/1292-4-0x0000000000400000-0x0000000002CCE000-memory.dmp	family_cryptbot
behavioral1/memory/1292-222-0x00000000043F0000-0x0000000004490000-memory.dmp	family_cryptbot
behavioral1/memory/1292-224-0x0000000000400000-0x00000000004A3000-memory.dmp	family_cryptbot
behavioral1/memory/1292-223-0x0000000000400000-0x0000000002CCE000-memory.dmp	family_cryptbot

Cryptbot family
cryptbot
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d176e50d489f6ed1109d9954944877b6_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	d176e50d489f6ed1109d9954944877b6_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	d176e50d489f6ed1109d9954944877b6_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1292	d176e50d489f6ed1109d9954944877b6_JaffaCakes118.exe
1292	d176e50d489f6ed1109d9954944877b6_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\d176e50d489f6ed1109d9954944877b6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d176e50d489f6ed1109d9954944877b6_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
PID:1292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\VJKs86hlSwdc\XbLyGrikhcnNTz.zip

Filesize
40KB

MD5
339ebb39468a61f92ae9e67852644db0

SHA1
b5f8db33b136bc046766e47e1d0ddf0627fb5cbc

SHA256
b61f0efde50fd454fe8a7c2cc1f19c15ddc627708a50a7c13e6178c3752e93d4

SHA512
bc909d5ab47249648ee31f0a81ba9302fb54f99b3d4be34694075bf3f06bc4f11a67cefa5dad08c14639a17bcead6093788a3bdf3bce0af1cd03042c6ec87946

Download Submit
C:\Users\Admin\AppData\Local\Temp\VJKs86hlSwdc\_Files\_Information.txt

Filesize
8KB

MD5
668e256296aaa9839b1ee79414e395f5

SHA1
6e29c53d0f616989aa82ebe69d2ba0d48dcaec0b

SHA256
43984e8d5785c660f38354e4617478bb0f65296ffdd670abae86ca734abc8289

SHA512
486585bdf1a4d178b6a5e895266b3cabc3f5d1819878edc1bc68ad718b73468cd720546a63f213f15918e588667ad783f57099d13a51beff86601969c56cf517

Download Submit
C:\Users\Admin\AppData\Local\Temp\VJKs86hlSwdc\_Files\_Information.txt

Filesize
8KB

MD5
c24b053796d218f59af1e0e71b4fe273

SHA1
a3c6623a5eec7c7383e3ccd37add591759c21eab

SHA256
2e91702983a9de09671f530d0dea5dceec7c744b9968176f831752ad010ac64e

SHA512
404fb57ac10c5148b8512c8d0868113791c9ff35f2f67c393ab15bee8f3692bb776f38f3d70a37fbb205225007c268a1219cdd482402580ca3adeb961f4985db

Download Submit
C:\Users\Admin\AppData\Local\Temp\VJKs86hlSwdc\_Files\_Screen_Desktop.jpeg

Filesize
47KB

MD5
e12792d9471b8115fd4e4333ba3905d6

SHA1
89cf8a71be14476273fade66a9f32accc95254ce

SHA256
1a5bb119ebbcfb0381905c574de4fb186f905cf5b9e647fb2f29e224e6488e68

SHA512
24e0b73060d2ff39f79dd1a76a30e5283cf61df0f5d3b6fab4bb60675b0b23bf6918a40318395b6ad04c262a672160bf3e724f5fedacbca610e252d1cac5baac

Download Submit
C:\Users\Admin\AppData\Local\Temp\VJKs86hlSwdc\files_\system_info.txt

Filesize
744B

MD5
e073d0546b724ef616cb7b596c9c3593

SHA1
147e473e3cb9e2e054bcc178862f31b9a6aef2d5

SHA256
02dbf4fde778937c6f1dba0392e60358a5872c6b9bd6bf70193c4abd771e22cf

SHA512
7d29936a9545b9d550618f83442967650d5a16e3e6667255705b31c974e26457f95e39b0a02131f94b4e642705a5932f43e3d110ed95eac7dad18b7b0c67f1e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\VJKs86hlSwdc\files_\system_info.txt

Filesize
8KB

MD5
edd959089789658327137e718dabcbed

SHA1
3b1527832ba41678f25c5630f349aee8c664356b

SHA256
ac27594f3faf1aaa48291576cc8f3f085a3bcfce7e763e2e27f71c4968136313

SHA512
9483bdcbaad3f88562378d21fbf80d2c205104451948c56403ce6921bac18d585e9e8a7b5bcc5a47a517a6cfebfeba206faeac0737a634fc3902cecd7a628cbe

Download Submit
memory/1292-4-0x0000000000400000-0x0000000002CCE000-memory.dmp

Filesize
40.8MB

Download
memory/1292-1-0x0000000000230000-0x0000000000330000-memory.dmp

Filesize
1024KB

Download
memory/1292-3-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1292-221-0x0000000000230000-0x0000000000330000-memory.dmp

Filesize
1024KB

Download
memory/1292-222-0x00000000043F0000-0x0000000004490000-memory.dmp

Filesize
640KB

Download
memory/1292-224-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1292-223-0x0000000000400000-0x0000000002CCE000-memory.dmp

Filesize
40.8MB

Download
memory/1292-2-0x00000000043F0000-0x0000000004490000-memory.dmp

Filesize
640KB

Download

Analysis

Sharing