cryptbot | 4a26bf04a82781ba937c450a3ebfa33556aec1a645fa820ff8cffde9b2b5a240

General

Target

d176e50d489f6ed1109d9954944877b6_JaffaCakes118.exe
Size

609KB
MD5

d176e50d489f6ed1109d9954944877b6
SHA1

f23f1dd77727fc85fcfc8227c6d6021803e5231f
SHA256

4a26bf04a82781ba937c450a3ebfa33556aec1a645fa820ff8cffde9b2b5a240
SHA512

a0d316a84bb566d409cb50b0d8612960e8ef280f936b6838e23a9e8f85201e1d9dbc3ec4234d6859d19514621190ce6fd925f6ec06dbce208165ceb19f262c51
SSDEEP

12288:w2DMbd4yPDeCpZNqmSr/U7wpgGBp4NC7D7M9C5vYpM:pMCIeC5urKwFp4NuE9aA

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Extracted

Family

cryptbot

C2

lysvay12.top

moroer01.top

Attributes

payload_url
http://damuxa01.top/download.php?file=lv.exe

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot payload 5 IoCs

resource	yara_rule
behavioral2/memory/744-2-0x0000000004A90000-0x0000000004B30000-memory.dmp	family_cryptbot
behavioral2/memory/744-3-0x0000000000400000-0x00000000004A3000-memory.dmp	family_cryptbot
behavioral2/memory/744-219-0x0000000004A90000-0x0000000004B30000-memory.dmp	family_cryptbot
behavioral2/memory/744-221-0x0000000000400000-0x00000000004A3000-memory.dmp	family_cryptbot
behavioral2/memory/744-220-0x0000000000400000-0x0000000002CCE000-memory.dmp	family_cryptbot

Cryptbot family
cryptbot
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d176e50d489f6ed1109d9954944877b6_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	d176e50d489f6ed1109d9954944877b6_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	d176e50d489f6ed1109d9954944877b6_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
744	d176e50d489f6ed1109d9954944877b6_JaffaCakes118.exe
744	d176e50d489f6ed1109d9954944877b6_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\d176e50d489f6ed1109d9954944877b6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d176e50d489f6ed1109d9954944877b6_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
PID:744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WPbVtqaUVY4U\_Files\_Information.txt

Filesize
3KB

MD5
3606764c713c9b269a00f6334bac8a67

SHA1
dfc66123c491d84f889269929d60f38483fd09a0

SHA256
8a2f16f9c26dc54ac84123d84c64c16837464753834fd027e77e71e32d2a9688

SHA512
0e7f793898732d6d854de5671e5de15252a553f9778bdcf0bac1f465362a4366c83d129867b5363bcb58cdf8b58aba8db609acda860bf5a60db26bbd2f177b35

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPbVtqaUVY4U\_Files\_Information.txt

Filesize
4KB

MD5
d826a0737191426fe9b8d396d9f3f9d8

SHA1
1165076b048db8c25136b87023ad166326430490

SHA256
b874f8fd57a21f14d77367e566cf3a82e1c6a144a842efa839628f62581dbdf8

SHA512
f7d5f366f033b8b4d8a214ef2ce327bd07f47cf3a43d8df324c3b506efd9fb86c27ef04511b439f7ecb4449a5edf20c61f61ecbb5b0e0e9077c33df86da58900

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPbVtqaUVY4U\_Files\_Screen_Desktop.jpeg

Filesize
50KB

MD5
c9580111f373466ecd0c12b4374790ba

SHA1
e7260e35a2376fab57e6df70a426694869eb420a

SHA256
5e32bf7441c4c935db9acaf4cb43c90d28d775cb01d07ffc3cbde33d1530570d

SHA512
53710dd477aabd07feb5650d234fb67b9e9b04c68925c338311060ecc6b850d8c54d24a9da97536333b41e930ca763a80711cedf8e2e6e2163263ff85f52a511

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPbVtqaUVY4U\files_\system_info.txt

Filesize
746B

MD5
70db1107120ad725d94ec66d7b44d3fa

SHA1
48ebba3643fa3bb689cfd6ab4bc409df025aac86

SHA256
49f1443da5592356c024ac0e6dd9e5f3d76e469cc6d6e736178dfe6ce11c8d8a

SHA512
5e47d242be818256cc6d50eb26d808519bcefbbfadccf82d2c2ec62e2fd55d7b024b57a814dda3b63d1877aee02f397e958060fe98d15626989fef804998ba58

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPbVtqaUVY4U\files_\system_info.txt

Filesize
2KB

MD5
27d78192bade2f9e8e348a81e764dfec

SHA1
e2eff8ad21b81e0d131329dfe8a02c30d6f5b73b

SHA256
df38c889a50f13a1eb538dce60a729d0564baab6bb88a195cc4155fcfedd9606

SHA512
f5a406131014420272c7649aac87a08c3ed3f76b1d7d1b65f033f43f8b12b1b9fa77023205a5ae440ce75ff6efc2cf1fa0e49c357c37e84a83c7f7864c83e041

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPbVtqaUVY4U\files_\system_info.txt

Filesize
4KB

MD5
e40c4e72ea3b60e6c00f0efde2aa2ab6

SHA1
909f1495ff3a1a0d49c216e56d14b3e8b904c40a

SHA256
1475c08251270023cbe1971c0b85ce5b585767ce3a57240b0c47f37c37c2863f

SHA512
465d234e03e4c27844ac06d8970e5d61e1e05e8bb96d6f4680da2415f1131fb84299398fcb29cb771a507cdd62c14054706b1da9a80819f0f67e0611e9519805

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPbVtqaUVY4U\hEVkbXFpM3.zip

Filesize
44KB

MD5
a9465b29dc0c802289cd99025a2fc419

SHA1
505ebe6859caf8b372477b0aeb640b9c37d61f71

SHA256
b2d1cc1edf9ceae0573bede8452b73831c763f0dd63ebf7ebeeaa851e4580df4

SHA512
437b60ab162936d7b3f6f85a6fdde724189a7f4a0e714c51137cf54a7983a4809432d67b0ed71380e3d1dcceb0f555917e0584fdcdd61e1f35ac81c5530c773c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPbVtqaUVY4U\zNXubQtf3pE.zip

Filesize
44KB

MD5
34e3872cfecb043f778b7faa05739041

SHA1
e2faa31324e89e112ca8203a72b0632a9e310ab6

SHA256
3debe3de100d159f22b4f7134972d1358ce39001a1653160a2b87d6fc96b89b5

SHA512
c8951946e9f2caed0a93828973122be9a3267c8ec72a932eaf887942c13bc1cac02c041e2611f7975348f3e4281df613bbe983c2d994b10273bc7d24407d91bb

Download Submit
memory/744-3-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/744-2-0x0000000004A90000-0x0000000004B30000-memory.dmp

Filesize
640KB

Download
memory/744-1-0x0000000002D50000-0x0000000002E50000-memory.dmp

Filesize
1024KB

Download
memory/744-217-0x0000000002D50000-0x0000000002E50000-memory.dmp

Filesize
1024KB

Download
memory/744-219-0x0000000004A90000-0x0000000004B30000-memory.dmp

Filesize
640KB

Download
memory/744-221-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/744-220-0x0000000000400000-0x0000000002CCE000-memory.dmp

Filesize
40.8MB

Download

Analysis

Sharing