cryptbot | 56f3dcaa23c6f1f9fb9178fcf382168773b832236dc2955e24964e0acc6f0884

General

Target

JaffaCakes118_56f3dcaa23c6f1f9fb9178fcf382168773b832236dc2955e24964e0acc6f0884.exe
Size

727.6MB
MD5

e8eafc4826f22001b09f5cee3e46e54e
SHA1

e66b4001dc5fc5183a78253a649619b815a9c873
SHA256

56f3dcaa23c6f1f9fb9178fcf382168773b832236dc2955e24964e0acc6f0884
SHA512

e08cf4e23eb3953ceb473f1175602d6ac3d7ab4677f44d971d0bedc7ca0c837acff523f9b78fe28b50d60ba3a9f39410fe4ac348410ddbd3b30d3d826ce02c3d
SSDEEP

196608:mTdgDIK/MAVDXme7TshVez4GwrwTT19lGO5A/+:fP/JcWeruJ3

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Extracted

Family

cryptbot

C2

http://kudxoq75.top/gate.php

Attributes

payload_url
http://tamlar10.top/allude.dat

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Cryptbot family
cryptbot
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	JaffaCakes118_56f3dcaa23c6f1f9fb9178fcf382168773b832236dc2955e24964e0acc6f0884.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	JaffaCakes118_56f3dcaa23c6f1f9fb9178fcf382168773b832236dc2955e24964e0acc6f0884.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4112	JaffaCakes118_56f3dcaa23c6f1f9fb9178fcf382168773b832236dc2955e24964e0acc6f0884.exe
4112	JaffaCakes118_56f3dcaa23c6f1f9fb9178fcf382168773b832236dc2955e24964e0acc6f0884.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_56f3dcaa23c6f1f9fb9178fcf382168773b832236dc2955e24964e0acc6f0884.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	JaffaCakes118_56f3dcaa23c6f1f9fb9178fcf382168773b832236dc2955e24964e0acc6f0884.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	JaffaCakes118_56f3dcaa23c6f1f9fb9178fcf382168773b832236dc2955e24964e0acc6f0884.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	JaffaCakes118_56f3dcaa23c6f1f9fb9178fcf382168773b832236dc2955e24964e0acc6f0884.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4112	JaffaCakes118_56f3dcaa23c6f1f9fb9178fcf382168773b832236dc2955e24964e0acc6f0884.exe
4112	JaffaCakes118_56f3dcaa23c6f1f9fb9178fcf382168773b832236dc2955e24964e0acc6f0884.exe
4112	JaffaCakes118_56f3dcaa23c6f1f9fb9178fcf382168773b832236dc2955e24964e0acc6f0884.exe
4112	JaffaCakes118_56f3dcaa23c6f1f9fb9178fcf382168773b832236dc2955e24964e0acc6f0884.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_56f3dcaa23c6f1f9fb9178fcf382168773b832236dc2955e24964e0acc6f0884.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_56f3dcaa23c6f1f9fb9178fcf382168773b832236dc2955e24964e0acc6f0884.exe"
1⤵
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BC90.tmp

Filesize
32B

MD5
7a8ac9fa48e6e437e211f7c1b2cd2105

SHA1
8bb3d14fde1c1af01c4433c291cfa96a5c3a34a2

SHA256
e35bc6c050606b9988f872be53346d0ee930f12a5dee58e5cd0c288b04c0c33e

SHA512
e86fc2449820a2ba8b804898fe4f2d82dabf45b2078e826f4d4a9e1a53434b3d06702e303edd1c90c8e5ca4189f360fd0d7db935b6b27924df97e24729518b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\BD6F.tmp

Filesize
116KB

MD5
09368884c09befec31894bb90946459f

SHA1
485f538b65e8c7ed68f65b5797a4fe56c8814a48

SHA256
73bf02a0d07ec0dda4d6ec16a79a4d73396923e5bef5dad91e1c0db965083e0b

SHA512
50d6956d0242175843dc03cb3b58bc4aa7f6e023062d97136e435520539864dca900f96bc3119a62c3a4dbcffc7ddf1f6a1c33eb5838a6f88c6b3a374df73907

Download Submit
C:\Users\Admin\AppData\Local\Temp\C076.tmp

Filesize
32B

MD5
6a1a009426e1664e77e650762c43a9e7

SHA1
3b4cf56a1df4c2986a53bed13f4752078673bd53

SHA256
e3bfded11f5a37d6ff3e1771d2d98e45e28c4d92941ac22a91e6ff9ea19d594e

SHA512
836eed648fb912a055e0fc5fa90398b16e3497a696425c281bd792cbee349f1bf0aba58812922109118808e4d801c34a4aa2e3ce462045c618f509e849bffa4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\C0A8.tmp

Filesize
8KB

MD5
0f232086211230c987dfaa97316cdda2

SHA1
89f90c1cc6577e346346fe25e4c79ddb2d029841

SHA256
9ce13384f776b3ebb8e0c0a418b61090235bf33803423300fe4b9c2bd2ec747a

SHA512
db0b4b79dd1764f4c379325dbf8a6d3cbeedc4771731d557b81b8fb00cc142b81fce9ae0b86d84559c350c40143aa315d521d0088b80caef2add480973869b84

Download Submit
memory/4112-0-0x00000000004D1000-0x000000000082E000-memory.dmp

Filesize
3.4MB

Download
memory/4112-2-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/4112-1-0x00000000029E0000-0x00000000029E1000-memory.dmp

Filesize
4KB

Download
memory/4112-3-0x0000000000400000-0x0000000000B98000-memory.dmp

Filesize
7.6MB

Download
memory/4112-111-0x00000000004D1000-0x000000000082E000-memory.dmp

Filesize
3.4MB

Download
memory/4112-112-0x0000000000400000-0x0000000000B98000-memory.dmp

Filesize
7.6MB

Download
memory/4112-113-0x0000000000400000-0x0000000000B98000-memory.dmp

Filesize
7.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads