General
-
Target
JaffaCakes118_5a9e3280eb6db0cfbd5a5fd70a4c58e35e397c29f7cda8306c681151030f4352
-
Size
6.7MB
-
Sample
241225-17zjjszqal
-
MD5
8d39ac315e1b224de97e282414967265
-
SHA1
97a44f78b91da3129e108a40e28e1cf6c3c932fe
-
SHA256
5a9e3280eb6db0cfbd5a5fd70a4c58e35e397c29f7cda8306c681151030f4352
-
SHA512
65d3f8acdc1da1941c6a86ab8b3134d52f2b88e9972aa475120cee560a10fba30c740aa81d08866964af04357f6b32be72a45d1cf6b50f224afae3c26f9b5445
-
SSDEEP
196608:7yy2/AGulG1pk8xbpAxbAL6USws916g98yuPnBWJ/2OXv:B24IYWqI6xMA8Xn4B
Malware Config
Extracted
cryptbot
verf04.info
Targets
-
-
Target
576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510
-
Size
4.6MB
-
MD5
d75d7dce371da77f30f35288b8ff37f3
-
SHA1
03a63127e19682acb329a4abfffb031311854c00
-
SHA256
576fc63980d3db3e2bbada7b11b7ff8585b18fa42e01cce219551799e0335510
-
SHA512
4fe86c0d0d2022f1986c786e882127dda583cfb7be9df7313db9b982bd8aad1f1b8919d0e0c883c1793768e2c7c6f3a9aeb138ace7264c887f69870ce14970fb
-
SSDEEP
98304:IGEqCZgN7219sQrtQwPWD9pEof9RvcScw2cepvi6yvSVj9QYO:IGEqC4K1uQxQwu9Rvc1li6ny
Score10/10-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Cryptbot family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
$PLUGINSDIR/System.dll
-
Size
11KB
-
MD5
bf712f32249029466fa86756f5546950
-
SHA1
75ac4dc4808ac148ddd78f6b89a51afbd4091c2e
-
SHA256
7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af
-
SHA512
13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4
-
SSDEEP
192:0N2gQuUwXzioj4KALV2upWzVd7q1QDXEbBZ8KxHdGzyS/Kx:rJoiO8V2upW7vQjS/
Score3/10 -
-
-
Target
$PLUGINSDIR/UAC.dll
-
Size
14KB
-
MD5
adb29e6b186daa765dc750128649b63d
-
SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9
-
SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
-
SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada
-
SSDEEP
192:DiF6v2imI36Op/tGZGfWxdyWHD0I53vLl7WVl8e04IpDlPjs:DGVY6ClGoWxXH75T1WVl83lLs
Score3/10 -
-
-
Target
$PLUGINSDIR/UserInfo.dll
-
Size
4KB
-
MD5
c7ce0e47c83525983fd2c4c9566b4aad
-
SHA1
38b7ad7bb32ffae35540fce373b8a671878dc54e
-
SHA256
6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae
-
SHA512
ee9f23ea5210f418d4c559628bbfb3a0f892440bcd5dc4c1901cb8e510078e4481ea8353b262795076a19055e70b88e08fee5fb7e8f35a6f49022096408df20e
Score3/10 -
-
-
Target
$PLUGINSDIR/nsDialogs.dll
-
Size
9KB
-
MD5
4ccc4a742d4423f2f0ed744fd9c81f63
-
SHA1
704f00a1acc327fd879cf75fc90d0b8f927c36bc
-
SHA256
416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6
-
SHA512
790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb
-
SSDEEP
192:SbEunjqjIcESwFlioU3M0LLF/t8t9pKSfOi:SbESjFCw6oWPFl8jfOi
Score3/10 -
-
-
Target
Install.exe
-
Size
2.1MB
-
MD5
f59df95a5f1760ed6d213f5ad70c0510
-
SHA1
697dd19671251ed102d92cb730e7854a7611a53f
-
SHA256
2ee4567751ec4fca4a9390b4743625bee298955cc2cb6375341d673ef0003ab5
-
SHA512
f553f4053bae6236fd093be86240883b12b9457860e1249707cc4d6212a2fb953d31836106b3c1e8be3fb23de1c3835fb0aaa2e93d0e39422a03e4fc1e75f194
-
SSDEEP
49152:gku1iJxTg812RE+bxfYMULARTNSabPiYP+cmozJtRhd77K4:HuWe81cpNaUtNSabPiJ+Jtp7V
Score10/10-
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
-
Cryptbot family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
Notepad2.exe
-
Size
693KB
-
MD5
b60d390ba42c0109ee38de2e0ca56e1a
-
SHA1
735a4eb61fe695c9bd2c9961f5fa41ac5a73d833
-
SHA256
9ac61841c5a9716c04d632f9d107a17e94af751573a50b9d2c1d5ce26e32b477
-
SHA512
97d17a96a5773f2c8c78a1b985e75314c0ad8a5d9188b6e3d327b1445c04b15b99bd1697b8b12e4f3e56d040e5570f9e7b938e4d67cacca03a947093a082dc24
-
SSDEEP
12288:6tmI4blkGgFigjLHnrX96Uym8EXwTfEIVXxuFNOFwXi4tjp:6tUtgI2LLX96E8EXwICgKwXi4tjp
Score3/10 -
-
-
Target
util.exe
-
Size
2.3MB
-
MD5
1a399301e1eb1821088776166420c80e
-
SHA1
317bfecd99d6b0d7415173b55781deb4afc428b8
-
SHA256
69344b8a53d189c7640d0ada5f74b5febcd7b06e5aa5c4fc01a7c676ec986b67
-
SHA512
679e7e6c777287303e64d9c3b1d6d23fab2331708a17ba922746db240e25c35a60418f65302c294b851d2cf095cb6b5f174e3b300e74664c54df2349561992fe
-
SSDEEP
49152:nWnhoRhvQgR8+z1JLmgbPfrXPyBumegoauebmupsE5dv7okOUHl/k:nCE4gR8qEqgoaucPsE5dvt1t
Score9/10-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
6e80e005df38336538ccb8d85ab2bc29cfa761243a4715a28c437c501170372d
-
Size
1.1MB
-
MD5
3667fcde90db97a8b6007a06ff7b49da
-
SHA1
d21c5a703d711950b1e052a7a1bf70e2e14fdf19
-
SHA256
6e80e005df38336538ccb8d85ab2bc29cfa761243a4715a28c437c501170372d
-
SHA512
9c6dce629f70fc3eeda4dbd171aef01b53f1b4a087f56c09f67e661a775c0a0c4b84313f65d14ec90dfbbc62e09fd85f158d2e9d1fd43242a11059d6195232ef
-
SSDEEP
24576:bI1HQFplGzTSqzKMquOYrDbl015VCTaKUxcFk2CnfsgvPQnyv/cHw:c1HQFplGpKlubr/EfsbRknUgvPQnyGw
Score7/10-
Executes dropped EXE
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-
-
-
Target
$PLUGINSDIR/System.dll
-
Size
11KB
-
MD5
bf712f32249029466fa86756f5546950
-
SHA1
75ac4dc4808ac148ddd78f6b89a51afbd4091c2e
-
SHA256
7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af
-
SHA512
13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4
-
SSDEEP
192:0N2gQuUwXzioj4KALV2upWzVd7q1QDXEbBZ8KxHdGzyS/Kx:rJoiO8V2upW7vQjS/
Score3/10 -
-
-
Target
$PLUGINSDIR/UAC.dll
-
Size
14KB
-
MD5
adb29e6b186daa765dc750128649b63d
-
SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9
-
SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
-
SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada
-
SSDEEP
192:DiF6v2imI36Op/tGZGfWxdyWHD0I53vLl7WVl8e04IpDlPjs:DGVY6ClGoWxXH75T1WVl83lLs
Score3/10 -
-
-
Target
$PLUGINSDIR/UserInfo.dll
-
Size
4KB
-
MD5
c7ce0e47c83525983fd2c4c9566b4aad
-
SHA1
38b7ad7bb32ffae35540fce373b8a671878dc54e
-
SHA256
6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae
-
SHA512
ee9f23ea5210f418d4c559628bbfb3a0f892440bcd5dc4c1901cb8e510078e4481ea8353b262795076a19055e70b88e08fee5fb7e8f35a6f49022096408df20e
Score3/10 -
-
-
Target
$PLUGINSDIR/nsDialogs.dll
-
Size
9KB
-
MD5
4ccc4a742d4423f2f0ed744fd9c81f63
-
SHA1
704f00a1acc327fd879cf75fc90d0b8f927c36bc
-
SHA256
416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6
-
SHA512
790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb
-
SSDEEP
192:SbEunjqjIcESwFlioU3M0LLF/t8t9pKSfOi:SbESjFCw6oWPFl8jfOi
Score3/10 -
-
-
Target
vpn2.exe
-
Size
1.3MB
-
MD5
fedc12761c161021b24e55df8634a0d5
-
SHA1
750bcf790aa9d2981d90a3ede63ca7856ae12eeb
-
SHA256
c18292ba5f1e7081f1afaf5e62e63823ffc1673ea59a9d62cd4ff1b8ec7e1903
-
SHA512
838333cfe967e99b8a23499a13123ddedfbbd369b968524cbc7cf442444350b985ceddf2cfa79513923f06f409759ae022d670b71b12611fae331fb40909fc7a
-
SSDEEP
24576:aOUmR8GQTNqYKRquOpr4bl0k5a4ha+lxAAkld2IfLDa+j/I+V:xR8GMKQuYr6nEs7lkWIfLDa+j/I
Score6/10-
Legitimate hosting services abused for malware hosting/C2
-
-
-
Target
c18292ba5f1e7081f1afaf5e62e63823ffc1673ea59a9d62cd4ff1b8ec7e1903
-
Size
1.3MB
-
MD5
fedc12761c161021b24e55df8634a0d5
-
SHA1
750bcf790aa9d2981d90a3ede63ca7856ae12eeb
-
SHA256
c18292ba5f1e7081f1afaf5e62e63823ffc1673ea59a9d62cd4ff1b8ec7e1903
-
SHA512
838333cfe967e99b8a23499a13123ddedfbbd369b968524cbc7cf442444350b985ceddf2cfa79513923f06f409759ae022d670b71b12611fae331fb40909fc7a
-
SSDEEP
24576:aOUmR8GQTNqYKRquOpr4bl0k5a4ha+lxAAkld2IfLDa+j/I+V:xR8GMKQuYr6nEs7lkWIfLDa+j/I
Score6/10-
Legitimate hosting services abused for malware hosting/C2
-
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2