cryptbot | 20d4c85a6b854c3e7c7d69145a6bc199a376bf12cb1fbda2361d888c7e7aadec

General

Target

JaffaCakes118_20d4c85a6b854c3e7c7d69145a6bc199a376bf12cb1fbda2361d888c7e7aadec.exe
Size

387KB
MD5

da6aae5a8de3423b5930348f0118a189
SHA1

3333b39ae134a1e102d00c5241e2cb7ea7761dbb
SHA256

20d4c85a6b854c3e7c7d69145a6bc199a376bf12cb1fbda2361d888c7e7aadec
SHA512

1901a501d5dee2cc2dc78c8a102c9e686dc16fe7913382fbda353b52c5f8d2aa4603e2bf53d4525181faf5093040940b7a07740440594d459fabf641cc612012
SSDEEP

6144:GRTN8mVs7XZj0vjlcAmgRQZxli5H/9l1R74X7vAGa7k8Ty:GRB8mMXZSjpRwi5HVV4XUHo

Score

10^/10

cryptbot credential_access discovery spyware stealer

Malware Config

Extracted

Family

cryptbot

C2

unic12m.top

unic12e.top

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Cryptbot family
cryptbot
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_20d4c85a6b854c3e7c7d69145a6bc199a376bf12cb1fbda2361d888c7e7aadec.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	JaffaCakes118_20d4c85a6b854c3e7c7d69145a6bc199a376bf12cb1fbda2361d888c7e7aadec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	JaffaCakes118_20d4c85a6b854c3e7c7d69145a6bc199a376bf12cb1fbda2361d888c7e7aadec.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20d4c85a6b854c3e7c7d69145a6bc199a376bf12cb1fbda2361d888c7e7aadec.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20d4c85a6b854c3e7c7d69145a6bc199a376bf12cb1fbda2361d888c7e7aadec.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:4864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

4

T1552

Credentials In Files

4

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BeZMuScqqdA\_Files\_Information.txt

Filesize
1KB

MD5
fbb9d440df9414f54e18f68afa248478

SHA1
46b31be22158cf9ca6c8343109272adf9bd0a4b4

SHA256
51a7ae85289b5f4ddbba166fc0b1774a4a81a56e8bb508592755ad97f6db36ad

SHA512
113480e3b59893a33354c10862c8af72a9a794ef27896ea095d56792e80e0fd2e888ae6d947fc91931828dd00d7db67c84c8d7b88ef8656006afb9b97a0c858d

Download Submit
C:\Users\Admin\AppData\Local\Temp\BeZMuScqqdA\_Files\_Information.txt

Filesize
3KB

MD5
c852d6542e5239877e0f6b1701699c62

SHA1
d73a27dedf09d9d4b1c7f58c1e7047db1739ad38

SHA256
b7392a8465178e870e8617060d2ccea776c639ddddb0c5650ec3145ef428db4b

SHA512
dbd2686daea3a7d723df57ee292be04c45049fe2a7dbc0abb0bcaaf495169f745d2888c44d229ecf6e5568632324023eb366fc2a301014bed582b76ad63ced30

Download Submit
C:\Users\Admin\AppData\Local\Temp\BeZMuScqqdA\_Files\_Information.txt

Filesize
6KB

MD5
83e0f0689bd03b774deec282b0af108c

SHA1
7e513a4e85632f412681c12f0d9535f9cb327b20

SHA256
7c40f8079c4804e157b0042400789ee0fd5a53abf95e4a628273ed3efd581cb9

SHA512
5124dd916f89e5c07ce29bc361c9300bee9d1348d3431acc62cbb5b7fdf74fd2927561e07553e04ae6e22280add2db2d8932b258ac053e040e085e5246d0cf88

Download Submit
C:\Users\Admin\AppData\Local\Temp\BeZMuScqqdA\_Files\_Screen_Desktop.jpeg

Filesize
51KB

MD5
b12da8e3c522b6904de0a3163f8b3b2e

SHA1
2757fd8b701a80f10fd5cf3bc5c7fc399f5a6120

SHA256
b4b671d3fcfcee882350d91802a888025c585194db7dee2b4c65f31360b69e27

SHA512
2731a16326d4d3d3c891fce8b11e7e656b05a7d67d4292e86cfb36cf2843c66d0d6137028244d21d45fd0853e88d4d911c2de8ca90da663bfb73e3a5cae09732

Download Submit
C:\Users\Admin\AppData\Local\Temp\BeZMuScqqdA\ghMXOUKtbY.zip

Filesize
46KB

MD5
85adb17092fba1a8a6f48ad3d6558f81

SHA1
28af13522311bcfd41f29c887fc3b2cfb7346275

SHA256
d989c9cac33a3a1b7ad80f16cea47142e872f3b067f674cf21b12cf88400e46a

SHA512
23d1fac184c9bf9bbdb56ee4e0cfb0c3169bd058acb13b9270dd5110033e70bf1f0c0cc4337b9559e0e5201ce364b0a2e290f1d1e4c9f8e061f0bda03b1699d4

Download Submit
memory/4864-132-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4864-154-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4864-114-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/4864-115-0x00000000020A0000-0x00000000020E7000-memory.dmp

Filesize
284KB

Download
memory/4864-117-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4864-116-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4864-124-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4864-3-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4864-160-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4864-2-0x00000000020A0000-0x00000000020E7000-memory.dmp

Filesize
284KB

Download
memory/4864-1-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/4864-135-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4864-138-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4864-141-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4864-144-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4864-148-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4864-150-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4864-130-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4864-157-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4864-127-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing