cryptbot | 4ea07b9988b03173d35240bd56cfe6b16b6f5721c62d16129c9d974bbab92d04

General

Target

JaffaCakes118_7ebbb54dd8b2cc5aea696b2ad88abdbc.exe
Size

346KB
MD5

7ebbb54dd8b2cc5aea696b2ad88abdbc
SHA1

b1ae8ad0ff5ba202b5783d951be5d4aee2e92600
SHA256

4ea07b9988b03173d35240bd56cfe6b16b6f5721c62d16129c9d974bbab92d04
SHA512

603c898492ea2ec7e0a4271d02ba1c0afd38a7abe9e8bcf1d1747dcc705530bca1537d5e16a3b06af5170c9ce17c0c5a417fbc8679529994bb92419b2fce53e7
SSDEEP

6144:6o6QtEG7DLMyJ6NhhGgIEX9noRJg7AcgtVjiIADG8el:6RQtE8LNJ+nHjFoY7SjixD

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Extracted

Family

cryptbot

C2

veoalm42.top

moruhx04.top

Attributes

payload_url
http://tynjua14.top/download.php?file=lv.exe

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Cryptbot family
cryptbot
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7ebbb54dd8b2cc5aea696b2ad88abdbc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	JaffaCakes118_7ebbb54dd8b2cc5aea696b2ad88abdbc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	JaffaCakes118_7ebbb54dd8b2cc5aea696b2ad88abdbc.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ebbb54dd8b2cc5aea696b2ad88abdbc.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ebbb54dd8b2cc5aea696b2ad88abdbc.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:4740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rMPDiDdwCJVd\DGTTyuOYnWol.zip

Filesize
54KB

MD5
b86386daf6df9c3b45aee04d037a9e6c

SHA1
d49dc2a0299657033c9232a262ffe6aa16c2c100

SHA256
8b82d7746b4713de59016a5ff0e3f233a203d585a25632ff772edd9bacbefc1e

SHA512
7abc3c636c502b5c7cc802df31fef75f0645b97a265009c6438a4cd99136329bd4f389624c96d527d9f69c0c21038b384fc41b17e33757faeec50befad4ce770

Download Submit
C:\Users\Admin\AppData\Local\Temp\rMPDiDdwCJVd\_Files\_Information.txt

Filesize
1KB

MD5
553109d02578771e73a42c7c7f8b528e

SHA1
9085fea37ef21fa86fb6ddf7a3e5109fd4bf79b0

SHA256
4acfa06a4f15f0a3f54690b04801f9ba57bbf2f8be875bdbabb9006c6b5bbd6a

SHA512
eb4d58633b58c6b283e57abc76833fe19a50444561b434edb4f28cf6a43e469f0b98ec81827443c370d86f213ffae6b846906ca14e72e3f551a32c359a157cef

Download Submit
C:\Users\Admin\AppData\Local\Temp\rMPDiDdwCJVd\_Files\_Information.txt

Filesize
3KB

MD5
66d6fc77890c8b9487be00b06640075c

SHA1
a961dc9e1ca777ffaadbbb09c15b3e5a24d34100

SHA256
99584707a2d9f3b6db20a511a340b2ded4c6a2b1929d0bc29358f1c6e4a9c364

SHA512
ae788ff173c57413516ad0f99f766a64a3f7455d2d80ef278cabab19896e8e4b80f323338b3fd2883f2b2329eb36e2a38c544dd27fc70532ded2513935d91b75

Download Submit
C:\Users\Admin\AppData\Local\Temp\rMPDiDdwCJVd\_Files\_Information.txt

Filesize
4KB

MD5
e41af78699d3d7582b87b2a8799f8a0f

SHA1
f24f4c6009fc304b9958d8eea8e13e011a3d8c6c

SHA256
44d8946ee9b97ac946f30da12d0173de3eeca7ac8f92173996c36f6d1bc41b41

SHA512
b97ea8f61004fd3bf60d0aa614c355cb98acbbfddfbfb13800915cb8ea5c48cf54e9b9ec266cb958457d0e6cdf60803709fc954fe03b08eb5386aced943f6ce5

Download Submit
C:\Users\Admin\AppData\Local\Temp\rMPDiDdwCJVd\_Files\_Screen_Desktop.jpeg

Filesize
59KB

MD5
8763679ca5b0d29e681db7f25d26c14f

SHA1
1c0e42aaa115725400c539458c75056be459585a

SHA256
6a93931eac4f72aa7296b14eeb17618c38336bb8daf7fc5fc81f7c0078e33a6a

SHA512
c791cf8e860bed15d127a424e3337dec948fc827459c8d5bfe2248ae04446d69c365b985126bb8a526b846dd47c6ba075e07fdb9fa5a56a08f67c27c3575cac1

Download Submit
memory/4740-128-0x0000000000400000-0x0000000002F1D000-memory.dmp

Filesize
43.1MB

Download
memory/4740-153-0x0000000000400000-0x0000000002F1D000-memory.dmp

Filesize
43.1MB

Download
memory/4740-117-0x00000000030B0000-0x00000000030D5000-memory.dmp

Filesize
148KB

Download
memory/4740-116-0x0000000000400000-0x0000000002F1D000-memory.dmp

Filesize
43.1MB

Download
memory/4740-119-0x00000000030E0000-0x0000000003125000-memory.dmp

Filesize
276KB

Download
memory/4740-120-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4740-122-0x0000000000400000-0x0000000002F1D000-memory.dmp

Filesize
43.1MB

Download
memory/4740-132-0x0000000000400000-0x0000000002F1D000-memory.dmp

Filesize
43.1MB

Download
memory/4740-160-0x0000000000400000-0x0000000002F1D000-memory.dmp

Filesize
43.1MB

Download
memory/4740-0-0x00000000030B0000-0x00000000030D5000-memory.dmp

Filesize
148KB

Download
memory/4740-1-0x00000000030E0000-0x0000000003125000-memory.dmp

Filesize
276KB

Download
memory/4740-134-0x0000000000400000-0x0000000002F1D000-memory.dmp

Filesize
43.1MB

Download
memory/4740-137-0x0000000000400000-0x0000000002F1D000-memory.dmp

Filesize
43.1MB

Download
memory/4740-141-0x0000000000400000-0x0000000002F1D000-memory.dmp

Filesize
43.1MB

Download
memory/4740-144-0x0000000000400000-0x0000000002F1D000-memory.dmp

Filesize
43.1MB

Download
memory/4740-147-0x0000000000400000-0x0000000002F1D000-memory.dmp

Filesize
43.1MB

Download
memory/4740-149-0x0000000000400000-0x0000000002F1D000-memory.dmp

Filesize
43.1MB

Download
memory/4740-2-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4740-157-0x0000000000400000-0x0000000002F1D000-memory.dmp

Filesize
43.1MB

Download
memory/4740-125-0x0000000000400000-0x0000000002F1D000-memory.dmp

Filesize
43.1MB

Download

Analysis

Sharing