cryptbot | 264eb379519c57856467254c1350da612757e762ac3198046eced7353c35106a

General

Target

JaffaCakes118_5747ed332f72912ac53faea2b4442663.exe
Size

346KB
MD5

5747ed332f72912ac53faea2b4442663
SHA1

eec858844eb7faf37f33854243eb941b9a61a15d
SHA256

264eb379519c57856467254c1350da612757e762ac3198046eced7353c35106a
SHA512

6504c7262be16daf970b77040596f6d7ccec45a39e9cba53517380ea8f11e56f23637c69cdb19f489e16e027f97034eecbd8506adddb3106b768554049405f39
SSDEEP

6144:6o6QtEG7DLMyJ6NhhGgIEX9noRJg7AcgtVjiIADG8elm:6RQtE8LNJ+nHjFoY7SjixD7

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Extracted

Family

cryptbot

C2

veoalm42.top

moruhx04.top

Attributes

payload_url
http://tynjua14.top/download.php?file=lv.exe

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Cryptbot family
cryptbot
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5747ed332f72912ac53faea2b4442663.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	JaffaCakes118_5747ed332f72912ac53faea2b4442663.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	JaffaCakes118_5747ed332f72912ac53faea2b4442663.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5747ed332f72912ac53faea2b4442663.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5747ed332f72912ac53faea2b4442663.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DmRpfhnBPc\_Files\_Files\LockResolve.txt

Filesize
592KB

MD5
dc985daa9a3838aadb3cfb336cce2ff3

SHA1
d279898ccd508260a95ed00398cb186c36010a6e

SHA256
061a9aefcd7f5d1b7ec38e42d4acf77bfcf0ef3d55f07001bda9588ca4834212

SHA512
66d55538bf53fe03838b2f40fb99d03d24c47691492a59bbb32c4deb8f4bb182649ec6f58f92c8635bbb83ce5cc5e1c9f54965c799ad33831b16188a9685b6a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DmRpfhnBPc\_Files\_Information.txt

Filesize
2KB

MD5
74d336d03fedb1aeaf9ed0010408b8b0

SHA1
fbc5bdc1a5af6b55784aa0777e8a222f7f81c6b6

SHA256
25f966afced8065cd2f07d07d3dfcdb68149ef556adc77b00a0914d90e7d83a2

SHA512
0def05b2f93f860c78f1699ab478e97f4f1e366b936fd96ca54f8d92d650d39f661fe53fbf8acce325b767f53a7d6364e34c84a6f7dd960263f9407be3db6803

Download Submit
C:\Users\Admin\AppData\Local\Temp\DmRpfhnBPc\_Files\_Information.txt

Filesize
5KB

MD5
7e3cb6b951dd87a90e009c1de6af131c

SHA1
28fde05d222a90533df6b0cd51f6fb855cf372eb

SHA256
68d44a1072cd4264a91333318343f9a27e98d09550c39a75d2ad38ad76ff0f32

SHA512
3a6209a3b8bbe89c5697dd36be5cba63d92434c12f21dd455cdce477b75ca9ae18ea9e8f7dbb03d73b36d61e1da9a5478e6cf4410abd410bb82ccaad3be03417

Download Submit
C:\Users\Admin\AppData\Local\Temp\DmRpfhnBPc\_Files\_Screen_Desktop.jpeg

Filesize
52KB

MD5
1ca2daa1cae726af168fb1019f88b5eb

SHA1
842094e3d36736abf70791be554071597368e446

SHA256
8d09f260acae3f1d2a351c0d5aa6adff99239ea03b2ba968b1f50765f8cd3254

SHA512
13a9896bbb2f277e70e3f3d9544763e3f400482c739014171446aaf91356bd48f52b9678241eba6d2d71fc1d3efadd48652d2f9f4523d7df8ef43d8722441eec

Download Submit
C:\Users\Admin\AppData\Local\Temp\DmRpfhnBPc\plfDpyMyEF.zip

Filesize
640KB

MD5
43d6b0a6cf60cce38548bb6b48bbe420

SHA1
864084fb1ba4a3e7e71ed17937b58cd12d292db8

SHA256
2276b9c53ada896c44f571f581ac142915cffbabd9a7ee1244103b2bc36bc4ec

SHA512
727a13be999bfe5144c03c043ad68b10f047c420c42bd97dfcd7a5fda55c53ad9ef3fe1bd5e4ec8db8e973e1c3cb7a471b5b360c3ee0c8b3a41fd07c66dc2a71

Download Submit
memory/668-138-0x0000000000400000-0x0000000002F1D000-memory.dmp

Filesize
43.1MB

Download
memory/668-158-0x0000000000400000-0x0000000002F1D000-memory.dmp

Filesize
43.1MB

Download
memory/668-123-0x0000000004C60000-0x0000000004C85000-memory.dmp

Filesize
148KB

Download
memory/668-122-0x0000000000400000-0x0000000002F1D000-memory.dmp

Filesize
43.1MB

Download
memory/668-124-0x0000000004C90000-0x0000000004CD5000-memory.dmp

Filesize
276KB

Download
memory/668-126-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/668-128-0x0000000000400000-0x0000000002F1D000-memory.dmp

Filesize
43.1MB

Download
memory/668-2-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/668-164-0x0000000000400000-0x0000000002F1D000-memory.dmp

Filesize
43.1MB

Download
memory/668-1-0x0000000004C90000-0x0000000004CD5000-memory.dmp

Filesize
276KB

Download
memory/668-0-0x0000000004C60000-0x0000000004C85000-memory.dmp

Filesize
148KB

Download
memory/668-141-0x0000000000400000-0x0000000002F1D000-memory.dmp

Filesize
43.1MB

Download
memory/668-143-0x0000000000400000-0x0000000002F1D000-memory.dmp

Filesize
43.1MB

Download
memory/668-146-0x0000000000400000-0x0000000002F1D000-memory.dmp

Filesize
43.1MB

Download
memory/668-149-0x0000000000400000-0x0000000002F1D000-memory.dmp

Filesize
43.1MB

Download
memory/668-152-0x0000000000400000-0x0000000002F1D000-memory.dmp

Filesize
43.1MB

Download
memory/668-155-0x0000000000400000-0x0000000002F1D000-memory.dmp

Filesize
43.1MB

Download
memory/668-135-0x0000000000400000-0x0000000002F1D000-memory.dmp

Filesize
43.1MB

Download
memory/668-161-0x0000000000400000-0x0000000002F1D000-memory.dmp

Filesize
43.1MB

Download
memory/668-132-0x0000000000400000-0x0000000002F1D000-memory.dmp

Filesize
43.1MB

Download

Analysis

Sharing