cryptbot | d30efbcdbf30c57ad8bfb278d5098d7044762442d5c2553f5e5cf92e39bc7c43

General

Target

JaffaCakes118_f4869964da97cd1c6a459dc0862e0537.exe
Size

419KB
MD5

f4869964da97cd1c6a459dc0862e0537
SHA1

ca09397b71d5519852f2f459e9bb493b60570908
SHA256

d30efbcdbf30c57ad8bfb278d5098d7044762442d5c2553f5e5cf92e39bc7c43
SHA512

03a7bf9a73598f436da16e22f07dc1dedf8507743071d3630cb63182b73cd3d0a0a24a56f2a705aec8fd31f0dcddaa7203c8ab90351402ba0ebd2bae8ae28d38
SSDEEP

12288:QHEKqNxt0FXDFun2XNSNc6kk8v2OSSnsl:QtqNuZxQP8+OSC0

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Extracted

Family

cryptbot

C2

veomho62.top

morizu06.top

Attributes

payload_url
http://tynmat16.top/download.php?file=roamer.exe

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Cryptbot family
cryptbot
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_f4869964da97cd1c6a459dc0862e0537.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	JaffaCakes118_f4869964da97cd1c6a459dc0862e0537.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	JaffaCakes118_f4869964da97cd1c6a459dc0862e0537.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f4869964da97cd1c6a459dc0862e0537.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f4869964da97cd1c6a459dc0862e0537.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:3668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\QheFYcny\XgDsEEAKav.zip

Filesize
47KB

MD5
0f154a36dab1c28fd71948e56abb5136

SHA1
915e8944e38d062fab298361e887601aa3f35a1c

SHA256
150686d40220bd66231f6761f2177817aa5dc397ba58044e435b14ee518702b4

SHA512
831598ad19dee1226da2a2a9ae7abfe0aa887d2df2e0b85aac355c3ffbfc786d4b529d58a57d0f23eded8fdf13edce9b6b633caa601ea4818ad013959fb06cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\QheFYcny\_Files\_Information.txt

Filesize
4KB

MD5
fd2186c78b289c42b408eb6e64b61907

SHA1
2551257813a2c200912779d9abb5aac05b57bc17

SHA256
bb1eca7319ee23d55e8ff5bab09178428038b366c60d76160f1d09b5dbf59307

SHA512
f539ca7f5e55275d50913b2b8a94fc12023b3c840800eea63730911a5dcd3c300e4806f838d81cd3717bec0db823d9835acfd3ee1ca996c542d88e4dfc849540

Download Submit
C:\Users\Admin\AppData\Local\Temp\QheFYcny\_Files\_Screen_Desktop.jpeg

Filesize
52KB

MD5
7e796b19a6e7ff85000edbd3d03d9472

SHA1
d9fbc83fee829a755eaaf7aa78f614b6e637ddd9

SHA256
a485d59bfeb13c797246f68717e36e9ede4033c30065bebcaa21df054e2fcb8e

SHA512
b53e910634f31c1b85cf9222439135d40c550a84dda83d942ca8e526ab50b08b44c7d8f948a63745c15211e4bbe0166ee87a7db1fca04bc581fe85978f737c11

Download Submit
memory/3668-114-0x0000000000910000-0x0000000000A10000-memory.dmp

Filesize
1024KB

Download
memory/3668-130-0x0000000000400000-0x0000000000899000-memory.dmp

Filesize
4.6MB

Download
memory/3668-1-0x0000000000910000-0x0000000000A10000-memory.dmp

Filesize
1024KB

Download
memory/3668-118-0x00000000008A0000-0x00000000008E5000-memory.dmp

Filesize
276KB

Download
memory/3668-121-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3668-120-0x0000000000400000-0x0000000000899000-memory.dmp

Filesize
4.6MB

Download
memory/3668-124-0x0000000000400000-0x0000000000899000-memory.dmp

Filesize
4.6MB

Download
memory/3668-2-0x00000000008A0000-0x00000000008E5000-memory.dmp

Filesize
276KB

Download
memory/3668-127-0x0000000000400000-0x0000000000899000-memory.dmp

Filesize
4.6MB

Download
memory/3668-3-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3668-133-0x0000000000400000-0x0000000000899000-memory.dmp

Filesize
4.6MB

Download
memory/3668-136-0x0000000000400000-0x0000000000899000-memory.dmp

Filesize
4.6MB

Download
memory/3668-139-0x0000000000400000-0x0000000000899000-memory.dmp

Filesize
4.6MB

Download
memory/3668-143-0x0000000000400000-0x0000000000899000-memory.dmp

Filesize
4.6MB

Download
memory/3668-146-0x0000000000400000-0x0000000000899000-memory.dmp

Filesize
4.6MB

Download
memory/3668-149-0x0000000000400000-0x0000000000899000-memory.dmp

Filesize
4.6MB

Download
memory/3668-152-0x0000000000400000-0x0000000000899000-memory.dmp

Filesize
4.6MB

Download
memory/3668-155-0x0000000000400000-0x0000000000899000-memory.dmp

Filesize
4.6MB

Download
memory/3668-158-0x0000000000400000-0x0000000000899000-memory.dmp

Filesize
4.6MB

Download
memory/3668-160-0x0000000000400000-0x0000000000899000-memory.dmp

Filesize
4.6MB

Download

Analysis

Sharing