cryptbot | c415e164b8539e5b4d8232f5bbf359caa81250d78b1785cc074c3e204e689b97

General

Target

JaffaCakes118_fd01ea3415d761f0c9289fe2630194fb.exe
Size

388KB
MD5

fd01ea3415d761f0c9289fe2630194fb
SHA1

72d6991b8b43ce94db7b1118e61753c5c2e0f490
SHA256

c415e164b8539e5b4d8232f5bbf359caa81250d78b1785cc074c3e204e689b97
SHA512

625a34ea0b561ee7e8fb7ab7f17346b40d7b28d46ccb96bad9687054dfa83fa1b2a4ab7f8199f4959b4e96e87a68fafe0a7043631450b1fd0fa2c30b894459bf
SSDEEP

6144:XNj6TYWryIIt5z5nYiXu1t7+y/urZkw5FwthSHP+WeoOM6WdNU:XNj6TvOnq1t+ymlkw5FwIP+WeoOSN

Score

10^/10

cryptbot discovery spyware stealer

Malware Config

Extracted

Family

cryptbot

C2

veobav12.top

morysl01.top

Attributes

payload_url
http://tyngle01.top/download.php?file=lv.exe

Signatures

CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Cryptbot family
cryptbot
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_fd01ea3415d761f0c9289fe2630194fb.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	JaffaCakes118_fd01ea3415d761f0c9289fe2630194fb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	JaffaCakes118_fd01ea3415d761f0c9289fe2630194fb.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fd01ea3415d761f0c9289fe2630194fb.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fd01ea3415d761f0c9289fe2630194fb.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:4792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ciTEYpCh\_Files\_Files\ClearUnlock.txt

Filesize
1.2MB

MD5
1b80d1e20bd017c5d1dc8d186c205f92

SHA1
7a8000712f776c1c6426b495f56ca0de860f00a6

SHA256
b4cb7605f6515ee30c294abfa8b0b4b024cd32d1e069e0e020761504567df48b

SHA512
fe6aee1c69573704326fd560becafdb1184224885fea839ae5a2c8a6bcdcc9ffb533b6d151b489754e49dd2a940018c3c8a7f684bed7960341157b47530d5f23

Download Submit
C:\Users\Admin\AppData\Local\Temp\ciTEYpCh\_Files\_Information.txt

Filesize
1KB

MD5
25613b250da1f83561daaa805bf1f56f

SHA1
cae6e67c10e620a202a066c1134a0a56fac466a8

SHA256
15fefbfa3f06fe1d19ff5ad4ae298286fc5303e6a8c6c968e8b7e00ce46b9e46

SHA512
eb77d8ca2348efac418d611ee0d0ba6439906671641e6d3e15e59d69baf09441c4f17c77f13e47f3186876fd740997190e94db3f4f582871a2c925050576c57a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ciTEYpCh\_Files\_Information.txt

Filesize
5KB

MD5
b30b318b7e5df317f848ad2288307d50

SHA1
f4015d619b2f9ce04d1f744ad0ae623bd3d19092

SHA256
17dec033985caae7f7124b66b7c7bff2a7de58f47582645faaa9a4d40ccb4e59

SHA512
7966f406915d6f5cbffe0bb0b8fb4c54d9746e1c88d019decac0813fe15186e22dac7eeaeeadda24f4b446ed076b8c47ebb39b0228b9cb56d0e8e2fd53280da6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ciTEYpCh\_Files\_Screen_Desktop.jpeg

Filesize
57KB

MD5
66bc19e6184459de2a1531ccfe72c8dc

SHA1
51b184859ffc23628baa0220ddecc7f99be899e6

SHA256
2dab44f50aa42efacea70de56f187adb533ab49b7bef2140463d52a3d073cc7e

SHA512
cec6a0e2e82db41a363dba0f7ad4a0dcac844ffec42a8f3f2f1590dd859ee8555c90d6f2b96161629ab31bf7c4b6679e00e45b1ff2d0ce6a60da11cd5eadecfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ciTEYpCh\obWBLQGDAP.zip

Filesize
1.2MB

MD5
c1dffcce99a6a8660a032f15bce18da6

SHA1
fa0fa5f539213e38ae6412e36ec56b5b44532404

SHA256
ad149304ebdf838eb4812fa94a3f80bbeb04b233d16746c058e9e46b457a9204

SHA512
4b53b85c7a104cbe5e0f7b8b0e3b800f9561f3ee472a88e52fa33638f4cfe00a3f79b96df8e80a00e968f994f014a903874a4ac980fe470b0220ae47adeec44c

Download Submit
memory/4792-139-0x0000000000400000-0x0000000002DB8000-memory.dmp

Filesize
41.7MB

Download
memory/4792-161-0x0000000000400000-0x0000000002DB8000-memory.dmp

Filesize
41.7MB

Download
memory/4792-123-0x0000000002FC0000-0x00000000030C0000-memory.dmp

Filesize
1024KB

Download
memory/4792-125-0x0000000004B00000-0x0000000004B45000-memory.dmp

Filesize
276KB

Download
memory/4792-124-0x0000000000400000-0x0000000002DB8000-memory.dmp

Filesize
41.7MB

Download
memory/4792-126-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4792-129-0x0000000000400000-0x0000000002DB8000-memory.dmp

Filesize
41.7MB

Download
memory/4792-3-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4792-166-0x0000000000400000-0x0000000002DB8000-memory.dmp

Filesize
41.7MB

Download
memory/4792-2-0x0000000004B00000-0x0000000004B45000-memory.dmp

Filesize
276KB

Download
memory/4792-1-0x0000000002FC0000-0x00000000030C0000-memory.dmp

Filesize
1024KB

Download
memory/4792-142-0x0000000000400000-0x0000000002DB8000-memory.dmp

Filesize
41.7MB

Download
memory/4792-145-0x0000000000400000-0x0000000002DB8000-memory.dmp

Filesize
41.7MB

Download
memory/4792-148-0x0000000000400000-0x0000000002DB8000-memory.dmp

Filesize
41.7MB

Download
memory/4792-151-0x0000000000400000-0x0000000002DB8000-memory.dmp

Filesize
41.7MB

Download
memory/4792-154-0x0000000000400000-0x0000000002DB8000-memory.dmp

Filesize
41.7MB

Download
memory/4792-158-0x0000000000400000-0x0000000002DB8000-memory.dmp

Filesize
41.7MB

Download
memory/4792-136-0x0000000000400000-0x0000000002DB8000-memory.dmp

Filesize
41.7MB

Download
memory/4792-164-0x0000000000400000-0x0000000002DB8000-memory.dmp

Filesize
41.7MB

Download
memory/4792-133-0x0000000000400000-0x0000000002DB8000-memory.dmp

Filesize
41.7MB

Download

Analysis

Sharing