{
	"id": "759e2638-5846-44ef-a73b-6d5b435f7874",
	"created_at": "2026-04-06T00:13:56.453114Z",
	"updated_at": "2026-04-10T03:20:58.269344Z",
	"deleted_at": null,
	"sha1_hash": "67d57821edabc8568a2be2ec4cbe9e3a25d4aed1",
	"title": "CrackedCantil: Malware Work Together",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 153454,
	"plain_text": "CrackedCantil: Malware Work Together\r\nBy Lena aka LambdaMamba\r\nArchived: 2026-04-05 18:29:01 UTC\r\nLena aka LambdaMamba\r\nI am a Chief Research Officer at a cybersecurity company. My passions include investigations, experimentations, gaming,\r\nwriting, and drawing. I also like playing around with hardware, operating systems, and FPGAs. I enjoy assembling things\r\nas well as disassembling things! In my spare time, I do CTFs, threat hunting, and write about them. I am fascinated by\r\nsnakes, which includes the Snake Malware!\r\nCheck out:\r\nMy website\r\nMy LinkedIn profile\r\nMalware is constantly evolving to become more evasive, destructive, efficient, and infectious. There are numerous\r\nfamilies of malware, each with its own unique characteristics. These different families of malware can work together in a\r\nsymphonious manner to deliver a powerful infection. For instance, the stealer malware can exfiltrate data before the\r\nransomware encrypts the files. \r\nIn this blog post, we’re diving into a recent case of something I started calling a “malware symphony.” It’s a way to\r\ndescribe how different types of malware can work together, sort of like instruments in an orchestra. And just like how each\r\ninstrument adds to the harmony, these malware parts work together in a coordinated way — we’ll explore the behavior of\r\neach malware involved in this symphony in detail.\r\nLet’s dive right into it!\r\nOverview of CrackedCantil\r\nThe author (of this article, not the malware), Lena (aka LambdaMamba) has decided to name this type of malware the\r\n“CrackedCantil”. \r\nThe “Cracked” part comes from cracked software meaning a common vector of infection. The “Cantil” part comes from\r\nthe Cantil Viper, which is a species of highly venomous viper. This viper uses its bright yellow tail to lure in prey, just like\r\nhow this malware uses cracked software to lure in victims. 
\r\nhttps://any.run/cybersecurity-blog/crackedcantil-breakdown/\r\nPage 1 of 20\n\nAnd just like viper venom, which uses a complex cocktail of chemicals that work together to wreak havoc in the victim’s\r\nbody, numerous malware families work together in the CrackedCantil to wreak havoc in the victim’s system. The CrackedCantil\r\nexamined in this article includes the following:\r\nLoaders: PrivateLoader and Smoke, which drop more malware onto the system\r\nInfostealers: Lumma, RedLine, RisePro, Amadey, and Stealc, which steal sensitive information\r\nCryptominers: turn the infected system into a cryptominer, draining system resources\r\nProxy Bot Malware: Socks5Systemz, which turns the infected system into a proxy bot\r\nRansomware: STOP, which encrypts the files and disrupts the system\r\nAlso, the process tree is long, packed, and intertwined like a snake pit.\r\nThe CrackedCantil Process Tree and an image of a Snake Pit generated by OpenAI\r\nAnalyzing the behavior in a sandbox\r\nThe CrackedCantil ANY.RUN sample examined in this article can be found here. Additionally, the analysis techniques\r\nintroduced in my blog Analyzing Snake Keylogger in ANY.RUN: a Full Walkthrough will be used here.\r\nSearching for the Cracked software\r\nThe query “ida pro crack download” was searched on Google in Google Chrome on Windows 11, using a United States\r\nResidential Proxy. A peculiar Google Groups result, “CRACK IDA Pro V6 8 150423 And HEX-Rays Decompiler …”, appeared\r\non the first page of search results:\r\nSearching “ida pro crack download” on Google\r\nVisiting the Google Groups search result showed a Google Groups conversation with the subject “CRACK IDA Pro V6 8\r\n150423 And HEX-Rays Decompiler ARM X86 X64-iDAPROl”. 
A shortened link is included in the body:\r\nA Google Groups conversation with a download link\r\nClicking on the shortened link redirects to hxxps://airfiltersing[.]com…, and clicking on the “Download” button\r\ndownloads “release.rar” from hxxps://afashionstudio[.]com:\r\nThe redirected download site\r\nThe archive file is password-protected and can be opened with the password provided on the download site, which was\r\n“1234”. A folder called “prom” and an application called “setup.exe” are inside the archive. These were extracted onto the\r\nDesktop:\r\nThe contents of “release.rar”\r\nThe details of “setup.exe” can be seen in the Properties. The file description was “Logitech PlugIn Installer Utility\r\n(UNICODE)”, and the original filename was “PlugInInstallerUtility.exe”. Note that these version-info strings are written\r\nby whoever built the binary and prove nothing about its origin. The folder “prom” contains various files with unusual\r\nextensions, such as “.dllqqq”, “.dllew”, “.dllw”, and “.dlww”:\r\nThe properties of “setup.exe” and contents of the “prom” folder\r\nRunning the Cracked Software\r\nDouble-clicking on “setup.exe” executes the application. Around a minute after executing “setup.exe”, a bunch of\r\nprocesses are spawned, and “cmd.exe” and “schtasks.exe” windows pop up:\r\nThe “cmd.exe” and “schtasks.exe” windows pop up after executing “setup.exe”\r\nAfter “cmd.exe” and “schtasks.exe” close, nothing alarming happens from the user’s perspective. The system is manually\r\nrestarted for experimentation. 
The system restarts normally from the user’s perspective and logs in as “admin”.\r\nLogging into “admin” after manual system reboot\r\nAfter the login, everything on the Desktop looks normal from the user’s perspective. Approximately 15 seconds later, a\r\n“schtasks.exe” window pops up and a bunch of processes are spawned:\r\nThe “schtasks.exe” window pops up after logging in\r\nA few seconds later, the files’ icons change to a white file icon, and the “.hhaz” extension is added to the files, indicating\r\nthey were encrypted:\r\nThe files’ type has become “HHAZ file”\r\nThe ransom note is located in “C:\\Users\\admin\\_readme.txt”. The ransom note includes a link to download the decryption\r\ninstruction video, the contact email, and a personal ID:\r\nContents of the ransom note “_readme.txt”\r\nIn a different ANY.RUN task, the WeTransfer link was opened in a browser, and the “Decrypt Software.avi” was\r\ndownloaded and opened in a video player. It showed a decryption instruction video with a “.djvuu” example:\r\nThe Decryption Instruction video from the ransom note\r\nAnalyzing the Processes based on Malware Family\r\nThe process tree is complex, and numerous notorious malware families were involved. This section will break down the\r\ndifferent malware families involved and explore each one in detail. They include PrivateLoader, Smoke, Lumma,\r\nRedLine, RisePro, Amadey, Stealc, Socks5Systemz, and STOP.\r\nPrivateLoader\r\nPrivateLoader is a malicious loader family first identified in 2021 and is known for distributing many kinds of malware,\r\nincluding stealers, rootkits, spyware, and more. 
It is written in C++, and cracked software is a common source of infection.\r\nAdditionally, it drops payloads depending on the configuration of the victim’s system. More information on PrivateLoader\r\ncan be found in ANY.RUN’s PrivateLoader Malware Trends.\r\nProcess 4440: setup.exe\r\nThe process “setup.exe” (process 1952) starts when the “setup.exe” executable is double-clicked from the Desktop. Almost\r\nimmediately after, another process called “setup.exe” (process 4440) spawns, and is detected as PrivateLoader. From\r\nProcess 4440, numerous malicious processes spawn, which include more PrivateLoader instances, Smoke, Lumma,\r\nRedLine, RisePro, Amadey, Stealc, Socks5Systemz, and STOP.\r\nThe “setup.exe” (process 4440) is detected as a PrivateLoader\r\nNumerous executables are downloaded by “setup.exe” (process 4440) from several endpoints. Detonating these\r\nexecutables independently inside the ANY.RUN Sandbox revealed that they are Stealc (timeSync.exe ANY.RUN task),\r\nRedLine (autorun.exe ANY.RUN task), RisePro (good.exe ANY.RUN task), and Socks5Systemz (adobe.exe ANY.RUN\r\ntask).\r\nProcess 4440 downloads several executables from several endpoints\r\nProcess 4440 is also seen communicating with its C2 servers, 185[.]216.70.235 and 195.20.16[.]45, via port 80 (T1071 –\r\nApplication Layer Protocol). 
HTTP requests “/api/tracemap.php” and “/api/firegate.php” were made to the hosts\r\n185[.]216.70.235 and 195.20.16[.]45 by Process 4440:\r\nThe HTTP requests by Process 4440\r\nAn example network stream between 195.20.16[.]45:80 and VM:52634 can be seen below:\r\nThe Network Stream for Process 4440 between 195.20.16[.]45:80 and VM:52634\r\nThe contents include Base64-encoded strings, like “Q0uWGgHyOK1yWQK-BXHkM-HySJVrM-bkDRjaZRMVle11OCvYaPf2WzR9nGuLpCPzAv8ibLyhynT0DqT5CPejzN_j4vkuL4Rmafqdqg7q29RNzn9VOTArbMt6Jrq5lsZ3”\r\n(the “-” and “_” characters show that this is the URL-safe Base64 alphabet), but decoding these strings did not reveal\r\nhuman-readable results. The decoded data is still encrypted, and decrypting it may reveal the C2 server and other crucial\r\ninformation, as shown in PrivateLoader: Analyzing the Encryption and Decryption of a Modern Loader.\r\nProcess 5088: vRNddZqIkwaYVpHLFkGcr1Tk.exe\r\nThe initial PrivateLoader “setup.exe” (process 4440) spawns “vRNddZqIkwaYVpHLFkGcr1Tk.exe” (process 5088),\r\nwhich is also detected as PrivateLoader.\r\nThe “setup.exe” (process 4440) \u003e “vRNddZqIkwaYVpHLFkGcr1Tk.exe” (process 5088) is detected as a\r\nPrivateLoader.\r\nThe “vRNddZqIkwaYVpHLFkGcr1Tk.exe” (process 5088) was seen modifying files in the Chrome extension folder.\r\nBrowser extensions can be abused to establish persistent access to systems (T1176 – Browser Extensions).\r\nProcess 5088 is seen modifying files in the Chrome extension folder\r\nThe extension “difpelfbkngealhghppkgcpkgbgohhph” is associated with K Searches. According to the K Searches\r\ndescription, “The extension will update your search settings and will change your new tab search provider to Microsoft\r\nBing”. 
Opening Google Chrome in a different ANY.RUN task after detonating “setup.exe” showed the K Searches\r\nextension being added to the browser:\r\nThe K Searches extension on a Chrome Browser\r\nProcess 5088 also communicates with its C2, 195.20.16[.]45, via port 80 (T1071 – Application Layer Protocol), and the\r\nHTTP POST requests also contain Base64-encoded, encrypted strings just like those of Process 4440:\r\nThe Network Stream for Process 5088 between 195.20.16[.]45:80 and VM:53329\r\nProcess 1916: wlC578T8hWfvZ2yJxLzrF38Y.exe\r\nThe initial PrivateLoader “setup.exe” (process 4440) spawns “wlC578T8hWfvZ2yJxLzrF38Y.exe” (process 1916), which\r\nis also detected as PrivateLoader.\r\nThe “setup.exe” (process 4440) \u003e “wlC578T8hWfvZ2yJxLzrF38Y.exe” (process 1916) is detected as a PrivateLoader\r\nProcess 1916 was seen dropping the executables “C:\\Users\\admin\\Pictures\\Minor\r\nPolicy\\5RfuRxo3fpxiWkD42DRCixRe.exe” and\r\n“C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\J0KBFYBW\\build2[1].exe”. These two executables\r\nhave the same hash. “5RfuRxo3fpxiWkD42DRCixRe.exe”, which is detected as Amadey, is examined in a later section.\r\nProcess 1916 drops executable files immediately after the start\r\nProcess 1916 also communicates with its C2, 45.15.156[.]229, via port 80 (T1071 – Application Layer Protocol). As with\r\nProcess 4440 and Process 5088, the HTTP POST requests contain Base64-encoded, encrypted strings:\r\nThe Network Stream for Process 1916 between 45.15.156[.]229:80 and VM:52754\r\nSmoke\r\nSmoke is a modular malware first identified in 2011, and is known to download other malware as well as steal\r\ninformation. The Smoke Loader can load several files, execute them, mimic legitimate processes, and more. 
It injects\r\nmalicious code into system processes like “explorer.exe”, and conducts malicious activities while evading detection. More\r\ninformation on the Smoke Loader can be found in ANY.RUN’s Smoke Loader Malware Trends.\r\nProcess 4192: explorer.exe\r\nThe initial PrivateLoader “setup.exe” (process 4440) spawns “vvlbVE_a1T9mi81qLqDvAjYH.exe” (process 2648), which\r\nruns injected code in “explorer.exe” (process 4192). This is detected as Smoke.\r\nThe “setup.exe” (process 4440) \u003e “vvlbVE_a1T9mi81qLqDvAjYH.exe” (process 2648) \u003e “explorer.exe” (process 4192) is detected as Smoke\r\nThe “C:\\Users\\admin\\Pictures\\Minor Policy\\vvlbVE_a1T9mi81qLqDvAjYH.exe” is responsible for injecting malicious\r\ncode into “explorer.exe”:\r\nThe “vvlbVE_a1T9mi81qLqDvAjYH.exe” (process 2648) runs injected code in another process\r\nThe “explorer.exe” (process 4192) conducts several malicious activities after being injected with malicious code. Process\r\n4192 is seen communicating with the C2 servers 34.94.245[.]237, 91.215.85[.]17, and 34.168.225[.]46 via port 80 (T1071 –\r\nApplication Layer Protocol).\r\nHTTP POST requests to “/” on the hosts sumagulituyo[.]org, stualialuyastrelia[.]net, and criogetikfenbut[.]org were observed\r\nfor 34.94.245[.]237, 91.215.85[.]17, and 34.168.225[.]46 respectively for Process 4192. The responses to the POST requests\r\ncontained references to https://myattwg.att[.]com/UverseAccount.html, and opening this URL in a browser in the ANY.RUN\r\nsandbox shows a site that asks for AT\u0026T credentials. According to OSINT, this is known browser hijacker behavior.\r\nThe Network Stream comparison\r\nProcess 4192 runs a command that uses PowerShell to tell Windows Defender to ignore the current user’s profile\r\nfolder (“C:\\Users\\admin” in this case) and the Program Files folder (“C:\\Program Files” in this case) during scans. 
This\r\nallows more malware onto the system without being detected by Windows Defender (T1562.001 – Impair Defenses:\r\nDisable or Modify Tools).\r\nProcess 4192 adds a path to the Windows Defender exclusion list with the line surrounded by green\r\nProcess 4192 runs a command that starts a scheduled task called “GoogleUpdateTaskMachineQC” using schtasks\r\n(Task Scheduler). The purpose is to evade analysis environments with time-based methods, and the Windows Task\r\nScheduler can be abused for the initial or recurring execution of malicious code (T1497.003 – Virtualization/Sandbox\r\nEvasion: Time Based Evasion, and T1053.005 – Scheduled Task/Job: Scheduled Task).\r\nProcess 4192 uses the Task Scheduler to run other applications with the line surrounded by green\r\nThe “GoogleUpdateTaskMachineQC” is an XML file that is modified by “svchost.exe” (process 1272). The “svchost.exe”\r\nis located under “C:\\Windows\\system32\\”. This is a system file in Windows, and acts as a host process for services\r\nrunning from DLLs. The Task Scheduler service itself runs inside an “svchost.exe” instance and writes every registered task\r\nto a file under “C:\\Windows\\System32\\Tasks\\”, so this write is the service persisting the task that Process 4192\r\nregistered, not “svchost.exe” acting on its own.\r\nProcess 1272 modifies the file “GoogleUpdateTaskMachineQC”\r\n“GoogleUpdateTaskMachineQC” is an XML configuration file for a scheduled task. It configures a scheduled task called\r\n“GoogleUpdateTaskMachineQC”, which will be triggered at every system boot. 
It runs using the highest available\r\nprivilege, and will execute “C:\\Program Files\\Google\\Chrome\\updater.exe”.\r\nThe URI is “GoogleUpdateTaskMachineQC”\r\nThe RunLevel is “HighestAvailable”\r\nThe Exec location is “C:\\Program Files\\Google\\Chrome\\updater.exe”\r\nThe “t4vXjCz8dD8LVP0hkcsFvzr1.exe” (process 6320) spawns from the PrivateLoader\r\n“wlC578T8hWfvZ2yJxLzrF38Y.exe” (process 1916), and modifies “C:\\Program Files\\Google\\Chrome\\updater.exe”:\r\nProcess 6320 modifies “C:\\Program Files\\Google\\Chrome\\updater.exe”\r\nDetonating “updater.exe” independently in the ANY.RUN sandbox (this sample) revealed that it is miner malware.\r\nThe attributes of “updater.exe” in Static Discovering\r\nAfter the system reboot, “updater.exe” (process 1632) starts via Task Scheduler:\r\nSystem Reboot \u003e “updater.exe” (process 1632)\r\nProcess 1632 drops the executable files “C:\\Program Files\\Google\\Libs\\WR64.sys” and\r\n“C:\\Windows\\TEMP\\cwpxsctaqxko.tmp”.\r\nProcess 1632 drops executable files immediately after reboot\r\nIn the “WR64.sys” and “cwpxsctaqxko.tmp” EXIF information, the MachineType field was “AMD AMD64”. 
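The task definition described above can be triaged without reading each XML file under C:\Windows\System32\Tasks by hand. The script below is an added example written for this edit; it is not code from the original post or from ANY.RUN. The two task definitions it parses are constructed here: one reproduces the attributes the post reports for “GoogleUpdateTaskMachineQC” (the URI, a BootTrigger, RunLevel HighestAvailable, and the updater.exe Exec command), the other is a simplified benign control modelled on the built-in defrag task. The list of trusted directories and the assumption that a legitimate GoogleUpdateTaskMachine task executes GoogleUpdate.exe are the example’s own, not the post’s.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Namespace used by every task file under C:\Windows\System32\Tasks.
NS = {'t': 'http://schemas.microsoft.com/windows/2004/02/mit/task'}

# Directories a boot/logon task running with HighestAvailable is normally allowed to
# execute from. Assumption of this example; widen it for the estate being triaged.
TRUSTED_DIRS = ('c:/windows/system32/', 'c:/windows/syswow64/')

# Task-name prefix that mimics a vendor, mapped to the binary the vendor's own task runs.
# Assumption of this example: Google's real updater task executes GoogleUpdate.exe.
EXPECTED_BINARY = {'googleupdatetaskmachine': 'googleupdate.exe'}


def interval_minutes(iso):
    # Minimal reader for the PTnHnMnS durations Task Scheduler writes into <Interval>.
    if not iso.startswith('PT'):
        return None
    minutes, digits = 0, ''
    for ch in iso[2:]:
        if ch.isdigit():
            digits += ch
        elif ch == 'H':
            minutes, digits = minutes + int(digits) * 60, ''
        elif ch == 'M':
            minutes, digits = minutes + int(digits), ''
        elif ch == 'S':
            digits = ''  # sub-minute part is ignored
    return minutes


def triage(xml_text):
    # Pull the fields that matter out of one task definition and list the reasons
    # an analyst would want to look at it.
    root = ET.fromstring(xml_text.strip())

    def text(path):
        node = root.find(path, NS)
        return (node.text or '').strip() if node is not None else ''

    trig = root.find('t:Triggers', NS)
    triggers = [] if trig is None else [child.tag.split('}')[-1] for child in trig]
    uri = text('t:RegistrationInfo/t:URI')
    run_level = text('t:Principals/t:Principal/t:RunLevel')
    command = text('t:Actions/t:Exec/t:Command').strip(chr(34))  # chr(34) is a double quote
    exe_name = PureWindowsPath(command).name.lower()
    task_name = PureWindowsPath(uri).name.lower()
    interval = text('t:Triggers/*/t:Repetition/t:Interval')

    findings = []
    if run_level == 'HighestAvailable' and any(t in ('BootTrigger', 'LogonTrigger') for t in triggers):
        findings.append('elevated task fires at boot/logon (' + ', '.join(triggers) + ')')
    if command and not PureWindowsPath(command).as_posix().lower().startswith(TRUSTED_DIRS):
        findings.append('command outside trusted directories: ' + command)
    for prefix, binary in EXPECTED_BINARY.items():
        if task_name.startswith(prefix) and exe_name != binary:
            findings.append('name mimics ' + prefix + ' but runs ' + exe_name)
    mins = interval_minutes(interval) if interval else None
    if mins is not None and mins <= 60:
        findings.append('repeats every ' + str(mins) + ' minute(s)')
    return {'uri': uri, 'run_level': run_level, 'triggers': triggers,
            'command': command, 'findings': findings}


# Constructed from the attributes the post reports; not the file taken from the sample.
SUSPECT_TASK = '''
<Task version='1.4' xmlns='http://schemas.microsoft.com/windows/2004/02/mit/task'>
  <RegistrationInfo><URI>\\GoogleUpdateTaskMachineQC</URI></RegistrationInfo>
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Principals><Principal id='Author'><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context='Author'><Exec><Command>C:\\Program Files\\Google\\Chrome\\updater.exe</Command></Exec></Actions>
</Task>
'''

# Constructed benign control, simplified from the built-in defrag task.
CONTROL_TASK = '''
<Task version='1.4' xmlns='http://schemas.microsoft.com/windows/2004/02/mit/task'>
  <RegistrationInfo><URI>\\Microsoft\\Windows\\Defrag\\ScheduledDefrag</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T01:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Principals><Principal id='LocalSystem'><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context='LocalSystem'><Exec><Command>C:\\Windows\\System32\\defrag.exe</Command></Exec></Actions>
</Task>
'''

if __name__ == '__main__':
    for label, xml_text in (('suspect', SUSPECT_TASK), ('control', CONTROL_TASK)):
        result = triage(xml_text)
        print(label, result['uri'], '->', result['findings'] or 'nothing flagged')
```

Run against a directory of exported task files, the suspect definition is reported three times over (elevated boot trigger, an executable outside the system directories, and a vendor-style name that does not run the vendor’s binary), while the control produces nothing. The repetition rule is there because the same loader family also registers tasks that rerun a payload every few minutes; it is not exercised by the two samples above.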
According\r\nto OSINT, these files are miner malware for AMD64.\r\nThe attributes of “WR64.sys” and “cwpxsctaqxko.tmp” in Static Discovering\r\nProcess 1436: explorer.exe\r\nAfter the system reboot, “bdutbcd” (process 3984) injects “explorer.exe” (process 1436), and this is detected as Smoke.\r\nSystem reboot \u003e “bdutbcd” (process 3984) ↦ “explorer.exe” (process 1436) is detected as Smoke\r\nProcess 3984 originates from the initial Smoke instance before reboot, “explorer.exe” (process 4192). “bdutbcd” has the\r\nexact same hash as “vvlbVE_a1T9mi81qLqDvAjYH.exe”, which injected “explorer.exe” (process 4192):\r\n“C:\\Users\\admin\\AppData\\Roaming\\bdutbcd” originates from Process 4192\r\nNumerous HTTP POST requests to several hosts and IPs were observed for Process 1436:\r\nThe HTTP POST requests and the Network Stream for Process 1436\r\nLumma\r\nLumma is an information stealer first identified in 2022. It is developed in the C programming language and is known\r\nto steal sensitive information such as cryptocurrency wallets, credentials, and more. Lumma can target a wide range of\r\nsystems, ranging from Windows 7 up to 11, and has been actively evolving since its discovery. More information on\r\nLumma can be found in ANY.RUN’s Lumma Malware Trends.\r\nProcess 1588: T6OBqC4lLuNgq7EqPk6LjxrX.exe\r\nThe initial PrivateLoader “setup.exe” (process 4440) spawns “T6OBqC4lLuNgq7EqPk6LjxrX.exe” (process 2344), which\r\nin turn spawns “T6OBqC4lLuNgq7EqPk6LjxrX.exe” (process 1588). 
This is detected as Lumma.\r\nThe “setup.exe” (process 4440) \u003e “T6OBqC4lLuNgq7EqPk6LjxrX.exe” (process 2344) \u003e “T6OBqC4lLuNgq7EqPk6LjxrX.exe” (process 1588) is detected as Lumma\r\nProcess 1588 was also seen connecting to its C2 via port 80 (T1071 – Application Layer Protocol), and HTTP POST\r\nrequests to “/api” on the host cinemaretailermkw[.]fun were observed.\r\nThe HTTP POST requests made by Process 1588\r\nIn one of the POST requests to the host cinemaretailermkw[.]fun, the strings “Content-Disposition: form-data;\r\nname=”file”; filename=”file”” and “Content-Type: attachment/x-object” were observed (in green). This indicates that the\r\ncontent underneath is an uploaded file. Strings like “System.txt”, “Software.txt”, and “Screen.png” (in red) were observed\r\nwithin the content, which suggests that this file is an archive.\r\nThe Network Stream for Process 1588 between 188.114.97[.]3:80 and VM:56670\r\nThe PCAP was downloaded, and the file contents were extracted in Wireshark via “MIME Multipart Media Encapsulation, Type:\r\nmultipart/form-data, Boundary: “be85de5ipdocierre1” \u003e “Media Type” \u003e “Export Packet Bytes…”. The\r\nfile was named “file.zip”.\r\nExtracting “file.zip” from the PCAP using Wireshark\r\nThis “file.zip” was opened inside a new ANY.RUN sandbox sample. The archive contains “System.txt”,\r\n“Software.txt”, and “Screen.png”. Opening “Screen.png” shows a screenshot of the original CrackedCantil task at 6:31\r\nAM:\r\nOpening “file.zip” with WinRAR, and “Screen.png” in Photos\r\nOpening “Software.txt” and “System.txt” in Notepad showed a bunch of interesting information. “Software.txt” contained\r\nthe list of software installed in the ANY.RUN sandbox system. 
“System.txt” contained the Lumma ID, the\r\nTelegram handle (@lummanowork), and system information like the PC name, user, OS version, HWID, screen resolution,\r\nlanguage, CPU name, GPU, and physically installed memory.\r\nIn another POST request to the host cinemaretailermkw[.]fun, something similar was observed. Strings like\r\n“Edge/BrowserVersion.txt”, “Edge/dp.txt”, and “Edge/Default/History” (in red) were observed within the content, which\r\nsuggests that this file is also an archive.\r\nThe Network Stream for Process 1588 between 188.114.96[.]3:80 and VM:53676\r\nThe PCAP was downloaded, and the file contents were extracted with the method described above. This file was\r\nnamed “file2.zip”, and was opened inside a new sample. It contained a folder “Edge”, whose contents can be\r\nviewed with the command “tree /F” and contain various Edge-related information:\r\nThe contents of “file2.zip”\r\n“History” contained the Edge browser history, “Login Data” contained the Edge browser login data, “Cookies” contained\r\nthe Edge browser cookies, and more:\r\nA section of “Edge/Default/Login Data”, “Edge/Default/History”\r\nIn another POST request to the host cinemaretailermkw[.]fun, something similar was observed. Strings like “Mozilla\r\nFirefox/8o2qovza.default-release/key4.db” (in red) were observed within the content.\r\nThe Network Stream for Process 1588 between 188.114.97[.]3:80 and VM:54018\r\nThe file contents were extracted and named “file3.zip”. 
It was opened inside an ANY.RUN sample, which contained a\r\nfolder “Mozilla Firefox”:\r\nThe contents of “file3.zip”\r\nIt contained .db, .sqlite, and .json files with various Firefox-related information, like the Firefox browser history, metadata,\r\nbookmarks, and credentials:\r\nSections of the database files containing sensitive Firefox information\r\nThe contents of “logins.json” in Static Discovering, which contains the encrypted username and password\r\nThe information in these archive files is exfiltrated via HTTP by Process 1588.\r\nProcess 4360: RegSvcs.exe\r\nThe initial PrivateLoader “setup.exe” (process 4440) spawns “cuS4AGoWkhss2UsAPWfpvGrK.exe” (process 2452),\r\nwhich spawns “RegSvcs.exe” (process 4360). This is also detected as Lumma.\r\nLumma is detected\r\n“RegSvcs.exe” (process 4360) is located in “C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\”. It is part of the\r\nMicrosoft .NET Framework version 4.0.30319: the .NET Services Installation Tool, used to register serviced components\r\nwith COM+. However, “RegSvcs.exe” is known to be abused by malware for loading and executing malicious .NET\r\nassemblies. More details can be found in Perception Point’s Lumma Analysis.\r\nProcess 4360 is seen connecting to its C2, 104.21.88[.]119, via port 80 (T1071 – Application Layer Protocol). HTTP POST\r\nrequests to “/api” on the host ensurerecommendedd[.]pw were observed.\r\nThe HTTP POST requests made by Process 4360\r\nIn the HTTP POST requests, behavior nearly identical to that of “T6OBqC4lLuNgq7EqPk6LjxrX.exe” (process 1588) was\r\nobserved, where various archive files containing browser (Edge, Firefox) information, system information, and\r\nscreenshots were exfiltrated via HTTP. 
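The Wireshark step used above (Export Packet Bytes on the multipart/form-data part) can be automated for every exfiltration POST in a capture. The following is an added example written for this edit, not code from the original post or from ANY.RUN. It takes the raw bytes of one HTTP request, as obtained by following a TCP stream, splits the multipart body on its boundary, and returns each uploaded part. The request it runs on is constructed here: it reuses the boundary “be85de5ipdocierre1”, the part headers, the defanged host and the member names the post reports, but the archive is a small zip built inline, not the real exfiltrated data.

```python
import io
import zipfile

CRLF = bytes([13, 10])   # HTTP line terminator, spelled out without escape sequences
DQUOTE = bytes([34])     # the double-quote character


def parse_headers(block):
    # 'Name: value' lines into a dict with lower-cased names. Works for the request
    # headers and for the per-part headers inside the multipart body.
    headers = {}
    for line in block.split(CRLF):
        if b':' in line:
            name, value = line.split(b':', 1)
            headers[name.strip().lower().decode('latin-1')] = value.strip().decode('latin-1')
    return headers


def disposition_param(disposition, key):
    # Value of key=... in a Content-Disposition header ('form-data; name=...; filename=...').
    for item in disposition.split(';'):
        item = item.strip()
        if item.startswith(key + '='):
            return item[len(key) + 1:].strip(chr(34))
    return ''


def carve_multipart_files(request):
    # request: raw bytes of one HTTP request (headers + body), e.g. a followed TCP stream.
    # Returns (field name, filename, part content-type, payload bytes) for every part
    # that carries a filename, i.e. an uploaded file rather than a plain form field.
    head, _, body = request.partition(CRLF + CRLF)
    ctype = parse_headers(head).get('content-type', '')
    if 'multipart/form-data' not in ctype or 'boundary=' not in ctype:
        return []
    boundary = ctype.split('boundary=', 1)[1].strip().strip(chr(34)).encode('latin-1')
    files = []
    for part in body.split(b'--' + boundary)[1:]:
        if part.startswith(b'--'):          # closing delimiter: --boundary--
            break
        if part.startswith(CRLF):
            part = part[len(CRLF):]
        part_head, _, payload = part.partition(CRLF + CRLF)
        if payload.endswith(CRLF):          # the CRLF before the next delimiter is not data
            payload = payload[:-len(CRLF)]
        part_headers = parse_headers(part_head)
        disposition = part_headers.get('content-disposition', '')
        if 'filename=' not in disposition:
            continue
        files.append((disposition_param(disposition, 'name'),
                      disposition_param(disposition, 'filename'),
                      part_headers.get('content-type', ''),
                      payload))
    return files


def archive_members(payload):
    # Member names of a carved zip, read from memory; nothing is extracted to disk.
    with zipfile.ZipFile(io.BytesIO(payload)) as zf:
        return zf.namelist()


def build_sample_request():
    # Constructed stand-in for the POST /api seen in the capture. The archive is a
    # small zip made here with the member names the post reports, not the real data.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        zf.writestr('System.txt', 'constructed placeholder for the system report')
        zf.writestr('Software.txt', 'constructed placeholder for the software list')
        zf.writestr('Screen.png', 'constructed placeholder, not a real PNG')
    boundary = b'be85de5ipdocierre1'
    body = CRLF.join([
        b'--' + boundary,
        b'Content-Disposition: form-data; name=' + DQUOTE + b'file' + DQUOTE
        + b'; filename=' + DQUOTE + b'file' + DQUOTE,
        b'Content-Type: attachment/x-object',
        b'',
        buf.getvalue(),
        b'--' + boundary + b'--',
        b'',
    ])
    head = CRLF.join([
        b'POST /api HTTP/1.1',
        b'Host: cinemaretailermkw[.]fun',
        b'Content-Type: multipart/form-data; boundary=' + boundary,
        b'Content-Length: ' + str(len(body)).encode('ascii'),
        b'',
        b'',
    ])
    return head + body


if __name__ == '__main__':
    for name, filename, ctype, payload in carve_multipart_files(build_sample_request()):
        print(name, filename, ctype, len(payload), 'bytes')
        if payload.startswith(b'PK'):   # zip magic; the declared content-type is not trustworthy
            print('  members:', archive_members(payload))
```

The declared part type (“attachment/x-object”) says nothing about the real format, so the payload is identified by its leading bytes rather than by the header; a non-multipart request yields an empty list instead of an exception, so the function can be run over every request in a stream without a wrapper.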
An archive file containing Chrome browser information was also observed\r\nfor Process 4360, and this was opened in this sample.\r\nThe Network Stream comparison\r\nUnarchiving “file4.zip” reveals various files containing sensitive information related to Chrome. For example,\r\n“Chrome/Default/History” contained the Chrome browser history, which included the Google search query “ida pro crack\r\ndownload”. It also included the URLs of the sites visited earlier in the Analyzing the Behavior in a Sandbox section.\r\nA section of “Chrome/Default/History”\r\nRedLine\r\nRedLine is a .NET malware written in C#, and was first identified in 2020. RedLine is known to act as an infostealer that\r\ncollects information like passwords, credit cards, cookies, location, and more. Additionally, RedLine can be used to deliver\r\nmore malware, like ransomware, RATs, trojans, miners, and more. More information on RedLine can be found in\r\nANY.RUN’s RedLine Malware Trends.\r\nProcess 6280: AppLaunch.exe\r\nThe initial PrivateLoader “setup.exe” (process 4440) spawns “nNjCpnjCODqx6RJUBNXhaAHF.exe” (process 5764).\r\nThis spawns “AppLaunch.exe” (process 6280), which is detected as RedLine.\r\nRedLine is detected\r\nThe “AppLaunch.exe” (process 6280) is located in “C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\”. It is part\r\nof the Microsoft .NET Framework version 4.0.30319 and is normally used for launching .NET Framework applications\r\n(it is the ClickOnce launch utility). However, the RedLine payload is known to be injected into “AppLaunch.exe” and other\r\nlegitimate processes to conduct malicious activities while evading detection. More details can be found in Netskope’s\r\nRedLine Stealer Analysis. 
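Both the Lumma payload in “RegSvcs.exe” and the RedLine payload in “AppLaunch.exe” run inside legitimate, signed .NET Framework binaries, so the image on disk is clean; what gives them away is who started them and whether they talk to the network. The script below is an added example written for this edit, not code from the original post or from ANY.RUN. It runs a small set of rules over process-creation and network-connection events in a simplified pipe-delimited key=value form (an assumption of the example; real Sysmon events are XML). The process names, PIDs, parent names, and the C2 address and port of Process 4360 are those the post reports; the post does not give the directory of the two parent executables, so placing them in the “Minor Policy” folder is an assumption, and the msiexec control event is constructed.

```python
from pathlib import PureWindowsPath

# Legitimate .NET Framework binaries that stealers re-use as injection targets.
DOTNET_HOSTS = {'regsvcs.exe', 'regasm.exe', 'installutil.exe', 'applaunch.exe', 'msbuild.exe'}
# Registration utilities among them: they never need a network connection of their own.
NO_NETWORK_EXPECTED = {'regsvcs.exe', 'regasm.exe', 'installutil.exe'}
# Parent locations from which spawning a .NET host is unexpected (assumption of this example).
USER_WRITABLE = ('c:/users/', 'c:/programdata/')
# Egress ports treated as ordinary; anything else from a .NET host is reported.
COMMON_PORTS = {80, 443}


def parse_event(line):
    # One pipe-delimited key=value event into a dict. Stand-in for Sysmon event ID 1
    # (process creation) and event ID 3 (network connection).
    return dict(item.split('=', 1) for item in line.strip().split('|'))


def posix_lower(path):
    return PureWindowsPath(path).as_posix().lower()


def detect(lines):
    # Returns (pid, image name, reason) for every event that matches a rule.
    flagged = set()   # pids whose creation already looked wrong
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        pid = ev['ProcessId']
        image = PureWindowsPath(ev['Image']).name.lower()
        if image not in DOTNET_HOSTS:
            continue
        if ev['EventID'] == '1':
            if posix_lower(ev['ParentImage']).startswith(USER_WRITABLE):
                flagged.add(pid)
                findings.append((pid, image, 'spawned from a user-writable path by ' + ev['ParentImage']))
        elif ev['EventID'] == '3':
            dest = ev['DestinationIp'] + ':' + ev['DestinationPort']
            if image in NO_NETWORK_EXPECTED:
                findings.append((pid, image, 'registration tool opened a connection to ' + dest))
            elif int(ev['DestinationPort']) not in COMMON_PORTS:
                findings.append((pid, image, 'egress on a non-standard port to ' + dest))
            elif pid in flagged:
                findings.append((pid, image, 'egress to ' + dest + ' by a suspiciously spawned host'))
    return findings


DOTNET = 'C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\'
MINOR_POLICY = 'C:\\Users\\admin\\Pictures\\Minor Policy\\'   # parent location: assumption

# Constructed events: process names, PIDs and the 4360 destination are the post's,
# the parent directory and the control event are the example's.
SAMPLE_LOG = [
    'EventID=1|ProcessId=4360|Image=' + DOTNET + 'RegSvcs.exe|ParentProcessId=2452|ParentImage=' + MINOR_POLICY + 'cuS4AGoWkhss2UsAPWfpvGrK.exe',
    'EventID=3|ProcessId=4360|Image=' + DOTNET + 'RegSvcs.exe|DestinationIp=104.21.88.119|DestinationPort=80',
    'EventID=1|ProcessId=6280|Image=' + DOTNET + 'AppLaunch.exe|ParentProcessId=5764|ParentImage=' + MINOR_POLICY + 'nNjCpnjCODqx6RJUBNXhaAHF.exe',
    # benign control: an installer registering a COM+ assembly from a system location
    'EventID=1|ProcessId=7100|Image=' + DOTNET + 'RegSvcs.exe|ParentProcessId=900|ParentImage=C:\\Windows\\System32\\msiexec.exe',
]

if __name__ == '__main__':
    for pid, image, reason in detect(SAMPLE_LOG):
        print(pid, image, reason)
```

The port-80 connection from “RegSvcs.exe” is reported even though the port itself is ordinary, because a registration tool has no reason to open a socket at all; the same connection from “AppLaunch.exe” would only be reported because its creation had already been flagged.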
\r\nProcess 6280 was seen repeatedly connecting to 45.15[.]156.187 over port 23929 (T1571 – Non-Standard Port):\r\nConnections to 45.15[.]156.187 via port 23929 by Process 6280\r\nThe uploaded data was identical in every connection and contained “net.tcp://45.15.156[.]187:23929/” (net.tcp:// is the\r\nURI scheme of the WCF NetTcp binding):\r\nThe malware configuration for RedLine reveals the C2, Botnet, and Keys. The Botnet is “LogsDiller Cloud (Telegram:\r\n@logsdillabot)”; according to OSINT, this account sells various logs.\r\nThe Malware Configuration for “AppLaunch.exe”\r\nRisePro\r\nRisePro is an information-stealing malware first identified in 2022. It is known to steal credit card, password, and\r\ncrypto-wallet information. RisePro is written in C++, and employs a system of embedded DLL dependencies. More information\r\non RisePro can be found in ANY.RUN’s RisePro Malware Analysis: Exploring C2 Communication of a New Version.\r\nProcess 3004: 3Pvvg68HWOfBwJ9BdOsWgpEz.exe\r\nThe initial PrivateLoader “setup.exe” (process 4440) spawns “3Pvvg68HWOfBwJ9BdOsWgpEz.exe” (process 3004),\r\nwhich is detected as RisePro.\r\nRisePro is detected\r\nProcess 3004 runs commands that create two scheduled tasks, “OfficeTrackerNMP131 HR” and\r\n“OfficeTrackerNMP131 LG”. 
They run “C:\\ProgramData\\OfficeTrackerNMP131\\OfficeTrackerNMP131.exe” on an\r\nhourly basis and at user logon with the highest run level as the user “admin” (T1497.003 – Virtualization/Sandbox\r\nEvasion: Time Based Evasion, and T1053.005 – Scheduled Task/Job: Scheduled Task).\r\nProcess 3004 runs the lines surrounded in green\r\nThis executable is dropped by Process 3004:\r\nProcess 3004 drops “C:\\ProgramData\\OfficeTrackerNMP131\\OfficeTrackerNMP131.exe”\r\nThe “OfficeTrackerNMP131.exe” (process 3940) is run by the Task Scheduler after the system reboot (T1497.003 and\r\nT1053.005). Detonating “OfficeTrackerNMP131.exe” independently in this sample reveals that it is RisePro\r\nmalware.\r\nThe “3Pvvg68HWOfBwJ9BdOsWgpEz.exe” (process 3004) creates a file in the Startup directory, namely\r\n“C:\\Users\\admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\FANBooster131.lnk”. Persistence\r\nmay be achieved by adding a program to a startup folder, which causes the referenced program to be executed upon login\r\n(T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder).\r\nProcess 3004 creates files in the Startup directory\r\nThe “FANBooster131.lnk” is a LNK file, which is a shortcut that points to\r\n“C:\\Users\\admin\\AppData\\Local\\Temp\\FANBooster131\\FANBooster131.exe”:\r\n“FANBooster131.lnk” points to “FANBooster131.exe”\r\n“FANBooster131.exe” is dropped by Process 3004, and has the exact same hash as “OfficeTrackerNMP131.exe”. The\r\n“FANBooster131.exe” (process 7056) starts upon user login. 
Detonating “FANBooster131.exe” independently in this\r\nsample reveals that it is also RisePro malware.\r\nProcess 3004 drops “C:\\Users\\admin\\AppData\\Local\\Temp\\FANBooster131\\FANBooster131.exe”\r\nProcess 5076: Iq4tpcuftnMe73YjwlKR3YVy.exe\r\nThe initial PrivateLoader “setup.exe” (process 4440) spawns “Iq4tpcuftnMe73YjwlKR3YVy.exe” (process 5076), which is\r\ndetected as RisePro.\r\nSimilar to “3Pvvg68HWOfBwJ9BdOsWgpEz.exe” (process 3004), the “Iq4tpcuftnMe73YjwlKR3YVy.exe” (process\r\n5076) creates scheduled tasks called “OfficeTrackerNMP1 LG” and “OfficeTrackerNMP1 HR”. These run\r\n“C:\\ProgramData\\OfficeTrackerNMP1\\OfficeTrackerNMP1.exe” at user logon and on an hourly basis with the highest\r\nrun level as the user “admin”. Detonating “OfficeTrackerNMP1.exe” independently in this sample reveals that it is also\r\nRisePro malware.\r\nProcess 5076 runs the lines surrounded in green\r\nThe Malware Configuration contained the C2 IP addresses, which were 193[.]223.132.51 and 195[.]20.16.45.\r\nAmadey\r\nAmadey is a very versatile malware first identified in 2018, and can act as a loader or an infostealer. It can perform a wide\r\nrange of malicious activities, including reconnaissance, data exfiltration, and loading more payloads. More information on\r\nAmadey can be found in ANY.RUN’s Amadey Malware Trends.\r\nProcess 4124: 5RfuRxo3fpxiWkD42DRCixRe.exe\r\nThe initial PrivateLoader “setup.exe” (process 4440) spawns another PrivateLoader “wlC578T8hWfvZ2yJxLzrF38Y.exe”\r\n(process 1916). 
This spawns “5RfuRxo3fpxiWkD42DRCixRe.exe” (process 4124), which is detected as Amadey.\r\nAmadey is detected\r\nProcess 4124 creates a scheduled task called “5RfuRxo3fpxiWkD42DRCixRe.exe” that runs\r\n“C:\\Users\\admin\\Pictures\\Minor Policy\\5RfuRxo3fpxiWkD42DRCixRe.exe” every minute.\r\nProcess 4124 uses the Task Scheduler to run other applications\r\nProcess 4124 also changes the autorun value in the registry. The Registry key\r\n“HKEY_CURRENT_USER\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\USER SHELL\r\nFOLDERS” stores the paths to important system folders for the current user, which include the Desktop, Startup, etc. For\r\n“STARTUP”, the value is now “%USERPROFILE%\\APPDATA\\ROAMING\\MICROSOFT\\WINDOWS\\START\r\nMENU\\PROGRAMS\\STARTUP”. This means that the path to the Startup folder has been changed by Process 4124, and\r\nwhatever is in “AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup” will now execute every time\r\nupon login (T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder).\r\nProcess 4124 creates autorun value in the registry\r\nThese are the files in the “AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup” directory, and include\r\nLNK files that point to RisePro malware (FANBooster131.exe ANY.RUN task, PowerExpertNT.exe ANY.RUN task):\r\nThe files under the “AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup” directory\r\nStealc\r\nStealc is an information-stealing malware first identified in 2023. 
It is written in C and utilizes WinAPI functions, and is\r\nknown to steal sensitive information from browsers and exfiltrate the information to the C2 using HTTP POST requests.\r\nThe development of Stealc relies on other stealers such as Vidar, Raccoon, RedLine, and Mars. More information on Stealc\r\ncan be found in Malpedia’s Stealc.\r\nProcess 2412: hzQj407t3pAeMkmtH8lxdDg1.exe\r\nThe initial PrivateLoader “setup.exe” (process 4440) spawns “hzQj407t3pAeMkmtH8lxdDg1.exe” (process 2412), which\r\nis detected as Stealc.\r\nStealc is detected\r\n“hzQj407t3pAeMkmtH8lxdDg1.exe” (process 2412) is located in “C:\\Users\\admin\\Pictures\\Minor Policy\\”, and is seen\r\nconnecting to its C2, 5.42.64[.]41 via port 80. An HTTP POST request “/40d570f44e84a454.php” to the host 5.42.64[.]41 was\r\nobserved:\r\nThe Network Stream for Process 2412 between 5.42.64[.]41:80 and VM:52705\r\nHowever, Process 2412 crashes after a while. Detonating “hzQj407t3pAeMkmtH8lxdDg1.exe” independently in the task\r\nreveals the malware configuration, which includes the C2, Keys, and Strings:\r\nThe Malware Configuration for “hzQj407t3pAeMkmtH8lxdDg1.exe”\r\nSocks5Systemz\r\nSocks5Systemz is a proxy bot malware that is known to infect devices through PrivateLoader and Amadey.\r\nSocks5Systemz turns infected devices into traffic-forwarding proxies for malicious traffic and connects to its C2 server\r\nwith a DGA. More information on Socks5Systemz can be found in BleepingComputer’s Socks5Systemz proxy service\r\ninfects 10,000 systems worldwide.\r\nProcess 6364: DTPanelQT.exe\r\nThe initial PrivateLoader “setup.exe” (process 4440) spawns “69wM7sx_H1qc_If9hwYqEhWr.exe” (process 4960), which\r\nspawns “69wM7sx_H1qc_If9hwYqEhWr.tmp” (process 5560). 
This spawns “DTPanelQT.exe” (process 6364), which is\r\ndetected as Socks5Systemz.\r\nSocks5Systemz is detected\r\nProcess 6364 was seen connecting to its C2, 185.196.8[.]22 via port 80 (T1071 – Application Layer Protocol). Numerous\r\nGET requests to the host ercwwol[.]ua were observed:\r\nThe HTTP GET requests and the Network Stream for Process 6364\r\nIt is also seen connecting to 176.9.47[.]240 via port 2023, which is a non-typical protocol and port pairing (T1571 – Non-Standard Port):\r\nConnections to 176.9.47[.]240 via port 2023 by Process 6364\r\nThe data sent to 176.9.47[.]240 via port 2023 appears to be a list of IP addresses and ports in the syntax “[IP\r\nADDRESS]:[PORT];”, and all the contents were identical:\r\nThe Network Stream\r\nProcess 4120: TacDecoLIB.exe\r\nThe initial PrivateLoader “setup.exe” (process 4440) spawns “H0jrwuNM7IG2q266V2EfAiVo.exe” (process 4548), which\r\nspawns “rjcJoThBdrYU.exe” (process 6880), which in turn spawns “rjcJoThBdrYU.tmp” (process 4900). This spawns\r\n“TacDecoLIB.exe” (process 4120), which is also detected as Socks5Systemz.\r\nSocks5Systemz process tree\r\nProcess 4120 was also seen connecting to its C2, 185.196.8[.]22 via port 80, and 176.9.47[.]240 via port 2023. This is the\r\nsame as “DTPanelQT.exe” (process 6364), except to the host aitmrzn[.]ru instead of ercwwol[.]ua. 
The data sent to\r\n176.9.47[.]240 via port 2023 appears to be a list of IP addresses and ports, which was identical to that of Process 6364.\r\nThe HTTP GET requests by Process 4120\r\nSTOP\r\nSTOP is ransomware that encrypts user data, and the encrypted file extensions include .hhaz, .djvuu, .ljaz, and more.\r\nDJVU is a variant of the STOP ransomware and can include several layers of obfuscation, which makes analysis more\r\ndifficult. STOP/DJVU was first seen in 2018, and is known to use AES-256 and Salsa20 for encryption. DJVU is known to\r\ncollaborate with other malware; for example, it works with infostealer malware to steal sensitive information before the\r\nfiles are encrypted. More information on STOP/DJVU can be found in BlackBerry’s DJVU: The Ransomware That Seems\r\nStrangely Familiar.\r\nProcess 6412: TzjwSXczmD2hOVANbz7L7Roc.exe\r\nThe initial PrivateLoader “setup.exe” (process 4440) spawns “TzjwSXczmD2hOVANbz7L7Roc.exe” (process 4944),\r\nwhich spawns “TzjwSXczmD2hOVANbz7L7Roc.exe” (process 6380), which spawns\r\n“TzjwSXczmD2hOVANbz7L7Roc.exe” (process 6808). This finally spawns “TzjwSXczmD2hOVANbz7L7Roc.exe”\r\n(process 6412). This is detected as STOP.\r\nSTOP is detected\r\nIt uses the command line “–Admin IsNotAutoStart IsNotTask”, meaning that it runs using admin privileges, and specifies to not\r\nautomatically start or run as a task. The purpose is likely to allow the infostealers (Lumma, RedLine, RisePro, Amadey,\r\nStealc) to steal sensitive information before the ransomware encrypts the files.\r\nThe Network Stream\r\nIt was seen making HTTP GET requests “/test2/get.php?pid=47DCC01E8C1FE7754757A5DC66C0F42F\u0026first=true” to\r\nthe host zexeq[.]com, and the response contained a public key (in green). 
The MAC address for the system is\r\n52:54:00:4a:ad:11, and converting this to upper case and generating the MD5 hash reveals that it is identical to the string\r\nin the GET request (in red):\r\nProcess 6328: TzjwSXczmD2hOVANbz7L7Roc.exe\r\nAfter the system reboot, the process “TzjwSXczmD2hOVANbz7L7Roc.exe” (process 2404) spawns\r\n“TzjwSXczmD2hOVANbz7L7Roc.exe” (process 6328), which is detected as STOP.\r\nSTOP process tree\r\nThis time, it uses the command line “–AutoStart” to automatically start:\r\nThe lines surrounded in green are used to specify the task options\r\nProcess 6328 creates a file “geo[1].json” under\r\n“C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\J0KBFYBW\\”. This JSON file contains EXIF, which\r\nincludes location information such as the City, Country, Ip, Latitude, Longitude, Region, etc.\r\nThe attributes and contents of “geo[1].json” in Static Discovering\r\nA few seconds after reboot and login, it starts encrypting files and appends the “.hhaz” extension (T1486 – Data Encrypted\r\nfor Impact).\r\nProcess 6328 encrypts various files\r\nThe files with the .hhaz extension contained the string “{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}” at the very end.\r\nThis is a mutex, and is used by ransomware to avoid double-encrypting files.\r\nThe contents of a .hhaz file, including the mutex\r\nConclusion\r\nThis deep dive explored the dangers of cracked software, traits and behaviors of several notorious malware families, and\r\nhow they can work together to deliver a powerful infection in a symphonious manner.\r\nThe malware symphony in this CrackedCantil included Loaders, Infostealers, Cryptominers, Proxy Bot malware, and\r\nRansomware. 
The Loaders (PrivateLoader, Smoke) dropped several notorious malware families onto the system, the Infostealers\r\n(Lumma, RedLine, RisePro, Amadey, Stealc) stole various sensitive information before the ransomware encrypted the\r\nfiles, the Proxy Bot malware (Socks5Systemz) turned the system into a proxy bot, and the Ransomware (STOP) encrypted\r\nthe files and demanded ransom for recovery.\r\nThis malware was named “CrackedCantil” by the author (of the article, not the malware), Lena (aka LambdaMamba).\r\nAbout ANY.RUN\r\nANY.RUN is an interactive malware analysis sandbox that streamlines the work of SOC and DFIR teams. Our service is\r\ntrusted by 300,000 professionals worldwide who use it to investigate both emerging and persistent threats.\r\nRequest a free trial of ANY.RUN for 14 days to explore all the features we offer.\r\nAppendix 1: IOCs\r\nGoogle Groups URL: hxxps://groups.google[.]com/g/exhibitor-users/c/eQTt-Z_Bnbw\r\nShortened URL: hxxps://byltly[.]com/2wIwtU\r\nRedirect URL: hxxps://airfiltersing[.]com/CRACK+IDA+Pro+V6+8+150423+And+HEX-Rays+Decompiler+ARM+X86+X64-iDAPROl.zip\r\nFile Hosting URL: hxxps://afashionstudio[.]com/b/release.rar\r\nFilename MD5\r\nrelease.rar 57AB5E01E6E92D13AE33E587004AD918\r\nPrivateLoader\r\nFilename IP\r\nC:\\Users\\admin\\Desktop\\setup.exe 185[.]216.70.235, 195[.]20.16.45, 172[.]67.75.163, 34[.]117.59.81, 87[.]240.129.133, 5[.]42.64.35, 109[.]107.182.3, 176[.]113.115.84, 194[.]33.191.102, 91[.]215.85.209, 104[.]192.141.1, 188[.]114.97.3, 188[.]114.96.3, 54[.]231.234.241, 23[.]37.62.128, 
18[.]66.142.79\r\nC:\\Users\\admin\\Pictures\\Minor Policy\\vRNddZqIkwaYVpHLFkGcr1Tk.exe 195[.]20.16.45, 172[.]67.75.163, 34[.]117.59.81, 195[.]20.16.45, 195[.]20.16.46, 87[.]240.129.133, 172[.]67.147.32, 104[.]21.4.208\r\nC:\\Users\\admin\\Pictures\\Minor Policy\\wlC578T8hWfvZ2yJxLzrF38Y.exe 45[.]15.156.229, 172[.]67.75.163, 34[.]117.59.81, 87[.]240.129.133, 185[.]172.128.19, 87[.]240.137.140\r\nSmoke\r\nFilename MD5\r\nC:\\Users\\admin\\Pictures\\Minor Policy\\vvlbVE_a1T9mi81qLqDvAjYH.exe DF1CA8FEDCF81BC2A5E456465E56FCEF\r\nC:\\Users\\admin\\AppData\\Roaming\\bdutbcd DF1CA8FEDCF81BC2A5E456465E56FCEF\r\nLumma\r\nFilename IP\r\nC:\\Users\\admin\\Pictures\\Minor Policy\\T6OBqC4lLuNgq7EqPk6LjxrX.exe 188[.]114.97.3\r\nC:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe 104[.]21.88.119\r\nRedLine\r\nFilename IP\r\nC:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe 45[.]15.156.187\r\nRisePro\r\nFilename MD5 IP\r\nC:\\Users\\admin\\Pictures\\Minor Policy\\3Pvvg68HWOfBwJ9BdOsWgpEz.exe EF5C1EC128AC1822358D9281DCF3B710 193[.]233.132.51\r\nC:\\Users\\admin\\Pictures\\Minor Policy\\Iq4tpcuftnMe73YjwlKR3YVy.exe E8EB594C3BB064E91514C6A9C93B22FF 195[.]20.16.45\r\nAmadey\r\nFilename MD5 IP\r\nC:\\Users\\admin\\Pictures\\Minor Policy\\5RfuRxo3fpxiWkD42DRCixRe.exe 0099A99F5FFB3C3AE78AF0084136FAB3 185[.]172.128.19, 13[.]32.121.85, 18[.]66.142.79\r\nStealc\r\nFilename MD5 IP\r\nC:\\Users\\admin\\Pictures\\Minor Policy\\hzQj407t3pAeMkmtH8lxdDg1.exe C6570BB5720D82B807160D350D83EE07 5[.]42.64.41\r\nSocks5Systemz\r\nFilename IP\r\nC:\\Program Files (x86)\\DTPanelQT\\DTPanelQT.exe 172[.]67.148.28, 185[.]196.8.22, 176[.]9.47.240\r\nC:\\Program 
Files (x86)\\TacDecoLIB\\TacDecoLIB.exe 172[.]67.148.28, 185[.]196.8.22, 176[.]9.47.240\r\nSTOP\r\nFilename MD5 IP\r\nC:\\Users\\admin\\Pictures\\Minor Policy\\TzjwSXczmD2hOVANbz7L7Roc.exe 89F6A0761EB024C46520A74ABB7868A9 188[.]114.97.3, 190[.]224.203.37\r\nC:\\Users\\admin\\AppData\\Local\\9fd99086-6e14-4786-92b0-465dc82ad88d\\TzjwSXczmD2hOVANbz7L7Roc.exe 89F6A0761EB024C46520A74ABB7868A9 188[.]114.97.3\r\nAppendix 2: MITRE MATRIX\r\nTA0002: Execution\r\nT1204: User Execution – Rely upon specific actions by a user in order to gain execution.\r\nT1053: Scheduled Task – Task scheduling functionality may be abused to facilitate initial or recurring execution of malicious code.\r\nTA0003: Persistence\r\nT1053: Scheduled Task – Task scheduling functionality may be abused to facilitate initial or recurring execution of malicious code.\r\nT1547: Boot or Logon Autostart Execution – System settings may be configured to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges.\r\nT1176: Browser Extensions – Internet browser extensions may be abused to\r\nTA0004: Privilege Escalation\r\nT1053: Scheduled Task – Task scheduling functionality may be abused to facilitate initial or recurring execution of malicious code.\r\nT1547: Boot or Logon Autostart Execution – System settings may be configured to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges.\r\nTA0005: Defense Evasion\r\nT1497: Virtualization/Sandbox Evasion – Various methods may be employed to detect and avoid virtualization and analysis environments.\r\nT1562: Impair Defenses – Components of a victim environment may be maliciously modified in order to hinder or disable defensive mechanisms.\r\nT1070: Indicator Removal – Artifacts generated 
within systems may be deleted or modified to remove evidence of their presence or hinder defenses.\r\nTA0006: Credential Access\r\nT1552: Unsecured Credentials – Search compromised systems to find and obtain insecurely stored credentials.\r\nT1555: Credentials from Password Stores – Search for common password storage locations to obtain user credentials.\r\nTA0007: Discovery\r\nT1497: Virtualization/Sandbox Evasion – Various methods may be employed to detect and avoid virtualization and analysis environments.\r\nT1518: Software Discovery – Get a listing of software and software versions that are installed.\r\nT1012: Query Registry – Interact with the Windows Registry to gather information.\r\nT1082: System Information Discovery – Get detailed information about the operating system and hardware.\r\nTA0011: Command and Control\r\nT1071: Application Layer Protocol – Communicate using OSI application layer protocols to avoid detection.\r\nT1571: Non-Standard Port – Communicate using a protocol and port pairing that are typically not associated.\r\nTA0040: Impact\r\nT1486: Data Encrypted for Impact – Encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources.\r\n*Not every tactic and technique involved is included due to the complexity\r\n
Source: https://any.run/cybersecurity-blog/crackedcantil-breakdown/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://any.run/cybersecurity-blog/crackedcantil-breakdown/"
	],
	"report_names": [
		"crackedcantil-breakdown"
	],
	"threat_actors": [],
	"ts_created_at": 1775434436,
	"ts_updated_at": 1775791258,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/67d57821edabc8568a2be2ec4cbe9e3a25d4aed1.pdf",
		"text": "https://archive.orkl.eu/67d57821edabc8568a2be2ec4cbe9e3a25d4aed1.txt",
		"img": "https://archive.orkl.eu/67d57821edabc8568a2be2ec4cbe9e3a25d4aed1.jpg"
	}
}