Keypoints
- Infection begins via cracked-software distribution (release.rar → setup.exe), where user execution launches PrivateLoader which downloads multiple payloads.
- PrivateLoader spawns numerous secondary payloads (Smoke, Lumma, RedLine, RisePro, Amadey, Stealc, Socks5Systemz, STOP) and communicates with multiple C2 IPs over HTTP and nonstandard ports.
- Loaders (Smoke, PrivateLoader) inject into system processes and modify browser extensions and scheduled tasks for persistence and sandbox/time-based evasion (e.g., GoogleUpdateTaskMachineQC, OfficeTracker tasks, Startup folder shortcuts).
- Infostealers (Lumma, RedLine, RisePro, Amadey, Stealc) collect browser histories, cookies, login data, system info and screenshots, bundling them into archives and exfiltrating via HTTP POST multipart/form-data observed in PCAPs.
- Socks5Systemz converts hosts into proxy bots, issuing GET/POST and custom port traffic and sending lists of IP:port entries; miners (updater.exe, WR64.sys) are deployed and scheduled to run at boot.
- STOP/DJVU ransomware runs later in the chain, appends extensions like .hhaz/.djvuu, creates ransom notes, and uses a mutex to prevent double encryption.
MITRE Techniques
- [T1204] User Execution – Initial compromise relies on user action: (‘Double-clicking on “setup.exe” will execute the application.’)
- [T1053] Scheduled Task – Adversaries create/modify scheduled tasks for persistence and execution: (‘creates a scheduled task called “OfficeTrackerNMP131 HR” and “OfficeTrackerNMP131 LG”.’)
- [T1547] Boot or Logon Autostart Execution – Persistence via startup entries and registry autorun changes: (‘Process 4124 also changes the autorun value in the registry.’)
- [T1176] Browser Extensions – Abused browser extension folder to maintain access: (‘modifying files in the Chrome extension folder’)
- [T1497] Virtualization/Sandbox Evasion – Time-based and scheduled execution used to evade analysis: (‘to evade analysis environments with time-based methods’)
- [T1562.001] Impair Defenses: Disable or Modify Tools – Malware modifies Defender exclusions to avoid detection: (‘tell the Windows Defender to ignore the current user’s profile folder … during scans.’)
- [T1070] Indicator Removal – Remove or alter artifacts to hinder detection: (‘Artifacts generated within systems may be deleted or modified to remove evidence of their presence or hinder defenses.’)
- [T1552] Unsecured Credentials – Search for insecurely stored credentials on compromised systems: (‘Search compromised systems to find and obtain insecurely stored credentials.’)
- [T1555] Credentials from Password Stores – Harvest from password/storage locations (browsers): (‘Search for common password storage locations to obtain user credentials.’)
- [T1518] Software Discovery – Gather installed software/version info (used by stealers): (‘Get a listing of software and software versions that are installed.’)
- [T1012] Query Registry – Use registry queries for discovery/persistence checks: (‘Interact with the Windows Registry to gather information.’)
- [T1082] System Information Discovery – Collect OS/hardware data for profiling: (‘Get detailed information about the operating system and hardware.’)
- [T1071] Application Layer Protocol – C2 over HTTP for commands and exfiltration: (‘HTTP requests “/api/tracemap.php” and “/api/firegate.php” were made to the host 185[.]216.70.235 and 195.20.16[.]45’)
- [T1571] Non-Standard Port – Use of atypical ports for C2 (e.g., 23929, 2023): (‘Process 6280 was seen repeatedly connecting to 45.15[.]156.187 over port 23929’)
- [T1486] Data Encrypted for Impact – Ransomware encrypts files and appends extensions: (‘a bunch of processes are spawned … the “.hhaz” extension is added to the files, indicating they were encrypted’)
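To show how the technique list above turns into something a SOC can run, here is an added triage script (not part of the ANY.RUN write-up) that maps simplified endpoint and network events to the MITRE IDs listed. The event format, the user paths and the two benign control events are constructed; the task name, the C2 URIs, the IP and port 23929 come from the page, the Run key and User Shell Folders locations are standard Windows registry paths, and Add-MpPreference is assumed as the exclusion mechanism since the page does not state which command was used.

```python
"""Map constructed endpoint and network events to the MITRE techniques listed above.

Added example, not from the ANY.RUN write-up. The event format, user paths and
the two benign control events are constructed; the Defender exclusion cmdlet
(Add-MpPreference) is an assumed mechanism, not one the page confirms.
"""
from typing import Callable, List, Set, Tuple

# Simplified "type|image|detail" records standing in for Sysmon/EDR telemetry (constructed).
SAMPLE_EVENTS = [
    'ProcessCreate|C:\\Windows\\System32\\schtasks.exe|schtasks /create /tn "OfficeTrackerNMP131 HR" /tr "C:\\ProgramData\\OfficeTrackerNMP131.exe" /sc minute /mo 5',
    'ProcessCreate|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -Command Add-MpPreference -ExclusionPath C:\\Users\\admin',
    'RegistrySet|C:\\Users\\admin\\Downloads\\setup.exe|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Startup',
    'NetworkConnect|C:\\Users\\admin\\AppData\\Local\\Temp\\TzjwSXczmD2hOVANbz7L7Roc.exe|45.15.156.187:23929',
    'HttpRequest|C:\\Users\\admin\\Downloads\\setup.exe|POST http://185.216.70.235/api/tracemap.php',
    'ProcessCreate|C:\\Windows\\System32\\schtasks.exe|schtasks /query /tn "Microsoft\\Windows\\Defrag\\ScheduledDefrag"',  # benign control
    'NetworkConnect|C:\\Program Files\\Mozilla Firefox\\firefox.exe|203.0.113.5:443',                                      # benign control
]

# The page's HTTP C2 rides on ordinary ports; raw sockets to anything else deserve a look.
COMMON_PORTS = {80, 443, 8080, 8443, 53}
# URIs quoted in the write-up for PrivateLoader's HTTP C2.
C2_URIS = ("/api/tracemap.php", "/api/firegate.php")


def _port_of(endpoint: str) -> int:
    _, _, port = endpoint.rpartition(":")
    return int(port) if port.isdigit() else -1


# (event type, MITRE id, label, predicate over (image, detail))
Rule = Tuple[str, str, str, Callable[[str, str], bool]]
RULES: List[Rule] = [
    ("ProcessCreate", "T1053", "scheduled task created via schtasks",
     lambda img, d: img.lower().endswith("schtasks.exe") and "/create" in d.lower()),
    ("ProcessCreate", "T1562.001", "Defender exclusion added from PowerShell",
     lambda img, d: "powershell" in img.lower() and "mppreference" in d.lower() and "-exclusion" in d.lower()),
    ("RegistrySet", "T1547", "Run key or Startup folder location modified",
     lambda img, d: "\\currentversion\\run" in d.lower() or "user shell folders\\startup" in d.lower()),
    ("NetworkConnect", "T1571", "outbound connection on a non-standard port",
     lambda img, d: _port_of(d) not in COMMON_PORTS),
    ("HttpRequest", "T1071", "request to a C2 URI named in the report",
     lambda img, d: any(uri in d for uri in C2_URIS)),
]


def parse_event(line: str) -> Tuple[str, str, str]:
    etype, image, detail = line.split("|", 2)
    return etype, image, detail


def triage(events: List[str]) -> List[Tuple[int, str, str]]:
    """Return (event index, technique id, label) for every rule that fires."""
    hits: List[Tuple[int, str, str]] = []
    for idx, line in enumerate(events):
        etype, image, detail = parse_event(line)
        for rule_type, tid, label, pred in RULES:
            if rule_type == etype and pred(image, detail):
                hits.append((idx, tid, label))
    return hits


def techniques_hit(events: List[str]) -> Set[str]:
    return {tid for _, tid, _ in triage(events)}


if __name__ == "__main__":
    for idx, tid, label in triage(SAMPLE_EVENTS):
        print(f"[{tid}] event {idx}: {label}")
```

The port rule only catches the raw-socket traffic (RedLine's 23929, Socks5Systemz's custom ports); PrivateLoader's C2 and the stealer uploads travel over plain HTTP on standard ports and are invisible to it, which is why the URI rule exists alongside it. In production the schtasks and Add-MpPreference rules need an allow-list for legitimate administration, and the registry rule should also carry the value data so a redirected Startup folder pointing into a temp directory stands out from a normal profile path.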
Indicators of Compromise
- [Domains/URLs] distribution & download hosts – afashionstudio[.]com (release.rar), airfiltersing[.]com (redirect), and groups.google[.]com (initial post)
- [Shortened URL] initial lure – byltly[.]com/2wIwtU (redirects to malicious host)
- [IP Addresses] C2 and payload hosts – 185[.]216.70.235, 195[.]20.16.45 (and multiple other C2 IPs listed)
- [Filenames] delivered/executed artifacts – release.rar, setup.exe, updater.exe, OfficeTrackerNMP131.exe, TzjwSXczmD2hOVANbz7L7Roc.exe
- [File hashes] archive and payload MD5s – release.rar MD5 57AB5E01E6E92D13AE33E587004AD918; STOP sample MD5 89F6A0761EB024C46520A74ABB7868A9 (and other hashes listed)
- [Mutex/Artifact] ransomware mutex and extensions – mutex {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}, encrypted extensions .hhaz and .djvuu
In the observed technical procedure, the attack chain began with a user-driven download of a password-protected archive (release.rar) from malicious hosting domains; extracting and executing setup.exe launched a PrivateLoader instance that immediately fetched and executed multiple secondary payloads. PrivateLoader spawned additional loader instances and droppers that communicated with several C2 servers over HTTP (e.g., requests to “/api/tracemap.php” and “/api/firegate.php”), often sending Base64-encoded or encrypted blobs. Distinct payloads included Smoke (code injection into explorer.exe), RedLine (a .NET-based stealer using net.tcp to 45.15.156[.]187:23929), Lumma, Stealc, RisePro and Amadey (collecting browser data, system info and screenshots), Socks5Systemz (proxy-bot behaviour with GET/POST and non-standard-port traffic), and a miner disguised as updater.exe/WR64.sys.
Persistence and evasion techniques were implemented via scheduled tasks and startup entries (examples: GoogleUpdateTaskMachineQC, OfficeTrackerNMP131 tasks, LNK in Startup), registry modifications to redirect the Startup folder, and Defender exclusion commands to skip scanning user and Program Files paths. Infostealers packaged browser artifacts (Edge/Chrome/Firefox histories, Login Data, Cookies) into zip archives and exfiltrated them using multipart/form-data HTTP POSTs captured in PCAPs; analysts extracted these uploaded zip files from the PCAPs to reveal stolen content and system snapshots.
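The PCAP step above, pulling the uploaded archive back out of the multipart/form-data POST, is worth seeing in code. The following is an added example, not code from the ANY.RUN write-up: it builds a constructed request (the boundary, the Host address from the documentation range, the field name and the dummy ZIP with member names mirroring the browser artifacts listed) and then parses it back the way an analyst would parse a reassembled TCP stream.

```python
"""Carve a file upload out of a multipart/form-data HTTP POST.

Added example, not code from the ANY.RUN write-up: the request, boundary,
host IP and archive contents below are constructed to resemble the stealer
exfiltration traffic described, so the parser can be exercised offline.
"""
import io
import re
import zipfile
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class UploadedPart:
    name: str                    # form field name
    filename: Optional[str]      # present only for file parts
    content_type: Optional[str]
    data: bytes                  # raw part body, CRLF before the next delimiter removed


def _build_sample_zip() -> bytes:
    # Constructed stand-in for a stealer's staged archive: member names mirror the
    # browser artifacts named above, contents are dummy bytes, not real databases.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Chrome/Login Data", b"SQLite format 3\x00 (dummy)")
        zf.writestr("Chrome/Cookies", b"SQLite format 3\x00 (dummy)")
        zf.writestr("system_info.txt", b"OS: Windows 10 (constructed)\n")
    return buf.getvalue()


def build_sample_post(boundary: str = "----FormBoundaryDEMO") -> bytes:
    """Assemble a raw HTTP POST shaped like the exfiltration requests seen in the PCAPs (constructed)."""
    zip_bytes = _build_sample_zip()
    body = (
        f"--{boundary}\r\n"
        'Content-Disposition: form-data; name="file"; filename="upload.zip"\r\n'
        "Content-Type: application/zip\r\n\r\n"
    ).encode() + zip_bytes + f"\r\n--{boundary}--\r\n".encode()
    headers = (
        "POST /upload HTTP/1.1\r\n"
        "Host: 203.0.113.10\r\n"          # documentation-range address, not an IoC from the page
        f"Content-Type: multipart/form-data; boundary={boundary}\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    ).encode()
    return headers + body


_BOUNDARY_RE = re.compile(rb'boundary="?([^";\r\n]+)"?', re.IGNORECASE)
_NAME_RE = re.compile(rb'\bname="([^"]*)"', re.IGNORECASE)        # \b keeps it off "filename="
_FILENAME_RE = re.compile(rb'filename="([^"]*)"', re.IGNORECASE)
_CTYPE_RE = re.compile(rb'content-type:\s*([^\r\n]+)', re.IGNORECASE)


def parse_multipart_post(raw: bytes) -> List[UploadedPart]:
    """Split a raw HTTP request into its multipart parts (RFC 7578 framing, CRLF line ends)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker in request")
    m = _BOUNDARY_RE.search(head)
    if not m:
        raise ValueError("request is not multipart/form-data")
    delimiter = b"--" + m.group(1)
    parts: List[UploadedPart] = []
    for chunk in body.split(delimiter)[1:]:     # [0] is the preamble before the first delimiter
        if chunk.startswith(b"--"):
            break                                # closing delimiter "--boundary--"
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        part_head, sep, data = chunk.partition(b"\r\n\r\n")
        if not sep:
            continue
        if data.endswith(b"\r\n"):
            data = data[:-2]                     # this CRLF belongs to the framing, not the payload
        name = _NAME_RE.search(part_head)
        fname = _FILENAME_RE.search(part_head)
        ctype = _CTYPE_RE.search(part_head)
        parts.append(UploadedPart(
            name=name.group(1).decode() if name else "",
            filename=fname.group(1).decode() if fname else None,
            content_type=ctype.group(1).decode().strip() if ctype else None,
            data=data,
        ))
    return parts


def carve_zip_members(raw_post: bytes) -> List[str]:
    """Return the member names of every ZIP payload uploaded in the request."""
    names: List[str] = []
    for part in parse_multipart_post(raw_post):
        if part.data.startswith(b"PK\x03\x04"):  # ZIP local-file-header magic
            with zipfile.ZipFile(io.BytesIO(part.data)) as zf:
                names.extend(zf.namelist())
    return names


if __name__ == "__main__":
    request = build_sample_post()
    for p in parse_multipart_post(request):
        print(f"field={p.name!r} filename={p.filename!r} type={p.content_type!r} size={len(p.data)}")
    print("archive members:", carve_zip_members(request))
```

Against a real capture the input to parse_multipart_post is the reassembled client-to-server TCP stream (Wireshark's "Follow TCP Stream" raw export, or a tshark/scapy reassembly), and the member list is usually enough on its own to confirm what a stealer took without opening the databases. Checking the ZIP magic rather than trusting the declared Content-Type matters because the stealers here name the field and type however they like.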
Finally, the STOP/DJVU ransomware component executed later (with flags indicating Admin/AutoStart behavior), created geo and ID artifacts (geo[1].json, generated ID based on MAC MD5), and appended file extensions such as .hhaz while embedding a mutex to avoid double-encryption; a ransom note (_readme.txt) and decryption video link were dropped for the victim. Read more: https://any.run/cybersecurity-blog/crackedcantil-breakdown/