Overview

overview

10

Static

static

3

e25cbaf3f1...18.exe

windows7-x64

10

e25cbaf3f1...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    06-04-2024 10:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e25cbaf3f12e860c2ab4654d70902e67_JaffaCakes118.exe

  • Size

    630KB

  • MD5

    e25cbaf3f12e860c2ab4654d70902e67

  • SHA1

    ccb92bcfd20f2dd2653d6949b8868249a9dc89ab

  • SHA256

    f3c94062ec97824744849119db80e25f7ff29eb464996484f91f87d5c923e7eb

  • SHA512

    0f3fb1ef18402e2af5aa01f5ab9db36b2a1e547ebf4bf8b6d69d6fa7239b4ec4c7374160c750ad9d316edc14011fe7675f2f56a49cd5ff6058eb72365af4bca6

  • SSDEEP

    12288:GR/JZdzym/dZbUOEq8tftv0InEmkXwoE:GRRZdmmVZbuDlsInEVXw

Score
10/10
cryptbotdiscoveryspywarestealer

Malware Config

Extracted

Family

cryptbot

C2

ewakyc72.top

moraiw07.top
Attributes
  • payload_url

    http://winfyn10.top/download.php?file=lv.exe

Signatures

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • CryptBot payload 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of FindShellTrayWindow 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e25cbaf3f12e860c2ab4654d70902e67_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e25cbaf3f12e860c2ab4654d70902e67_JaffaCakes118.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious use of FindShellTrayWindow
    PID:2032

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3i3LyraoFYj\2u5PGZfIps.zip
    Filesize

    36KB

    MD5

    b07c5c274abf215505c2ed658db4d34d

    SHA1

    65ff24cc86dfe6537a0daebf4b14bf98be2203bd

    SHA256

    55501d663548609b496d2f1b1d0c13491f6a7045d300a7a05f9fdaf79ea46730

    SHA512

    6ba6d813c529343ab86f9e96d7ef4caca9577dfe11d07362b531b4bbc033fb98192be304e4fcfaa90b3f55decff7769e0ba8e2cfa9bf5e1608f592c8b9ea6310

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\3i3LyraoFYj\_Files\_Information.txt
    Filesize

    1KB

    MD5

    99c3646cd7947355364276aeb107954a

    SHA1

    53f5510f3115ee50befb1776576142bf76aa4052

    SHA256

    b08278f6d137d8f12344bdfb3414aaf65205211e14717b7b5c731fce41718b92

    SHA512

    4e097e977a4ba957c51c5f397161bb45a6069d47898985d0f5b8e41ef4c97889cb5a4ec41ab649699d5d93153ba491b40dbe86e54c747f7d6341954a64b2c455

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\3i3LyraoFYj\_Files\_Information.txt
    Filesize

    3KB

    MD5

    01c6ee1809b36278b64f449cc4fd0f89

    SHA1

    534d4bc2e99c7c2f446db3c233b0462b059643e3

    SHA256

    ce8fd3c8b64869d81b9e54f50f15fc8d17093889f3800f92d1c378303250172e

    SHA512

    90de0296f57002cd24dadf2c0773b764de983a82f1a01710952d57b55f3f69b3711d971f87b0680038fddda970de735f524b095fc3f0a6e19f3b59aed6071de9

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\3i3LyraoFYj\_Files\_Information.txt
    Filesize

    4KB

    MD5

    672e4e75fe116ca3335fe8a8c95f3be4

    SHA1

    81741828b637d29b325fc73e01bfbcfa0ef47787

    SHA256

    761d02fec261e1ac9cc7a9c39d9264a2085b54e02b1d71044157afe51e490d8f

    SHA512

    4373edbecb8bd5a4f6f44bf76057dbe78826bb5eb60ed05408d57fb238b289a62942f9eb8f9e6c54d66b5c9fde5ca89ffad921265f2edab44d428c976deebfe2

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\3i3LyraoFYj\_Files\_Screen_Desktop.jpeg
    Filesize

    43KB

    MD5

    f3211ee825ac93c89381ba46c763b361

    SHA1

    3b7aea6f92a50c78cd58aa3413cbe155da699d7b

    SHA256

    2928c085246bce1687cd65a31d53f5a756a08ce0245bb4a850533ab4270fd8dc

    SHA512

    97853ccfac5d37ad872ffa74e207743023107b453e33460ce8bfca39171354d130b8bac52058710ce15c391ff23c3441f5a084e6a3eb54743ebe91bf94bd2088

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\3i3LyraoFYj\files_\system_info.txt
    Filesize

    1KB

    MD5

    8cf9378cf2f175d7e0a0d8ce0ad9b026

    SHA1

    afcc9677e27272a9b2ffd4a9df60f9a7412062ae

    SHA256

    616d5a6de69846cf3f4349322f9dc1a13e3eca01459be5cc01df98d244ac2752

    SHA512

    8289abd8bd490dda1dd07c09cd4df744ff51be15c58058b651945da9b7057e95760c1178d3aec5afcfeb23027f4bd149da5653416a45fd1ce8844b31842c9f13

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\3i3LyraoFYj\files_\system_info.txt
    Filesize

    3KB

    MD5

    2b0d347a9724ceb667ed19f0ce346ecc

    SHA1

    971d2813cdff46f3f29fe43736bf9af62be7e70e

    SHA256

    0b32db3f354e8af5e7e8cd6ff8e851fcda5849cccc15c2e02719834c7c7bf282

    SHA512

    8b3dc16a98dba6e4e6d985d8e4d07d20af6713bce832dc9854f582298ec90b10c4566c3fcbe3486ca396e641f287b2f1449ca4ad56af889ceba109f77d338bc1

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\3i3LyraoFYj\files_\system_info.txt
    Filesize

    3KB

    MD5

    bc2bc12882c50a7088d941a8234d5b6c

    SHA1

    3e058b28bcaa24b5cd3b8e0f514420b98b8175ee

    SHA256

    733d278a5ca92a650e025f1b75ffb6edfc686e1e3908a87909c9188679e9d71a

    SHA512

    2a972d39fe7280b3524c0be7d37570b804d1b45e3fa7463bd128a85a89a8405da059a170b9d8c2339f94b712479d33c1e531dbb14be9bd9f00540024328e14f2

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\3i3LyraoFYj\files_\system_info.txt
    Filesize

    3KB

    MD5

    8a71e3a152463a6cc68118fbbfad6042

    SHA1

    e4a7bd9cb6cbee004c34119c200a0cc096cd9143

    SHA256

    82a5db7eb4e7fa8318f585d4c3b1e6a4bea334cc6e29e3a3f64bef5b1b8f2df1

    SHA512

    28f6f3361d0c60796989e5ae7d8bd03423fe919d4456cccbe544972a8899b4bfb0e287a48a66a7fd2ccdb997875181ceba7c5c1596bca0dc99a38783355241b4

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\3i3LyraoFYj\files_\system_info.txt
    Filesize

    4KB

    MD5

    5cc53c39417dcffba9d44bedceaf50a5

    SHA1

    b8645c356832b5b9c9ae1cb2baa463a4bf18a875

    SHA256

    f12e4d66ae3a00d6e2c52276349498eb1881c3a5dfbe60c9f6bd4ecbf7c8351f

    SHA512

    18f59782b032066bbe985d2f3b0774d8167eb377a2da0dbc5ea17a792c9802edcd00d2afb73dd58fb2364f11d5b65e3d9b55073fbfa6a3a9c221d9c73bea2c4a

    Download Submit
  • memory/2032-4-0x00000000014F0000-0x00000000014F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2032-3-0x0000000000400000-0x000000000146F000-memory.dmp
    Filesize

    16.4MB

    Download
  • memory/2032-1-0x0000000001510000-0x0000000001610000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/2032-221-0x0000000000400000-0x000000000146F000-memory.dmp
    Filesize

    16.4MB

    Download
  • memory/2032-223-0x0000000001510000-0x0000000001610000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/2032-226-0x00000000014F0000-0x00000000014F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2032-2-0x0000000000350000-0x00000000003F0000-memory.dmp
    Filesize

    640KB

    Download