General

  • Target: e882a1dd4b17dc254c6480775eacc7bc_JaffaCakes118
  • Size: 1.7MB
  • Sample: 240408-1tmmtsch95
  • MD5: e882a1dd4b17dc254c6480775eacc7bc
  • SHA1: 0f0b5c5dbc4cd3e02009f774e352808712ed607b
  • SHA256: fcd0904bb17ffe18d018643fc90e7e02889c529b529a8a88e7c527403874379f
  • SHA512: bb9675f4a9b37e63163c9d810baa3ed1ec3a192b117543aad85ff9a04b07d6aedd80a6d090e623dd583838287f1aa8f0731627f838508a4dbe4bf044c01857fe
  • SSDEEP: 49152:fUKc27m5MIBgW8kLYhNI55KYCOqSwh7Q:fUKcTeIJMk+L9

Malware Config

Extracted

  • Family: cryptbot
  • C2: smainz71.top, moriwi07.top
  • Attributes
    • payload_url: http://guruzo10.top/download.php?file=lv.exe

Targets

    • Target: e882a1dd4b17dc254c6480775eacc7bc_JaffaCakes118

    • CryptBot

      A C++ stealer, widely distributed bundled with other software.

    • CryptBot payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

    • Target: Inespresso.xlm
      • Size: 872KB
      • MD5: cf31bde37831552fab013aaf8c9f4be6
      • SHA1: 159fc03c0d082e6c110afa148e7300354015100c
      • SHA256: bd6b8c5d28904d2b863702b1903f7a916b1233675e3b2a57330855de90e335cd
      • SHA512: b3e543eef5d17165aed0b608a32c66149660bdf763f507063304e893d74132e167e3e28df8ff32a0e6dce01d3843a5a5c14a0c6754e131cf82c6efe618ed0c1b
      • SSDEEP: 12288:8pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:8T3E53Myyzl0hMf1tr7Caw8M01
      • Score: 1/10

    • Target: Nemica.xlm
      • Size: 894KB
      • MD5: a04bbed6affbcb15ccce225509cd9ca1
      • SHA1: a7db9bd56c0abeb9c15fc0deae26c445db95073f
      • SHA256: 27f09926063ca744ba9f0afb85d45df7b4165f757a1ec88a6f68411591c9e005
      • SHA512: 963ef7669e8b1b3eed613da2edd00abb54d5854d2ec93eafcfafa2eaa9f4766b72edecc37134f59727fe1622b59f435583bcc3eecae500cc1e6a2b703f870aa9
      • SSDEEP: 24576:LsahnkIOrsrSLe4wP57uKCHvOmTYfSSFVQ8y:bk5s00P5aKOvOFSSFVQd
      • Score: 1/10

    • Target: Ora.xlm
      • Size: 456B
      • MD5: 18b24f12fdd4bd6d5efb8cfbdb678913
      • SHA1: f5c907df748cce46ed713cae112c5db4a36ba040
      • SHA256: 560533a9c03a9ec0befcfe79bbda4af6302b57a567eff87f0a8b74043b427340
      • SHA512: c2d019d4e6fbdf22809914d8cd15570f9ac64c0f5cb3bdcbcbb346fa3c1082a564926ceb058337f32c6897f0a620203f2d296bae65516a3dc5436cac2098781a
      • Score: 1/10

    • Target: Sara.xlm
      • Size: 648KB
      • MD5: ba75521f7c6ecec854204a48473fbdca
      • SHA1: c07e7a94203325034a513e93edd5da776e6546a2
      • SHA256: 1b20777078d78e8af6cce703229ee3a1d890f5a91e192923a4ef9c6b64336b25
      • SHA512: 41cb3346993b18a17d395bad25291882cdd2d4b91dce587c4397a8d952e71f6593b13d1c73d6b578c54ac9ba50b93e6c4f4d8247cfc5b5f0546de8f8c94f4a2a
      • SSDEEP: 6144:I0UV2T1RP49ZEfDGCnafNYS2R74NGSjrhtmrJuiWQvchSgbJb8BdqGsuYZVDuXDX:Z1tEcBQGKrhZiLsdaqTz6KqR
      • Score: 1/10

MITRE ATT&CK Matrix ATT&CK v13

Persistence
  • T1547 Boot or Logon Autostart Execution (1)
  • T1547.001 Registry Run Keys / Startup Folder (1)

Privilege Escalation
  • T1547 Boot or Logon Autostart Execution (1)
  • T1547.001 Registry Run Keys / Startup Folder (1)

Defense Evasion
  • T1112 Modify Registry (5)

Credential Access
  • T1552 Unsecured Credentials (2)
  • T1552.001 Credentials In Files (2)

Discovery
  • T1012 Query Registry (11)
  • T1082 System Information Discovery (11)
  • T1018 Remote System Discovery (1)

Collection
  • T1005 Data from Local System (2)