Analysis

- max time kernel: 148s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-04-2024 23:22

Behavioral task: behavioral1
- Sample: e8abf51b99ff390aad5f8044e88ac806_JaffaCakes118.exe
- Resource: win7-20240220-en
General

- Target: e8abf51b99ff390aad5f8044e88ac806_JaffaCakes118.exe
- Size: 2.5MB
- MD5: e8abf51b99ff390aad5f8044e88ac806
- SHA1: 0004179b8721abb457d17c6ede713ddb1152640a
- SHA256: 8a7ab275acf36cb7306f18f953b72f45213904632243a8290d8868008b5f4ae2
- SHA512: a01cb76c58a3cd1d96fdb128ea9707e4af163b2531980c1b5b07826fdd2456e1e95fadc31317456eba13d9a4bf74e22f222817e48033194833927bb74a531c87
- SSDEEP: 49152:okFvNW035OI9Q/RKs2f8I08WWKH9FXBj0EjtCOmHgYxrhebg+b:ooNxJO0Q6E/8WN9j0iDmHgYObVb
Malware Config

Extracted: cryptbot
- veotyc21.top
- morpib02.top
- payload_url: http://tynoev02.top/download.php?file=lv.exe
Signatures

- Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs, 1 IoC]
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | e8abf51b99ff390aad5f8044e88ac806_JaffaCakes118.exe

- Checks BIOS information in registry [2 TTPs, 2 IoCs]
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | e8abf51b99ff390aad5f8044e88ac806_JaffaCakes118.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | e8abf51b99ff390aad5f8044e88ac806_JaffaCakes118.exe

- Reads user/profile data of web browsers [2 TTPs]
  Infostealers often target stored browser data, which can include saved credentials etc.
  Processes (resource | yara_rule):
    behavioral2/memory/3048-0-0x0000000000400000-0x0000000000A8F000-memory.dmp | themida
    behavioral2/memory/3048-2-0x0000000000400000-0x0000000000A8F000-memory.dmp | themida
    behavioral2/memory/3048-3-0x0000000000400000-0x0000000000A8F000-memory.dmp | themida
    behavioral2/memory/3048-114-0x0000000000400000-0x0000000000A8F000-memory.dmp | themida
    behavioral2/memory/3048-116-0x0000000000400000-0x0000000000A8F000-memory.dmp | themida
    behavioral2/memory/3048-119-0x0000000000400000-0x0000000000A8F000-memory.dmp | themida
    behavioral2/memory/3048-122-0x0000000000400000-0x0000000000A8F000-memory.dmp | themida
    behavioral2/memory/3048-125-0x0000000000400000-0x0000000000A8F000-memory.dmp | themida
    behavioral2/memory/3048-129-0x0000000000400000-0x0000000000A8F000-memory.dmp | themida
    behavioral2/memory/3048-132-0x0000000000400000-0x0000000000A8F000-memory.dmp | themida
    behavioral2/memory/3048-135-0x0000000000400000-0x0000000000A8F000-memory.dmp | themida
    behavioral2/memory/3048-138-0x0000000000400000-0x0000000000A8F000-memory.dmp | themida
    behavioral2/memory/3048-141-0x0000000000400000-0x0000000000A8F000-memory.dmp | themida
    behavioral2/memory/3048-144-0x0000000000400000-0x0000000000A8F000-memory.dmp | themida
    behavioral2/memory/3048-147-0x0000000000400000-0x0000000000A8F000-memory.dmp | themida
    behavioral2/memory/3048-150-0x0000000000400000-0x0000000000A8F000-memory.dmp | themida
    behavioral2/memory/3048-153-0x0000000000400000-0x0000000000A8F000-memory.dmp | themida

- Accesses cryptocurrency files/wallets, possible credential harvesting [2 TTPs]

- Checks installed software on the system [1 TTP]
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | e8abf51b99ff390aad5f8044e88ac806_JaffaCakes118.exe

- Suspicious use of NtSetInformationThreadHideFromDebugger [1 IoC]
  Processes (pid | process):
    3048 | e8abf51b99ff390aad5f8044e88ac806_JaffaCakes118.exe

- Enumerates physical storage devices [1 TTP]
  Attempts to interact with connected storage/optical drive(s).

- Checks processor information in registry [2 TTPs, 2 IoCs]
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | e8abf51b99ff390aad5f8044e88ac806_JaffaCakes118.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | e8abf51b99ff390aad5f8044e88ac806_JaffaCakes118.exe

- Suspicious behavior: EnumeratesProcesses [2 IoCs]
  Processes (pid | process):
    3048 | e8abf51b99ff390aad5f8044e88ac806_JaffaCakes118.exe
    3048 | e8abf51b99ff390aad5f8044e88ac806_JaffaCakes118.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\e8abf51b99ff390aad5f8044e88ac806_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e8abf51b99ff390aad5f8044e88ac806_JaffaCakes118.exe"
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Checks whether UAC is enabled
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Checks processor information in registry
   - Suspicious behavior: EnumeratesProcesses
Network

MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

- C:\Users\Admin\AppData\Local\Temp\EsKCUGGnY\TXCiolsjBdfdC.zip
  Filesize: 51KB
  MD5: 815a4dd361e62e82b62355aee8d48ad0
  SHA1: 141fb85b0a60ca0c1f1994e3fdfb7538b50e9c76
  SHA256: 43bba85c5993ffd7885855f33ecdd29c6a18e829078e9352495ccc84fb94f75c
  SHA512: ba3e835772551132c2a5d15b28ebfbf215419ab96749eef84c2833109bdc90f1ffa9d602b797e1bae2c698a5b5921bf716201a49df775fffef62437bc4afd46b

- C:\Users\Admin\AppData\Local\Temp\EsKCUGGnY\_Files\_Information.txt
  Filesize: 3KB
  MD5: ce3767e4f84dbb50ff1f5f3508746095
  SHA1: aa20fe7a77351b63132a48b7ce13908aca909324
  SHA256: a6b3aa58a8e134ced437f81732289e1856cc1c321c3e8ab0f4a8edcc68df208b
  SHA512: a0f5ab2246e6c6358851551dda1124764f374a08b6cb87907aaecf1b70fb42b278c0c3690fe961eda9e9659543108bb29ed0d6fe761d8128ade98c1ca10b339b

- C:\Users\Admin\AppData\Local\Temp\EsKCUGGnY\_Files\_Information.txt
  Filesize: 4KB
  MD5: 72e2c62ffec6aa687fd2255008902de8
  SHA1: 5c94324bfa40725014bcef9939e2d0c6e172f5cf
  SHA256: 28e1efe9060a47baa8dc005734454dc587576612229df52dfe83f5b7975f1fdc
  SHA512: 6a211cc1c075cf2f1f8591d2fefa77ae93d976bab4f0cda52d174757a46cbf57d0b3850591fe4ab90e201eaf9e30e6b68d45777a873b557cba214408e2a856b2

- C:\Users\Admin\AppData\Local\Temp\EsKCUGGnY\_Files\_Screen_Desktop.jpeg
  Filesize: 56KB
  MD5: ff78f9185b9ee7ea0e9adf576979743b
  SHA1: ad4e70a602d6e2bc0719ed9493f2c9ac384d5d3d
  SHA256: e2a4c157fabf6642882fd6d22c2f083dc21a2b4a6867ca2245ef2b6609042cbc
  SHA512: 83c034a41c12fbc6c5765173b623f845e63c29c9bec7f7194e50047ff28153e49069241a1d4147e322d0e5eaa3a748e008ce2bfd4b7df86436c44b543bca9f72
Memory dumps (resource | Filesize):
- memory/3048-119-0x0000000000400000-0x0000000000A8F000-memory.dmp | 6.6MB
- memory/3048-129-0x0000000000400000-0x0000000000A8F000-memory.dmp | 6.6MB
- memory/3048-2-0x0000000000400000-0x0000000000A8F000-memory.dmp | 6.6MB
- memory/3048-114-0x0000000000400000-0x0000000000A8F000-memory.dmp | 6.6MB
- memory/3048-116-0x0000000000400000-0x0000000000A8F000-memory.dmp | 6.6MB
- memory/3048-1-0x00000000774A4000-0x00000000774A6000-memory.dmp | 8KB
- memory/3048-0-0x0000000000400000-0x0000000000A8F000-memory.dmp | 6.6MB
- memory/3048-122-0x0000000000400000-0x0000000000A8F000-memory.dmp | 6.6MB
- memory/3048-125-0x0000000000400000-0x0000000000A8F000-memory.dmp | 6.6MB
- memory/3048-3-0x0000000000400000-0x0000000000A8F000-memory.dmp | 6.6MB
- memory/3048-132-0x0000000000400000-0x0000000000A8F000-memory.dmp | 6.6MB
- memory/3048-135-0x0000000000400000-0x0000000000A8F000-memory.dmp | 6.6MB
- memory/3048-138-0x0000000000400000-0x0000000000A8F000-memory.dmp | 6.6MB
- memory/3048-141-0x0000000000400000-0x0000000000A8F000-memory.dmp | 6.6MB
- memory/3048-144-0x0000000000400000-0x0000000000A8F000-memory.dmp | 6.6MB
- memory/3048-147-0x0000000000400000-0x0000000000A8F000-memory.dmp | 6.6MB
- memory/3048-150-0x0000000000400000-0x0000000000A8F000-memory.dmp | 6.6MB
- memory/3048-153-0x0000000000400000-0x0000000000A8F000-memory.dmp | 6.6MB