Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-04-2024 02:16
- Static task: static1
- Behavioral task: behavioral1
- Sample: e667be12287ccb2fddbc1644e0b4ec76_JaffaCakes118.exe
- Resource: win7-20240221-en
General
- Target: e667be12287ccb2fddbc1644e0b4ec76_JaffaCakes118.exe
- Size: 768KB
- MD5: e667be12287ccb2fddbc1644e0b4ec76
- SHA1: 7b4a31d9d7cef13d648b3fa51c547fcb23c66b8d
- SHA256: c6145d071ca19409a854d7c94cd3da92a50db5561a747ea29fda9e7a734678f1
- SHA512: 82ecef0e88aca89efac381dde32f201553b8a770e480ba9c851c493fd6fa2e10a4eac933581b0e61269a3f653748a8688c87493a316a3de84ae0081cfaa4cd59
- SSDEEP: 12288:k0B3qFl33VV2yJYhm1M4GBJQnX1cOW1y40KJnmSjLbzAqMCvKOnxEuui:nBKf20wmy4IZv1V06nmSLzAzF8xEX
Malware Config
Extracted: cryptbot
- ewadmw53.top
- morexn05.top
- payload_url: http://winorm07.top/download.php?file=lv.exe
Signatures
- CryptBot payload (4 IoCs)
  Processes:
  resource | yara_rule
  behavioral2/memory/4848-2-0x0000000005000000-0x00000000050E1000-memory.dmp | family_cryptbot
  behavioral2/memory/4848-3-0x0000000000400000-0x00000000032BC000-memory.dmp | family_cryptbot
  behavioral2/memory/4848-228-0x0000000000400000-0x00000000032BC000-memory.dmp | family_cryptbot
  behavioral2/memory/4848-230-0x0000000005000000-0x00000000050E1000-memory.dmp | family_cryptbot
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: e667be12287ccb2fddbc1644e0b4ec76_JaffaCakes118.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | e667be12287ccb2fddbc1644e0b4ec76_JaffaCakes118.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoCs)
  Processes: WerFault.exe
  pid | pid_target | process | target process
  4016 | 4848 | WerFault.exe | e667be12287ccb2fddbc1644e0b4ec76_JaffaCakes118.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: e667be12287ccb2fddbc1644e0b4ec76_JaffaCakes118.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | e667be12287ccb2fddbc1644e0b4ec76_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | e667be12287ccb2fddbc1644e0b4ec76_JaffaCakes118.exe
- Delays execution with timeout.exe (1 IoCs)
  Processes: timeout.exe
  pid | process
  964 | timeout.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: e667be12287ccb2fddbc1644e0b4ec76_JaffaCakes118.exe
  pid | process
  4848 | e667be12287ccb2fddbc1644e0b4ec76_JaffaCakes118.exe
  4848 | e667be12287ccb2fddbc1644e0b4ec76_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: e667be12287ccb2fddbc1644e0b4ec76_JaffaCakes118.exe, cmd.exe
  description | pid | process | target process
  PID 4848 wrote to memory of 1360 | 4848 | e667be12287ccb2fddbc1644e0b4ec76_JaffaCakes118.exe | cmd.exe
  PID 4848 wrote to memory of 1360 | 4848 | e667be12287ccb2fddbc1644e0b4ec76_JaffaCakes118.exe | cmd.exe
  PID 4848 wrote to memory of 1360 | 4848 | e667be12287ccb2fddbc1644e0b4ec76_JaffaCakes118.exe | cmd.exe
  PID 1360 wrote to memory of 964 | 1360 | cmd.exe | timeout.exe
  PID 1360 wrote to memory of 964 | 1360 | cmd.exe | timeout.exe
  PID 1360 wrote to memory of 964 | 1360 | cmd.exe | timeout.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\e667be12287ccb2fddbc1644e0b4ec76_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e667be12287ccb2fddbc1644e0b4ec76_JaffaCakes118.exe"
   - Checks computer location settings
   - Checks processor information in registry
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\apHveiPeFIWsF & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\e667be12287ccb2fddbc1644e0b4ec76_JaffaCakes118.exe"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\timeout.exe
         Command line: timeout 3
         - Delays execution with timeout.exe
   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 1304
      - Program crash
1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4848 -ip 4848
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\apHveiPeFIWsF\BFONLK~1.ZIP
  Filesize: 867KB
  MD5: 6fd2c5feb27cd81752775996baa918a9
  SHA1: 147bb5dde0a65da47318a05e0aeb914537482598
  SHA256: 4f6fed26c1e9a71143d4784a609ffea61ecd6b94ae577379b7a9e5cb8b3bc0f6
  SHA512: a4d839135dc40d438ed99e4264c1e4f14258ed3bd83b45bd0722035d94edb36e2a5f6997c8b32546868d7ea95a6bf9a987a76f1ff9e8219615a507fd87468269
- C:\Users\Admin\AppData\Local\Temp\apHveiPeFIWsF\WPMQBA~1.ZIP
  Filesize: 867KB
  MD5: 570212bf3a8ec7407c5ca1b8af51742d
  SHA1: 5b91b6cbd61a99bf3c665a213a1b070fe340a7f7
  SHA256: 6a7ff2880eae8f2f2b0bfec0f5a6bdd281d163aef2b69b0facca5f3cdb81bbbc
  SHA512: 4bf4928e568fefd7fbaf547e7d8b15652cb4287720d237fa20d6ec886f1a262b4b7c1759f18af385bb76b1501377bbf5ecf5a6770731e77f203ecda130b3d29a
- C:\Users\Admin\AppData\Local\Temp\apHveiPeFIWsF\_Files\_Files\GrantSubmit.txt
  Filesize: 822KB
  MD5: 6a0587c3738a8137627530eeda52c628
  SHA1: 15ec1915cdf9983ec505d493420d70b1f1163c20
  SHA256: d608b8002a27a6b9e522846a82812e20d511e376509f35232215e2314fab336c
  SHA512: 5669fb2b5e0990acbb5d719df4d2963fc5ee993de1557335cdbcbcb8aa96c5a13b6a01c7c57f7727d285183a6273ee4802886c126b4a7689ab5864e91ee3ab6a
- C:\Users\Admin\AppData\Local\Temp\apHveiPeFIWsF\_Files\_Information.txt
  Filesize: 2KB
  MD5: b2d9e0df087e2b5ba8b95ad1875670a2
  SHA1: 297f4f55504e087fa56558417644681928fd2947
  SHA256: ce7a7b988c8fc923610e15c9298e1a6f21b5bbd8439b7f6983b86f5a241c487f
  SHA512: 0bd459b2d4aa3fc0962da9a7f56b1de08d1d3ac682b8a86dd601c9c5f6278ef93fef292c0ce51132b81232deb989214be9c335029a82192dcc7d75dbbede7caf
- C:\Users\Admin\AppData\Local\Temp\apHveiPeFIWsF\_Files\_Information.txt
  Filesize: 7KB
  MD5: dca3fcf4dfbe93b3c88e16ebc6dfb029
  SHA1: 94349eef2d9e17f3482a6dc87b80ffd610c17e9a
  SHA256: 8463ed6d872d7c23c517a71229197d61d4d2c315f37b8f320bd0ab15cb8d12d7
  SHA512: db713843b7d5c385ab25ed65d3aa70287dbf496c341ea6f5a985773dce73383f4586018bc3738ca2c3a77e2987bd7ab37359099dc1110d180df98986c216114f
- C:\Users\Admin\AppData\Local\Temp\apHveiPeFIWsF\_Files\_Screen_Desktop.jpeg
  Filesize: 49KB
  MD5: 9bbd99871a296abc9aeeaca810f62ead
  SHA1: 7ab634eda3d96ef94b7400674eb971b93a2aee94
  SHA256: 58021ff051a65ebe183efee5a4fb1db9ada496894a767e592ae3552a30f6536f
  SHA512: 6e05c64a1d1d5b197af131d8aec868038b15402d1003d79379a47030a1291eb24c9e75ba4eeef93497422488f5bb764b0d8bcc1b1fe45ad16794fc4992d93c55
- C:\Users\Admin\AppData\Local\Temp\apHveiPeFIWsF\files_\system_info.txt
  Filesize: 1KB
  MD5: 3e4e3fccf66716a3568f3f4e3a88ef0d
  SHA1: 2203b16103274c787ed6fdfb75a34c3ab5cdce7e
  SHA256: 1ad7bd5158fab69f8b7fec5fb926258b75217e74a6c7f00a1ce72a45a3f32fb0
  SHA512: 6dacb5713bc823187bc8dbabf0a53be10cce3ecef3d5c6152d474c8f8e8a952c3a04f3d93aa708a85b5c238ba0b54595c6ae4affb48545d0ed2c4d65bb99033f
- C:\Users\Admin\AppData\Local\Temp\apHveiPeFIWsF\files_\system_info.txt
  Filesize: 2KB
  MD5: 9396f6843fe636d2f8aaf999cdfc170c
  SHA1: f16246187604e6d0abe036253e0172772b4fe737
  SHA256: 6b2c883415524b7ec36e25e955cee43641355f755206a8651b3c467f96cf454a
  SHA512: 3282f5ba198e545aca2d440e5fe8c8661fe2d50cc74bf523d31d16134c6a60abf39710ec7a981e65ce44d1961bd67ea70203d5089604a3685051e403ad461dc9
- C:\Users\Admin\AppData\Local\Temp\apHveiPeFIWsF\files_\system_info.txt
  Filesize: 7KB
  MD5: 1651131e966f925ecc063e64db4d9162
  SHA1: 57384bc1f7637068c70f2372f043eb7976552bb5
  SHA256: f788f010acb7d82f6ed69152464147cc30c2504df7f1cd2b88aa8d068c886ee0
  SHA512: 2dfa540d7577df58a244f25cdfce453eeaaf1b047c88a36684f55bdf8b115a9d4381c5ba4cf5eab2efd5dc473c8e9cd3bfdb3a6fccb4b40a4d76274a7a8f48a8
- memory/4848-2-0x0000000005000000-0x00000000050E1000-memory.dmp
  Filesize: 900KB
- memory/4848-3-0x0000000000400000-0x00000000032BC000-memory.dmp
  Filesize: 46.7MB
- memory/4848-1-0x00000000032E0000-0x00000000033E0000-memory.dmp
  Filesize: 1024KB
- memory/4848-228-0x0000000000400000-0x00000000032BC000-memory.dmp
  Filesize: 46.7MB
- memory/4848-230-0x0000000005000000-0x00000000050E1000-memory.dmp
  Filesize: 900KB