Analysis

  • max time kernel
    165s
  • max time network
    173s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-04-2024 15:48

General

  • Target
    eb6b6b4f0970c825bbde733784027a52_JaffaCakes118.exe
  • Size
    3.0MB
  • MD5
    eb6b6b4f0970c825bbde733784027a52
  • SHA1
    33e928ccbe9fb3088a0e94ece28b39cc9ccac8ef
  • SHA256
    c9cf9521886aaa99c317b33c9fd5a8f82be1fe61d8616bc6ce8a10c4d26b6e21
  • SHA512
    debe1809b3f8d0011979a852bc6dd7c63ea1e1b1648c66f1db611caf27ac5c988c384bdfaebaef8f59fc1750954675270057e1949917752b38ea7baad6fa24d6
  • SSDEEP
    49152:RPO2xOD0wD6XH67JeVIE1iplrlhwaT4dn/kFjkOWS356NhOHYGWOBJZ8bCd4YIg:R22a0oJeKEwBln4dcFjCC6NhEvWOvk

Malware Config

Extracted

  • Family
    cryptbot
  • C2
    bundky32.top
    morfug03.top
  • Attributes
    payload_url: http://tobhay04.top/download.php?file=lv.exe

Signatures

  • CryptBot

    A C++ stealer that is widely distributed bundled with other software.

  • CryptBot payload 8 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Themida packer 10 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eb6b6b4f0970c825bbde733784027a52_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\eb6b6b4f0970c825bbde733784027a52_JaffaCakes118.exe"
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    PID:2420

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Defense Evasion
    Virtualization/Sandbox Evasion (T1497): 1
  • Credential Access
    Unsecured Credentials (T1552): 3
    Credentials In Files (T1552.001): 3
  • Discovery
    Query Registry (T1012): 4
    Virtualization/Sandbox Evasion (T1497): 1
    System Information Discovery (T1082): 4
  • Collection
    Data from Local System (T1005): 3

Downloads

  • C:\Users\Admin\AppData\Local\Temp\TouomNrqr\_Files\_Information.txt
    Filesize: 8KB
    MD5: 843d34957b75928c2fc0b98da004e564
    SHA1: 3a8a48f24954f19a28390a70830ea692e1f31a13
    SHA256: 928e33bbf8a84cdb5fe894faecf646d771990fccb938653d637da94a0a063382
    SHA512: b61cf1974af0fdddbe6cbbc503dbfba9017c2c57183a2068f784d0c9565b87a9ced497cd46c4da6d8e3235c98e7f095efd8c6fe61ca939ea0c90ccf9c6741b8b

  • C:\Users\Admin\AppData\Local\Temp\TouomNrqr\_Files\_Screen_Desktop.jpeg
    Filesize: 51KB
    MD5: 0dfe9f34f0e57796f84d498e4464c646
    SHA1: 0bd779c9671471be6d6e0b27491fe4d70b8046e9
    SHA256: a3e10f71598857033faf857896df1f80ffac7ebf25269ba073ae43c8e9b5bc93
    SHA512: b6923b50004bf21fdab61f4c0d6207aac04ef3bbd01d9a29d9cc452f455b0320220544b064133a19830b49362208af6117252551c601c9046f483e2d8c1e1a6c

  • C:\Users\Admin\AppData\Local\Temp\TouomNrqr\files_\system_info.txt
    Filesize: 744B
    MD5: 8345caf5712822c8cc33cf2999417969
    SHA1: d150e6151837a6ab997863500d455284e2188fd0
    SHA256: 5b662ad03c07d527dacdbe4210fff53465f3aeebde4e61ee67db7367bb202f38
    SHA512: 06cf94a9fe770f348124facb7e472754e64bf9337ccee96aa603bcf62cd6c2a28c544c006cdcd270d3106e0fe2b95cc829d02286bc4da3459eecd1cc33186267

  • C:\Users\Admin\AppData\Local\Temp\TouomNrqr\files_\system_info.txt
    Filesize: 8KB
    MD5: 162c8f646a6a4e1a09c6fe493745fc4a
    SHA1: 1200a1f0c88980b4914ec6b53a00929bb7afa88b
    SHA256: 6e607ecb1a7e8b9b2c19a3998e4108f79b1a253ad5e758953258482dcde2ba77
    SHA512: 37ce3a82fa275df5d6af022d2770049e80f3f76576e9cb4248ebfe9051e94e52e48a73bdfd04feee5a27a0cdf3ee59080b55c9802139558778c4c1c24a5c3c85

  • C:\Users\Admin\AppData\Local\Temp\TouomNrqr\pidExTpjNdFQx.zip
    Filesize: 44KB
    MD5: 674149611941a643af8ba229d5b457b3
    SHA1: 4f15e8525ba0fbb14b9d162db5b15692f3c61048
    SHA256: 898910272310d099db79c47eb9e3dbc76ecaa625a2ad33aacadcd4c8208aaa5b
    SHA512: 5598cca9623540b7ffaaf6b48a29dbe14d299fc8ac2803449dc74d61615cbe205eb1b8dcc639b40231aeccb7680ba99f4c5316516d535d280218d3c189030442

  • memory/2420-5-0x0000000000A00000-0x0000000001189000-memory.dmp
    Filesize: 7.5MB
  • memory/2420-6-0x0000000000A00000-0x0000000001189000-memory.dmp
    Filesize: 7.5MB
  • memory/2420-7-0x0000000000A00000-0x0000000001189000-memory.dmp
    Filesize: 7.5MB
  • memory/2420-220-0x0000000000360000-0x0000000000361000-memory.dmp
    Filesize: 4KB
  • memory/2420-4-0x0000000000A00000-0x0000000001189000-memory.dmp
    Filesize: 7.5MB
  • memory/2420-2-0x0000000000A00000-0x0000000001189000-memory.dmp
    Filesize: 7.5MB
  • memory/2420-1-0x0000000077480000-0x0000000077482000-memory.dmp
    Filesize: 8KB
  • memory/2420-0-0x0000000000A00000-0x0000000001189000-memory.dmp
    Filesize: 7.5MB
  • memory/2420-225-0x0000000000A00000-0x0000000001189000-memory.dmp
    Filesize: 7.5MB
  • memory/2420-229-0x0000000000360000-0x0000000000361000-memory.dmp
    Filesize: 4KB
  • memory/2420-3-0x0000000000A00000-0x0000000001189000-memory.dmp
    Filesize: 7.5MB
  • memory/2420-248-0x0000000000A00000-0x0000000001189000-memory.dmp
    Filesize: 7.5MB
  • memory/2420-252-0x0000000000A00000-0x0000000001189000-memory.dmp
    Filesize: 7.5MB