Analysis

Max time kernel: 146s
Max time network: 143s
Platform: windows10-2004_x64
Resource: win10v2004-20240226-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 10-04-2024 16:09
Static task: static1
Behavioral task: behavioral1
Sample: eb749e44a75448c807d0af28f8b83e66_JaffaCakes118.exe
Resource: win7-20240221-en
General

Target: eb749e44a75448c807d0af28f8b83e66_JaffaCakes118.exe
Size: 623KB
MD5: eb749e44a75448c807d0af28f8b83e66
SHA1: f00ecf94d2ca07d843242b23b1d6e9f92d80c0ce
SHA256: 56086c245c079cb9345f744d6c352931877ea6aa2286950f9451d3ec372d6e19
SHA512: f8ee99ab474ba6b797a2d5eddc1245080ff3272576fcdc3bfc5c9d32154ac2b20ddf0939fc98f2d4e66e81f89582f0a0e8a92996896bc29fc478cdd40a3b60c4
SSDEEP: 12288:eKOR/0vrmf7SehkqWtVHd/me+NI7E7936QNq3PDQw2k:q/0vwkBtVHd/mNNS/DQ
Malware Config

Extracted family: cryptbot
Domains:
- bunopq12.top
- morkix01.top
payload_url: http://tobdol01.top/download.php?file=lv.exe
Signatures

CryptBot payload (4 IoCs)
Processes (resource: yara_rule):
- behavioral2/memory/1372-2-0x0000000002570000-0x0000000002610000-memory.dmp: family_cryptbot
- behavioral2/memory/1372-3-0x0000000000400000-0x0000000002406000-memory.dmp: family_cryptbot
- behavioral2/memory/1372-208-0x0000000000400000-0x0000000002406000-memory.dmp: family_cryptbot
- behavioral2/memory/1372-213-0x0000000002570000-0x0000000002610000-memory.dmp: family_cryptbot

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description: ioc, process):
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, process eb749e44a75448c807d0af28f8b83e66_JaffaCakes118.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString, process eb749e44a75448c807d0af28f8b83e66_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes (pid: process):
- 1372: eb749e44a75448c807d0af28f8b83e66_JaffaCakes118.exe
- 1372: eb749e44a75448c807d0af28f8b83e66_JaffaCakes118.exe
Downloads
- C:\Users\Admin\AppData\Local\Temp\tEctOcA\XXd4lgvVxoifZy.zip (36KB)
- C:\Users\Admin\AppData\Local\Temp\tEctOcA\_Files\_Information.txt (1KB)
- C:\Users\Admin\AppData\Local\Temp\tEctOcA\_Files\_Information.txt (4KB)
- C:\Users\Admin\AppData\Local\Temp\tEctOcA\_Files\_Screen_Desktop.jpeg (42KB)
- C:\Users\Admin\AppData\Local\Temp\tEctOcA\files_\system_info.txt (1KB)
- C:\Users\Admin\AppData\Local\Temp\tEctOcA\files_\system_info.txt (7KB)
- C:\Users\Admin\AppData\Local\Temp\tEctOcA\g7ZLcNL6gk1d4.zip (36KB)
- memory/1372-3-0x0000000000400000-0x0000000002406000-memory.dmp (32.0MB)
- memory/1372-1-0x0000000002610000-0x0000000002710000-memory.dmp (1024KB)
- memory/1372-208-0x0000000000400000-0x0000000002406000-memory.dmp (32.0MB)
- memory/1372-2-0x0000000002570000-0x0000000002610000-memory.dmp (640KB)
- memory/1372-212-0x0000000002610000-0x0000000002710000-memory.dmp (1024KB)
- memory/1372-213-0x0000000002570000-0x0000000002610000-memory.dmp (640KB)