Analysis

  • max time kernel
    146s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-04-2024 16:09

General

  • Target

    eb749e44a75448c807d0af28f8b83e66_JaffaCakes118.exe

  • Size

    623KB

  • MD5

    eb749e44a75448c807d0af28f8b83e66

  • SHA1

    f00ecf94d2ca07d843242b23b1d6e9f92d80c0ce

  • SHA256

    56086c245c079cb9345f744d6c352931877ea6aa2286950f9451d3ec372d6e19

  • SHA512

    f8ee99ab474ba6b797a2d5eddc1245080ff3272576fcdc3bfc5c9d32154ac2b20ddf0939fc98f2d4e66e81f89582f0a0e8a92996896bc29fc478cdd40a3b60c4

  • SSDEEP

    12288:eKOR/0vrmf7SehkqWtVHd/me+NI7E7936QNq3PDQw2k:q/0vwkBtVHd/mNNS/DQ

Malware Config

Extracted

Family

cryptbot

C2

bunopq12.top

morkix01.top

Attributes
  • payload_url

    http://tobdol01.top/download.php?file=lv.exe

Signatures

  • CryptBot

    A C++ stealer that is widely distributed bundled with other software.

  • CryptBot payload (4 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and similar secrets.

  • Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software installed on the system.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read in order to detect sandbox environments.

  • Suspicious use of FindShellTrayWindow (2 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\eb749e44a75448c807d0af28f8b83e66_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\eb749e44a75448c807d0af28f8b83e66_JaffaCakes118.exe"
    • Checks processor information in registry
    • Suspicious use of FindShellTrayWindow
    PID:1372

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Credential Access
    Unsecured Credentials (T1552): 2
    Credentials In Files (T1552.001): 2
  • Discovery
    Query Registry (T1012): 2
    System Information Discovery (T1082): 2
  • Collection
    Data from Local System (T1005): 2

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tEctOcA\XXd4lgvVxoifZy.zip
    Filesize

    36KB

    MD5

    83b8b00dd52b28ffdd8602eff4c009d1

    SHA1

    838c0a214d74025b4e040a46cff33223a746466b

    SHA256

    e58f7d86fe6a0539daf08e244eba78fcbdc860e3a5eb16566bab2997584af5b4

    SHA512

    1c12b3a5fc141c9fc763bad9a9e951739754b84c6e07b8855ac647b009c6257204fbd22293549f5584b0e2f225fc8dc84f3e5dd52b393ad14a41ac80dcd53e44

  • C:\Users\Admin\AppData\Local\Temp\tEctOcA\_Files\_Information.txt
    Filesize

    1KB

    MD5

    c8ef139c0cea6a6925c960e9932ea1f1

    SHA1

    34e2b94d065df4511e2dfc1b247d666c08924801

    SHA256

    3355affb2ab5afac06692f5af9df4cbb9ac1f2bee4342f3aaaed02f81b47e953

    SHA512

    339fba4c922e39a385645f51a6413a4909094df5776aae4e41b374b4e0ee01d35c8818bfe2ccf9bda2c3d32ea0f3b822b8e2007035e05d7de0b9bbf313a9f3f1

  • C:\Users\Admin\AppData\Local\Temp\tEctOcA\_Files\_Information.txt
    Filesize

    4KB

    MD5

    d502cbeda7099b79bfc074330b28bc3c

    SHA1

    6dabd5ceb85685bfe0f2226f257232558a18334d

    SHA256

    1c739526f03431d5453e464c98f94a39dcb016fdb08ab69dff20de7dedaef87c

    SHA512

    e060e176e1f970de567706a4ec1108b48828f0f5b10be08200c95414fc9aefe96dd1e8967388cec92667798252b199436e7c289f72f5ac221027f52c0b134f65

  • C:\Users\Admin\AppData\Local\Temp\tEctOcA\_Files\_Screen_Desktop.jpeg
    Filesize

    42KB

    MD5

    89238944be9ea08b78c6186c3225c058

    SHA1

    79991bc4811041340dab68c3414c1aa1c2a95699

    SHA256

    7d986ff796481bbaa18e317a400519479e123c08f3b7d988092c7fab3cb4de20

    SHA512

    f22536bb1191552becd6fecfa5e7469ec99a07d0fb99ef7e9c821f37c54804d5c1129f5eea784569d602f623eba696d5e29922e0fe0e9e3c518800c2858fb961

  • C:\Users\Admin\AppData\Local\Temp\tEctOcA\files_\system_info.txt
    Filesize

    1KB

    MD5

    999f9d0e86729c8ca852b49e2c9f5c2c

    SHA1

    e91a46ce7c8e47d39d2db31fda45b480e12202ae

    SHA256

    36bfceefaa0603eea560ed383d22e9fe0482657aea62c6107b0ee8461aa608e8

    SHA512

    f1e579d68fabdb63228d8908461062b3a7632a83dbed23a80d32ab61047e3b1ad679d7f18aedfdb61d8d26111791abc80e1a5c574752cc58beab97f4390de35a

  • C:\Users\Admin\AppData\Local\Temp\tEctOcA\files_\system_info.txt
    Filesize

    7KB

    MD5

    36f84514825e6f581496f09f1c5dbc0c

    SHA1

    b39815a0df2b1f94baade5163a77e9da266c0fbf

    SHA256

    1b8f80220d96deb40bd51d1dbe0415841d90d3cb03e7262bea0c945ba5b1a9f7

    SHA512

    d4bc795b57e8649aa1c99549ef036eaa2c865c066d5f49d9862b09a1842414f7d1e9a07152544abc30dc7bfc579e36ab6713bdce2a697bd2d9be98b647597b75

  • C:\Users\Admin\AppData\Local\Temp\tEctOcA\g7ZLcNL6gk1d4.zip
    Filesize

    36KB

    MD5

    ea96a543ff7166e1f8256206be718100

    SHA1

    880ae20dd637f7e1a37a4be23c46e2480487a4b3

    SHA256

    3968d4309995b17331a8c77188b38d02cb72aab8bf4373d14e850a15774faf91

    SHA512

    ae70006462e4860bd6932f567de2ab2ac558da64171e20219d66f800ec3a639549361b0682159d407f03580e3dc3bcad26845b4c321967a1ce3f69749b227156

  • memory/1372-3-0x0000000000400000-0x0000000002406000-memory.dmp
    Filesize

    32.0MB

  • memory/1372-1-0x0000000002610000-0x0000000002710000-memory.dmp
    Filesize

    1024KB

  • memory/1372-208-0x0000000000400000-0x0000000002406000-memory.dmp
    Filesize

    32.0MB

  • memory/1372-2-0x0000000002570000-0x0000000002610000-memory.dmp
    Filesize

    640KB

  • memory/1372-212-0x0000000002610000-0x0000000002710000-memory.dmp
    Filesize

    1024KB

  • memory/1372-213-0x0000000002570000-0x0000000002610000-memory.dmp
    Filesize

    640KB