Analysis
-
max time kernel: 146s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-04-2024 23:40
Static task: static1
Behavioral task: behavioral1
  Sample: f23000a51a7ac80b39bab71e83c3983a_JaffaCakes118.exe
  Resource: win10v2004-20240412-en
Behavioral task: behavioral2
  Sample: Aggiogati.pptx
  Resource: win7-20240221-en
Behavioral task: behavioral3
  Sample: Aggiogati.pptx
  Resource: win10v2004-20240412-en
Behavioral task: behavioral4
  Sample: Fresco.pptx
  Resource: win7-20231129-en
Behavioral task: behavioral5
  Sample: Fresco.pptx
  Resource: win10v2004-20240226-en
Behavioral task: behavioral6
  Sample: Pel.pptx
  Resource: win7-20240221-en
Behavioral task: behavioral7
  Sample: Pel.pptx
  Resource: win10v2004-20240412-en
Behavioral task: behavioral8
  Sample: Seduce.pptx
  Resource: win7-20240221-en
Behavioral task: behavioral9
  Sample: Seduce.pptx
  Resource: win10v2004-20240412-en
General
-
Target: f23000a51a7ac80b39bab71e83c3983a_JaffaCakes118.exe
Size: 1.5MB
MD5: f23000a51a7ac80b39bab71e83c3983a
SHA1: 647a3ce6cfc9e4a4f5c952678d8c7bda038a14f5
SHA256: bd7020c913d0170d15354c8e693a4b2469d2332768ef477c702bd1c51e41887c
SHA512: e7193498cea1d3a56a4a207c3f94aff45b591d4dc95b2ba67830a1252dd79560b63c8abdb36216f90e74fae22123c38f82b606953551ca54f1b015ca987ee7f3
SSDEEP: 24576:VyEptD7sRjWDFtr9xE8OoNTtfvJeqkIftCstIt2J5CNmfh8+IED471iuejTya:jZARsFtrTRbdtw4tC0LkyqED4xiuej
Malware Config
Extracted: cryptbot
ewaqfe45.top
morjau04.top
payload_url: http://winhaf05.top/download.php?file=lv.exe
Signatures
-
CryptBot payload 5 IoCs
The family_cryptbot YARA rule matches only in the memory of PID 2020 (the second Vorra.exe.com instance), in the same 0x42C0000-0x4363000 region across five capture points; it matches none of the dropped files. The on-disk Vorra.exe.com is therefore the loader/unpacker, and the CryptBot payload exists only unpacked in memory.
Processes:
resource                                                                      yara_rule
behavioral1/memory/2020-25-0x00000000042C0000-0x0000000004363000-memory.dmp   family_cryptbot
behavioral1/memory/2020-26-0x00000000042C0000-0x0000000004363000-memory.dmp   family_cryptbot
behavioral1/memory/2020-27-0x00000000042C0000-0x0000000004363000-memory.dmp   family_cryptbot
behavioral1/memory/2020-29-0x00000000042C0000-0x0000000004363000-memory.dmp   family_cryptbot
behavioral1/memory/2020-246-0x00000000042C0000-0x0000000004363000-memory.dmp  family_cryptbot
-
Executes dropped EXE 2 IoCs
Processes: Vorra.exe.com, Vorra.exe.com
pid   process
4160  Vorra.exe.com
2020  Vorra.exe.com
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: f23000a51a7ac80b39bab71e83c3983a_JaffaCakes118.exe
description      ioc                                                                                                                                                                                                                    process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  f23000a51a7ac80b39bab71e83c3983a_JaffaCakes118.exe
Caveat: this RunOnce value is the standard cleanup entry written by the Windows self-extracting CAB stub (wextract, as used by IExpress packages). It schedules deletion of the IXP000.TMP extraction directory through advpack.dll's DelNodeRunDLL32 at next logon; it does not start the malware. Treat it as evidence that the sample is a wextract-style SFX (which is also why the dropped files live under IXP000.TMP), not as persistence for the payload.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: Vorra.exe.com
description        ioc                                                                                   process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                       Vorra.exe.com
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   Vorra.exe.com
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes: Vorra.exe.com
pid   process
2020  Vorra.exe.com
2020  Vorra.exe.com
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes: f23000a51a7ac80b39bab71e83c3983a_JaffaCakes118.exe, cmd.exe, cmd.exe, Vorra.exe.com
Every parent/child pair in the process tree appears three times below (7 pairs, 21 events). The only writer that is neither the SFX nor cmd.exe is Vorra.exe.com (PID 4160) writing into its own second instance (PID 2020), which is the process in which the CryptBot payload is later found in memory.
description                       pid   process                                             target process
PID 2464 wrote to memory of 2832  2464  f23000a51a7ac80b39bab71e83c3983a_JaffaCakes118.exe  cmd.exe
PID 2464 wrote to memory of 2832  2464  f23000a51a7ac80b39bab71e83c3983a_JaffaCakes118.exe  cmd.exe
PID 2464 wrote to memory of 2832  2464  f23000a51a7ac80b39bab71e83c3983a_JaffaCakes118.exe  cmd.exe
PID 2464 wrote to memory of 1240  2464  f23000a51a7ac80b39bab71e83c3983a_JaffaCakes118.exe  cmd.exe
PID 2464 wrote to memory of 1240  2464  f23000a51a7ac80b39bab71e83c3983a_JaffaCakes118.exe  cmd.exe
PID 2464 wrote to memory of 1240  2464  f23000a51a7ac80b39bab71e83c3983a_JaffaCakes118.exe  cmd.exe
PID 1240 wrote to memory of 3640  1240  cmd.exe                                             cmd.exe
PID 1240 wrote to memory of 3640  1240  cmd.exe                                             cmd.exe
PID 1240 wrote to memory of 3640  1240  cmd.exe                                             cmd.exe
PID 3640 wrote to memory of 4904  3640  cmd.exe                                             findstr.exe
PID 3640 wrote to memory of 4904  3640  cmd.exe                                             findstr.exe
PID 3640 wrote to memory of 4904  3640  cmd.exe                                             findstr.exe
PID 3640 wrote to memory of 4160  3640  cmd.exe                                             Vorra.exe.com
PID 3640 wrote to memory of 4160  3640  cmd.exe                                             Vorra.exe.com
PID 3640 wrote to memory of 4160  3640  cmd.exe                                             Vorra.exe.com
PID 3640 wrote to memory of 4032  3640  cmd.exe                                             PING.EXE
PID 3640 wrote to memory of 4032  3640  cmd.exe                                             PING.EXE
PID 3640 wrote to memory of 4032  3640  cmd.exe                                             PING.EXE
PID 4160 wrote to memory of 2020  4160  Vorra.exe.com                                       Vorra.exe.com
PID 4160 wrote to memory of 2020  4160  Vorra.exe.com                                       Vorra.exe.com
PID 4160 wrote to memory of 2020  4160  Vorra.exe.com                                       Vorra.exe.com
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\f23000a51a7ac80b39bab71e83c3983a_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\f23000a51a7ac80b39bab71e83c3983a_JaffaCakes118.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    -
    [2] C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c rgmLAtaO
    -
    [2] C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c cmd < Pel.pptx
        - Suspicious use of WriteProcessMemory
        -
        [3] C:\Windows\SysWOW64\cmd.exe
            command line: cmd
            - Suspicious use of WriteProcessMemory
            -
            [4] C:\Windows\SysWOW64\findstr.exe
                command line: findstr /V /R "^zhstQWiUaSsAnmkEODbzVxaWPpDrIiPtovZYFBuQSwQDdEWokoffoLwZVcgHzrklejseAhZhbHAUDOGlhxSmSAWbcqephnvOQFArhTIXpeSAlucuPrzYkLaCdUGAkPqYlMtYhCXzLUdQHchgE$" Aggiogati.pptx
            -
            [4] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vorra.exe.com
                command line: Vorra.exe.com o
                - Executes dropped EXE
                - Suspicious use of WriteProcessMemory
                -
                [5] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vorra.exe.com
                    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vorra.exe.com o
                    - Executes dropped EXE
                    - Checks processor information in registry
                    - Suspicious use of FindShellTrayWindow
            -
            [4] C:\Windows\SysWOW64\PING.EXE
                command line: ping localhost -n 30
                - Runs ping.exe
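The tree above is a staging chain that can be flagged from process-creation telemetry alone. The SFX (wextract, hence the IXP000.TMP directory) runs cmd with the 487-byte Pel.pptx as its standard input, so Pel.pptx is the batch script and the findstr, Vorra.exe.com and PING children are its commands. findstr /V with a long anchored marker copies every line of Aggiogati.pptx except the marker line into a new file; the output redirect is inside the batch script, so it never appears in findstr's own command line and a detection cannot rely on seeing it. The carved Vorra.exe.com then runs a second copy of itself, and ping localhost -n 30 is a sleep. The Python below is an added example, not part of this report or of any vendor's detection content: it replays events constructed from this page's process tree (PIDs and command lines as reported, parent PIDs taken from the tree nesting) through four heuristics of my own and reports any root process whose tree trips at least three distinct ones, since any single one of them is noisy on its own.

```python
"""Flag the findstr/cmd-stdin staging chain from process-creation events.

Added example (not part of the sandbox report). EVENTS is constructed from
the process tree on this page; the heuristic names and thresholds are mine.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SFX = r"C:\Users\Admin\AppData\Local\Temp\f23000a51a7ac80b39bab71e83c3983a_JaffaCakes118.exe"
DROP = r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vorra.exe.com"
# Marker string from the findstr command line in the report's process tree.
MARKER = ("zhstQWiUaSsAnmkEODbzVxaWPpDrIiPtovZYFBuQSwQDdEWokoffoLwZVcgHzrklejse"
          "AhZhbHAUDOGlhxSmSAWbcqephnvOQFArhTIXpeSAlucuPrzYkLaCdUGAkPqYlMtYhCXzLUdQHchgE")

# Constructed from the report's process tree (ppid 0 = no parent in the tree).
EVENTS = [
    ProcEvent(2464, 0, SFX, f'"{SFX}"'),
    ProcEvent(2832, 2464, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c rgmLAtaO"),
    ProcEvent(1240, 2464, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c cmd < Pel.pptx"),
    ProcEvent(3640, 1240, r"C:\Windows\SysWOW64\cmd.exe", "cmd"),
    ProcEvent(4904, 3640, r"C:\Windows\SysWOW64\findstr.exe",
              f'findstr /V /R "^{MARKER}$" Aggiogati.pptx'),
    ProcEvent(4160, 3640, DROP, "Vorra.exe.com o"),
    ProcEvent(2020, 4160, DROP, f"{DROP} o"),
    ProcEvent(4032, 3640, r"C:\Windows\SysWOW64\PING.EXE", "ping localhost -n 30"),
]

DOC_EXT = r"\.(?:pptx|docx|xlsx|pdf|jpg|png|mp3|txt)\b"
# 1. cmd reading its script from a redirected file with a document extension
STDIN_SCRIPT = re.compile(r"\bcmd(?:\.exe)?\s*<\s*\S+" + DOC_EXT, re.I)
# 2. findstr /V with a long anchored marker applied to a "document": every line
#    but the marker is copied through, i.e. findstr used as a file-carving copy
FINDSTR_CARVE = re.compile(
    r'\bfindstr(?:\.exe)?\s+/V\s+/R\s+"\^[A-Za-z0-9]{20,}\$"\s+\S+' + DOC_EXT, re.I)
# 3. ping against loopback with a large count, used as a sleep
PING_SLEEP = re.compile(r"\bping(?:\.exe)?\s+(?:localhost|127\.0\.0\.1)\s+-n\s+(\d+)", re.I)
# 4. a .exe.com executing out of a wextract/IExpress extraction directory
IXP_EXE_COM = re.compile(r"\\Temp\\IXP\d{3}\.TMP\\[^\\]+\.exe\.com$", re.I)


def classify(ev: ProcEvent) -> list[str]:
    """Names of the heuristics a single event trips."""
    hits = []
    if STDIN_SCRIPT.search(ev.cmdline):
        hits.append("cmd_script_from_document_stdin")
    if FINDSTR_CARVE.search(ev.cmdline):
        hits.append("findstr_carve_copy")
    m = PING_SLEEP.search(ev.cmdline)
    if m and int(m.group(1)) >= 10:  # -n 30 on this page; 10+ echoes is a sleep, not a probe
        hits.append("ping_loopback_sleep")
    if IXP_EXE_COM.search(ev.image):
        hits.append("ixp_tmp_exe_com")
    return hits


def root_of(events: list[ProcEvent], pid: int) -> int:
    """Walk ppid links up to the topmost process present in the event set."""
    by_pid = {e.pid: e for e in events}
    while pid in by_pid and by_pid[pid].ppid in by_pid:
        pid = by_pid[pid].ppid
    return pid


def chain_verdict(events: list[ProcEvent], min_distinct: int = 3) -> dict[int, set[str]]:
    """Root PID -> distinct heuristics tripped anywhere in its tree, reported
    only when at least min_distinct fire; one alone (ping -n, findstr on a
    text file) is too noisy to act on."""
    per_root: dict[int, set[str]] = {}
    for ev in events:
        tags = classify(ev)
        if tags:
            per_root.setdefault(root_of(events, ev.pid), set()).update(tags)
    return {root: tags for root, tags in per_root.items() if len(tags) >= min_distinct}


if __name__ == "__main__":
    for root, tags in chain_verdict(EVENTS).items():
        print(f"staging chain rooted at PID {root}: {sorted(tags)}")
```

Run against this page's events the verdict is a single chain rooted at PID 2464 with all four heuristics. Keying on the findstr invocation itself (long `^…$` marker, document extension as input) is what makes the rule robust to the missing redirect; the `cmd < file` form is the other half, because a batch script fed through stdin never shows up as a `.bat`/`.cmd` file being executed.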
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Aggiogati.pptx
Filesize: 872KB
MD5: f435197ac66954c9aaa768c402bb2f6e
SHA1: 81cb16becf08ab1cb2d88c1a0d51872aac7af78f
SHA256: 682c0c70fdc6522a9ee445de9439348405b945ef9707b983ddf3e88c869ea576
SHA512: ca39a95f003340290b4ae5037313432061c1213f976253bbda8b5149f0f1e295cacbc43dbe63fa1cc54e5336a3161eac7962f73afad775a4122ad23f0330117b
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fresco.pptx
Filesize: 733KB
MD5: 6ef148867d1e6e66271e86d6bfab3869
SHA1: 589cfd4129777c088f4b53f5dc723ada5f51b302
SHA256: 0768633b95a60df47da99c4f6c92cb703c61e547652e6831ff918a9c48ae7720
SHA512: 8ba444184340843551dbe1dbec38f15a8a30aa3e97811e300b4fcae2c791254c84576d3b8d7299cca48ae0a3a8e443bbc71d0325283df7a46773747ef72b41e3
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pel.pptx
Filesize: 487B
MD5: b508376c348b13291d124eab9cce3534
SHA1: 26e23e157da1b214a98d84c581c103a97d2f4121
SHA256: a0a6240b767c17f2bbe16985044599f369fdee62ee626a4326e975edbb01a9b4
SHA512: 018c7dcf04180da81065647d957e4d08e40ee7e6ca93fe70ab6bfa49ab8532fcd40fe9add8ddc09816e343f04174b1d3e3dc16ba4cd7c93545814fc1992256b8
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Seduce.pptx
Filesize: 634KB
MD5: c5a42d35b245941d0acde1ecc0858cd2
SHA1: d34859da52fe96c5ea0b580d24dd05404af91a89
SHA256: 0f7917bc1c77ced2004a06f52195e492fcbc4a1bee59f345dd8210df14e12e4c
SHA512: a6d283988467152fe85fa9bac1f6dbd7fa88631af90198d10b912b5589186b1a8920ec3f8a6fee5ce3c58c415c860ab429b10c1d1c77de2a3f4c91843ee63564
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vorra.exe.com
Filesize: 872KB
MD5: c56b5f0201a3b3de53e561fe76912bfd
SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
C:\Users\Admin\AppData\Local\Temp\xkjn6FMRF\KaKqXPhjTXhUZK.zip
Filesize: 42KB
MD5: ab9bc2835ccd8fa5b9c290ec1a29c7f4
SHA1: 2874714bba2adf4a777980889a2ef2d5a6727dc7
SHA256: fe42b7da297d1b6c711f3d21883a80804a608a09b6b9f21c77b5abf383990127
SHA512: 8e2a1e4831974bd8bc0c5184eeaa89d9dcd9918e5178fb958be65b12e4f6c706100dddaa91b834017ba59a8b9f3d6adc05517c380b7d1de7e904dfa094742669
-
C:\Users\Admin\AppData\Local\Temp\xkjn6FMRF\_Files\_Information.txt
Filesize: 1KB
MD5: cf4404592f917064610dfe0dde2194d3
SHA1: 148165f8c44d1703b9cea9e117867e414743edbf
SHA256: 4ca35a9d3f01bededd78f7dc93906c4b3e4f2f5ac7fe63a983c11a6e86f4d259
SHA512: fec14d10e2893296aed2b5abf0b91d96b3ba289cc0f50fb6a2829477941b1a66e3a4f454bc00a7451dcd589dc4841315805ad5cfa3953a8300b9d02d2a6d36e5
-
C:\Users\Admin\AppData\Local\Temp\xkjn6FMRF\_Files\_Information.txt
Filesize: 1KB
MD5: e144d7a7ec1a47765105946f0082c493
SHA1: 3e3fc338f298bf4bb9f5523a4b3270aa5aa46561
SHA256: 2981f1c76b87ea87b50737ff097555a4bd50b72cc97daec85c353a990daaa829
SHA512: 5c5eec8c80f156b8b814c5f0f8543fd86013663ed70381ec896e33eaff1c4051f87d86d6538d988513cc6ff3cdbcf06fe4015d47d795b9621ff3a7e5d5320196
-
C:\Users\Admin\AppData\Local\Temp\xkjn6FMRF\_Files\_Information.txt
Filesize: 2KB
MD5: 4ac36deb1875f2abb046dfa9dfd026f7
SHA1: a7581d0ef08500799eb683024da0b4522e9b58fd
SHA256: 722c27fe3cd9dcd8af85be58ba57ef212e3c3ad621bef7f3349741cc8078e35b
SHA512: 673bd86a4299e681da8f3b28d2febb1eef93e8f0ba6abf7db548879d79d313da7d404dbf9722e07014f5a2a8b36dd7468dd5619ccd7fbb221d278f1b89166c37
-
C:\Users\Admin\AppData\Local\Temp\xkjn6FMRF\_Files\_Information.txt
Filesize: 3KB
MD5: 8beead6343eaa0ed9d9e26cc417706a9
SHA1: 392608490cbe613ef9b0c9951cf30b90fd125d3c
SHA256: e79ee751421276863f86192ba46a68bc2a3444c851365ff08d67bd742b1d9867
SHA512: f11e1f7ed3fcf86b5bad9768d6b59798ec03f3cfcd46373a1b896776748ea743bed2087f43f11db235ca4d6ba4f9dc36f02673276955b48b00bba1844db877b3
-
C:\Users\Admin\AppData\Local\Temp\xkjn6FMRF\_Files\_Information.txt
Filesize: 4KB
MD5: e468964823f2f298e8e71284bbf3be3a
SHA1: a20f2433acba4e0854834f489363780aaaf7a27a
SHA256: da19a372c8108f02bd8561014e5d0e04ab567bd2f4f470cc5159d216c4eabadd
SHA512: 53dab2c993cf9b05722539699406356e11c87d7bed0f12aa25c1433d8f512dbb3285490c81310deaf329514d44b4ce9447069a165b54a6f9b7d5b3e2cec4d260
-
C:\Users\Admin\AppData\Local\Temp\xkjn6FMRF\_Files\_Screen_Desktop.jpeg
Filesize: 48KB
MD5: 7801d65ffb97c6690cf48dabf5e295dd
SHA1: b26367bde7ef928b08189aef6fb948cf2d53231f
SHA256: 675455888056031b192d7258bacc58a49e3c384648a38ae7b27014d07a7c8223
SHA512: b4d00c360531744a5fa78f63368e6e2218fc3f13f8a2cfe453afb766ef440a65ae7ea2f369b91b1eb39723829a160753602eb418e6474b1ecad33bb4b6d6757d
-
C:\Users\Admin\AppData\Local\Temp\xkjn6FMRF\files_\system_info.txt
Filesize: 694B
MD5: 59ab4bc79958f52451a1eeb80ac8ef97
SHA1: ca9417383653bfff9df33ec0a7ec828bb22b1958
SHA256: 131d00e1c09d0ae269cdd57c0c6bab1ebf676407e5d7361667552523ea76cfda
SHA512: c89acc4fc4609c63a72a48a063efc0a441dae7a3a89a76078bac66f053c8963acaef014a9fe7c0a4536cdc0520389fcfdbe8631550039d66e3359cd09d550960
-
C:\Users\Admin\AppData\Local\Temp\xkjn6FMRF\files_\system_info.txt
Filesize: 7KB
MD5: ea2875163176a5ebedf615590169e1e0
SHA1: 2d0392d11ee7904ae6120da2cf33465375a80e0a
SHA256: 4d19f77ef1e248478297ee44530bddfdadefc74fc8570e0a6a0cbc28a49f1146
SHA512: 0f30a55a8bf850345a0a28b1ca624d0f8548926e2a9b467f67110eb2a356af59ce94fbf1681ec6dbc76455a59d99f2bf46f55be674aecca23940e0197e5415da
-
memory/2020-21-0x0000000004150000-0x0000000004151000-memory.dmp
Filesize: 4KB
-
memory/2020-29-0x00000000042C0000-0x0000000004363000-memory.dmp
Filesize: 652KB
-
memory/2020-27-0x00000000042C0000-0x0000000004363000-memory.dmp
Filesize: 652KB
-
memory/2020-26-0x00000000042C0000-0x0000000004363000-memory.dmp
Filesize: 652KB
-
memory/2020-25-0x00000000042C0000-0x0000000004363000-memory.dmp
Filesize: 652KB
-
memory/2020-24-0x00000000042C0000-0x0000000004363000-memory.dmp
Filesize: 652KB
-
memory/2020-23-0x00000000042C0000-0x0000000004363000-memory.dmp
Filesize: 652KB
-
memory/2020-22-0x00000000042C0000-0x0000000004363000-memory.dmp
Filesize: 652KB
-
memory/2020-246-0x00000000042C0000-0x0000000004363000-memory.dmp
Filesize: 652KB
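The findstr command in the process tree explains why Aggiogati.pptx and the dropped Vorra.exe.com above are both reported as 872KB yet have different hashes: findstr /V /R "^MARKER$" emits every line of the decoy except the marker line, so the executable is the decoy minus a few hundred bytes, a difference that vanishes at kilobyte granularity. An analyst holding only the .pptx files (the sandbox ran each of them as a separate behavioral task) can reproduce that carve offline and check the result against the hashes reported here before running anything. The Python below is an added example, not the report's or any tool's code. It models findstr /V as a plain LF-delimited line filter that drops lines equal to the marker, with or without a trailing CR, and copies every other byte unchanged; that is an assumption about findstr's behaviour on binary input, which has known line-handling quirks, so the recovered bytes are validated by hash rather than trusted. The payload and decoy bytes in the block are constructed for the example and are not the sample's.

```python
"""Reproduce findstr /V /R "^MARKER$" DECOY > OUT offline and verify by hash.

Added example, not part of the report. The line-filter model of findstr is an
assumption; PAYLOAD and DECOY are constructed, not taken from the sample.
"""
import hashlib
import re

# Marker string from the findstr command line in this report's process tree.
MARKER = ("zhstQWiUaSsAnmkEODbzVxaWPpDrIiPtovZYFBuQSwQDdEWokoffoLwZVcgHzrklejse"
          "AhZhbHAUDOGlhxSmSAWbcqephnvOQFArhTIXpeSAlucuPrzYkLaCdUGAkPqYlMtYhCXzLUdQHchgE")

# One "line" as findstr sees it: everything up to and including an LF,
# or the final unterminated tail of the file.
LINE = re.compile(rb"[^\n]*\n|[^\n]+\Z")


def carve(decoy: bytes, marker: str) -> bytes:
    """Drop every line that is exactly `marker` (LF or CRLF terminated);
    copy all other bytes, line terminators included, unchanged."""
    needle = marker.encode()
    kept = []
    for m in LINE.finditer(decoy):
        line = m.group(0)
        body = line[:-1] if line.endswith(b"\n") else line
        if body.endswith(b"\r"):
            body = body[:-1]
        if body == needle:
            continue
        kept.append(line)
    return b"".join(kept)


def digests(data: bytes) -> dict[str, str]:
    """MD5/SHA1/SHA256 hex digests, the form the sandbox reports them in."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def verify(decoy: bytes, marker: str, reported_sha256: str) -> bool:
    """True if carving `decoy` reproduces the dropped file's reported SHA256."""
    return digests(carve(decoy, marker))["sha256"] == reported_sha256.lower()


# Constructed stand-in for the executable: a PE-like prefix plus every byte
# value repeated, so the blob contains CR and LF bytes like a real binary.
PAYLOAD = b"MZ\x90\x00\x03\x00\x00\x00" + bytes(range(256)) * 8

# Constructed decoy: the payload with the marker inserted as its own CRLF line
# right after the first LF, which is the only place a line filter can see it.
_cut = PAYLOAD.index(b"\n") + 1
DECOY = PAYLOAD[:_cut] + MARKER.encode() + b"\r\n" + PAYLOAD[_cut:]


if __name__ == "__main__":
    recovered = carve(DECOY, MARKER)
    print(f"{len(DECOY)} -> {len(recovered)} bytes")
    print("sha256 matches payload:", verify(DECOY, MARKER, digests(PAYLOAD)["sha256"]))
```

On a real decoy, call `verify(open("Aggiogati.pptx", "rb").read(), MARKER, "237d1bca…")` with the SHA256 reported for Vorra.exe.com; a mismatch means either the wrong marker or that findstr altered the binary in a way this line model does not capture, and in that case the sandbox's dropped file, not the carve, is the artefact to analyse.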