Analysis

max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 15-04-2024 04:15

Behavioral task: behavioral1
Sample: f048e67cc8bab2caf9435c2b90d50e98_JaffaCakes118.exe
Resource: win7-20240215-en
General

Target: f048e67cc8bab2caf9435c2b90d50e98_JaffaCakes118.exe
Size: 3.2MB
MD5: f048e67cc8bab2caf9435c2b90d50e98
SHA1: 355013d007818be0492a9901e49b4b08eca97c07
SHA256: a0d24046e0163fe30edd9cf0c27f3a4cd59435b95c2da05bfcfa329c240bf7a2
SHA512: c558df1942ce5634ba1ef23cdf467338a2ce757a0c74c20f19db6ffa158cff718bca550dc1848b462f874f330dff4fd08947b50e9b33d3bd516dae39c7bddcee
SSDEEP: 49152:jMb83QBX4PU0ga6edgVVO90D9naQEQEdFEqSpRZFWwDxtKfrtDCV+m1SYj:jWX4PU076TV89S9nhRzqSRy6SLmj
Malware Config

Extracted
Family: cryptbot
C2: bunole21.top, moreid02.top
Signatures

CryptBot payload (8 IoCs)
Processes:
  resource | yara_rule
  behavioral1/memory/2952-3-0x0000000000940000-0x0000000001134000-memory.dmp | family_cryptbot
  behavioral1/memory/2952-4-0x0000000000940000-0x0000000001134000-memory.dmp | family_cryptbot
  behavioral1/memory/2952-6-0x0000000000940000-0x0000000001134000-memory.dmp | family_cryptbot
  behavioral1/memory/2952-5-0x0000000000940000-0x0000000001134000-memory.dmp | family_cryptbot
  behavioral1/memory/2952-7-0x0000000000940000-0x0000000001134000-memory.dmp | family_cryptbot
  behavioral1/memory/2952-8-0x0000000000940000-0x0000000001134000-memory.dmp | family_cryptbot
  behavioral1/memory/2952-9-0x0000000000940000-0x0000000001134000-memory.dmp | family_cryptbot
  behavioral1/memory/2952-10-0x0000000000940000-0x0000000001134000-memory.dmp | family_cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
Processes: f048e67cc8bab2caf9435c2b90d50e98_JaffaCakes118.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | f048e67cc8bab2caf9435c2b90d50e98_JaffaCakes118.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: f048e67cc8bab2caf9435c2b90d50e98_JaffaCakes118.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | f048e67cc8bab2caf9435c2b90d50e98_JaffaCakes118.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | f048e67cc8bab2caf9435c2b90d50e98_JaffaCakes118.exe
Processes:
  resource | yara_rule
  behavioral1/memory/2952-0-0x0000000000940000-0x0000000001134000-memory.dmp | themida
  behavioral1/memory/2952-3-0x0000000000940000-0x0000000001134000-memory.dmp | themida
  behavioral1/memory/2952-4-0x0000000000940000-0x0000000001134000-memory.dmp | themida
  behavioral1/memory/2952-2-0x0000000000940000-0x0000000001134000-memory.dmp | themida
  behavioral1/memory/2952-6-0x0000000000940000-0x0000000001134000-memory.dmp | themida
  behavioral1/memory/2952-5-0x0000000000940000-0x0000000001134000-memory.dmp | themida
  behavioral1/memory/2952-7-0x0000000000940000-0x0000000001134000-memory.dmp | themida
  behavioral1/memory/2952-8-0x0000000000940000-0x0000000001134000-memory.dmp | themida
  behavioral1/memory/2952-9-0x0000000000940000-0x0000000001134000-memory.dmp | themida
  behavioral1/memory/2952-10-0x0000000000940000-0x0000000001134000-memory.dmp | themida
Checks whether UAC is enabled
Processes: f048e67cc8bab2caf9435c2b90d50e98_JaffaCakes118.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | f048e67cc8bab2caf9435c2b90d50e98_JaffaCakes118.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
Processes: f048e67cc8bab2caf9435c2b90d50e98_JaffaCakes118.exe
  pid | process
  2952 | f048e67cc8bab2caf9435c2b90d50e98_JaffaCakes118.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: f048e67cc8bab2caf9435c2b90d50e98_JaffaCakes118.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | f048e67cc8bab2caf9435c2b90d50e98_JaffaCakes118.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | f048e67cc8bab2caf9435c2b90d50e98_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes: f048e67cc8bab2caf9435c2b90d50e98_JaffaCakes118.exe
  pid | process
  2952 | f048e67cc8bab2caf9435c2b90d50e98_JaffaCakes118.exe
Processes

C:\Users\Admin\AppData\Local\Temp\f048e67cc8bab2caf9435c2b90d50e98_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f048e67cc8bab2caf9435c2b90d50e98_JaffaCakes118.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

  resource | Filesize
  memory/2952-0-0x0000000000940000-0x0000000001134000-memory.dmp | 8.0MB
  memory/2952-1-0x0000000077A90000-0x0000000077A92000-memory.dmp | 8KB
  memory/2952-3-0x0000000000940000-0x0000000001134000-memory.dmp | 8.0MB
  memory/2952-4-0x0000000000940000-0x0000000001134000-memory.dmp | 8.0MB
  memory/2952-2-0x0000000000940000-0x0000000001134000-memory.dmp | 8.0MB
  memory/2952-6-0x0000000000940000-0x0000000001134000-memory.dmp | 8.0MB
  memory/2952-5-0x0000000000940000-0x0000000001134000-memory.dmp | 8.0MB
  memory/2952-7-0x0000000000940000-0x0000000001134000-memory.dmp | 8.0MB
  memory/2952-8-0x0000000000940000-0x0000000001134000-memory.dmp | 8.0MB
  memory/2952-9-0x0000000000940000-0x0000000001134000-memory.dmp | 8.0MB
  memory/2952-10-0x0000000000940000-0x0000000001134000-memory.dmp | 8.0MB