Analysis
Max time kernel: 147s
Max time network: 155s
Platform: windows10-2004_x64
Resource: win10v2004-20240412-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 16-04-2024 03:29
Static task: static1
Behavioral task: behavioral1
Sample: f295b6024d248163f14b87bc6aed9db5_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: f295b6024d248163f14b87bc6aed9db5_JaffaCakes118.exe
Size: 675KB
MD5: f295b6024d248163f14b87bc6aed9db5
SHA1: b16d00942ca755d99f061ec63411c5cdd521f64c
SHA256: 03f1f8cb65e89c21c87f0e04c65dace4d48c708dd175056e581516bd94c50bfa
SHA512: c52252e801997ae01487cb57e3eec2b2b92303a49fceba676fd746c5c2e6d8c6fc8d60c25f7de07794893c0d43ebcc6b786eea68188df222e980df8542a49063
SSDEEP: 12288:JmfR9Cu6Hml1T4pOJK6DzMJKtB61OPu7faLc5kSEkwVgyo22tDtuejoWXNj0p6Pj:YCu6Hmz456fMJI8O4hY+yoltDwetKp6
Malware Config
Extracted
Family: cryptbot
C2: ewaqly46.top
C2: morjau04.top
payload_url: http://winhaf05.top/download.php?file=lv.exe
Signatures

CryptBot payload (5 IoCs)
YARA rule family_cryptbot matched the following memory regions:
- behavioral2/memory/1900-2-0x0000000004F40000-0x0000000004FE0000-memory.dmp
- behavioral2/memory/1900-3-0x0000000000400000-0x00000000032A4000-memory.dmp
- behavioral2/memory/1900-111-0x0000000000400000-0x00000000032A4000-memory.dmp
- behavioral2/memory/1900-220-0x0000000000400000-0x00000000032A4000-memory.dmp
- behavioral2/memory/1900-222-0x0000000004F40000-0x0000000004FE0000-memory.dmp

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: f295b6024d248163f14b87bc6aed9db5_JaffaCakes118.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: f295b6024d248163f14b87bc6aed9db5_JaffaCakes118.exe)

Suspicious use of FindShellTrayWindow (2 IoCs)
- PID 1900: f295b6024d248163f14b87bc6aed9db5_JaffaCakes118.exe
- PID 1900: f295b6024d248163f14b87bc6aed9db5_JaffaCakes118.exe
Processes
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Temp\VpesB8i3H\_Files\_Information.txt
Filesize: 1KB
MD5: 857c6a6a4f264665f4c31046362f3c4a
SHA1: b4e24b68b804158cee1750c1ca00e170d57cb1ef
SHA256: 296083cf654b98ecce0e4eeaccca61b4931d8daeb981e49589ec8f10e4c864a6
SHA512: bd421a7feb20bbc1033c73c96a78c9637b50203ef62c308263f69112908f925d0c0e00e46ed4b88dccadcbe4f7a119e82dd0b120faceb3c15a80bec76f02d5d5

C:\Users\Admin\AppData\Local\Temp\VpesB8i3H\_Files\_Information.txt
Filesize: 4KB
MD5: b45adb49924f7e89961a5583fd555771
SHA1: 02fa03ef4f9631f083e63b2531ee88646a2472e6
SHA256: 1bea253db3c57bcadb2be4100134b8460b6865cdfd158d017b37b0c3c38813ca
SHA512: faf9a0bd2dab38e65917ff91894070d283b60b578b57c09b984290070ab569a53760c5c5198e0ca5a6685dbbe9132b27c5221a436bd52f7b467fa0156d98e310

C:\Users\Admin\AppData\Local\Temp\VpesB8i3H\_Files\_Screen_Desktop.jpeg
Filesize: 50KB
MD5: c04c65fdb9fed32de09cfa5aeb8fc475
SHA1: 4a90c9fb2b73990e501424ceaa3341ed40598a32
SHA256: 7aba1dd1c21195f5214b830fe4bcbd15cc81ac2af15a88c6c51b42419b9adc50
SHA512: 9053877d021ab91de3a3b3140813c0e53e925d6e3423b38ca2c4ba441a3092d4516937ed04ac311aee219625f7d054915f11373f03aecfbdf47fe67d5fef2c8b

C:\Users\Admin\AppData\Local\Temp\VpesB8i3H\ehvaK2GAcJX.zip
Filesize: 44KB
MD5: 789337889c364137f7a5ba7880cdf672
SHA1: bbb923cf720d14f55a589d81e07fd10612287457
SHA256: c580c1b4763f0feb4984cc6e1b694cc3c23491d7fb8c4469596508bac709d245
SHA512: 3cd7809ffea365f6e3ec9cd097ac4d09515bcdf207241c478ef8be723b127c5ddd76ca5cc6a6e0da5801539f866c940339f2cdc0a24a20893adc08a72b91a3af

C:\Users\Admin\AppData\Local\Temp\VpesB8i3H\files_\system_info.txt
Filesize: 7KB
MD5: 9693f093154d6c40527891f216f6ad43
SHA1: 55c26700da7b4b93620eea2484955b5199f9d57c
SHA256: 3a84eeef28cef7fe91e3050e5cafba6eb6f40bbb3ff97004d8ab1aa698a39005
SHA512: 997d26233ba92af3f10ce7d51ccd9c26039cdd82cd79e943622da6b92257274b598d0d6c7fc2f27113f9fae072a8515aba7eb1726f72730d670b3d1ddce7965f

C:\Users\Admin\AppData\Local\Temp\VpesB8i3H\zXKnjAgy0MQ6U.zip
Filesize: 44KB
MD5: c2d06e1569041214efe7e307c749a682
SHA1: a6577201b6344c10fe176457de4cdf0b407c84ad
SHA256: 01f08d8844d703bb87f940191969e8ef58fbb1dfb6d3c3c22dcd63f104cbdbdd
SHA512: 2d9dd368cff775ac30043a2d9d5316c50cd9b6bec39f5dae00383d82e0d21bddedb911bd9a5ec8e721f8c7185c913556598787f57cc18dcb2179f378f9c058f6

memory/1900-111-0x0000000000400000-0x00000000032A4000-memory.dmp
Filesize: 46.6MB

memory/1900-1-0x0000000003310000-0x0000000003410000-memory.dmp
Filesize: 1024KB

memory/1900-220-0x0000000000400000-0x00000000032A4000-memory.dmp
Filesize: 46.6MB

memory/1900-221-0x0000000003310000-0x0000000003410000-memory.dmp
Filesize: 1024KB

memory/1900-222-0x0000000004F40000-0x0000000004FE0000-memory.dmp
Filesize: 640KB

memory/1900-3-0x0000000000400000-0x00000000032A4000-memory.dmp
Filesize: 46.6MB

memory/1900-2-0x0000000004F40000-0x0000000004FE0000-memory.dmp
Filesize: 640KB
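The behaviours listed under Signatures (CentralProcessor key lookup, Uninstall-key enumeration, browser-profile and wallet access) and the loot-staging layout visible in the Downloads list (a random directory under %TEMP% holding _Files\, files_\ and .zip archives) can be combined into one host-side detection that does not rely on the YARA rule. The script below is an added example, not part of this report and not any sandbox vendor's code. Its event tuple format, the benign inventory process with PID 4242, the Chrome and wallet file paths, and the rule weights are all constructed for illustration, modelled on the IoCs above; PID 1900 mirrors the sample's observed activity.

```python
"""Composite infostealer scoring over process telemetry.

Added example, not part of the sandbox report.  Each process is scored on the
behaviours the report's signatures describe, plus the %TEMP%\\<random>\\
staging layout seen in the dropped-file list.  The (pid, event_type, target)
tuple format and SAMPLE_EVENTS are constructed for this example and are not a
real sandbox or EDR log format.
"""
import re
from collections import defaultdict

# Constructed telemetry.  PID 1900 reproduces the report's registry and file
# IoCs; PID 4242 is a hypothetical benign inventory tool that touches the same
# CPU and Uninstall keys but collects nothing.
SAMPLE_EVENTS = [
    (1900, "RegOpenKey",    r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0"),
    (1900, "RegQueryValue", r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"),
    (1900, "RegEnumKey",    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"),
    (1900, "FileRead",      r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (1900, "FileRead",      r"C:\Users\Admin\AppData\Roaming\Bitcoin\wallet.dat"),
    (1900, "FileCreate",    r"C:\Users\Admin\AppData\Local\Temp\VpesB8i3H\_Files\_Information.txt"),
    (1900, "FileCreate",    r"C:\Users\Admin\AppData\Local\Temp\VpesB8i3H\files_\system_info.txt"),
    (1900, "FileCreate",    r"C:\Users\Admin\AppData\Local\Temp\VpesB8i3H\ehvaK2GAcJX.zip"),
    (4242, "RegQueryValue", r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"),
    (4242, "RegEnumKey",    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"),
]

# (name, weight, event types, case-insensitive regex on the target path).
# Weights are an assumption of this example: recon keys are weak signals that
# legitimate software also produces; credential and wallet reads are strong.
RULES = [
    ("checks_processor_info", 1, {"RegOpenKey", "RegQueryValue"},
     r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0(\\ProcessorNameString)?$"),
    ("enumerates_installed_software", 1, {"RegOpenKey", "RegEnumKey"},
     r"\\SOFTWARE\\(WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Uninstall"),
    ("reads_browser_data", 3, {"FileOpen", "FileRead"},
     r"\\User Data\\[^\\]+\\(Login Data|Cookies|Web Data|History)$"),
    ("accesses_crypto_wallet", 3, {"FileOpen", "FileRead"},
     r"\\(Bitcoin\\wallet\.dat|Exodus\\exodus\.wallet|Electrum\\wallets)"),
    ("stages_loot_in_temp", 2, {"FileCreate", "FileWrite"},
     r"\\AppData\\Local\\Temp\\[^\\]+\\(_Files\\|files_\\|[^\\]+\.zip$)"),
]
WEIGHTS = {name: weight for name, weight, _, _ in RULES}
# Rules that indicate data actually being collected, not just host recon.
COLLECTION = {"reads_browser_data", "accesses_crypto_wallet"}


def score_processes(events):
    """Return {pid: {"score": int, "hits": [rule names]}} for every pid with a hit."""
    hits = defaultdict(set)
    for pid, event_type, target in events:
        for name, _weight, event_types, pattern in RULES:
            if event_type in event_types and re.search(pattern, target, re.IGNORECASE):
                hits[pid].add(name)
    return {pid: {"score": sum(WEIGHTS[n] for n in names), "hits": sorted(names)}
            for pid, names in hits.items()}


def verdict(summary, threshold=5):
    """Classify one process summary.

    A collection behaviour is required for a positive verdict: inventory and
    licensing tools read the CPU and Uninstall keys too, so recon alone must
    never cross the threshold on its own.
    """
    collected = COLLECTION & set(summary["hits"])
    if collected and summary["score"] >= threshold:
        return "infostealer_suspected"
    if collected:
        return "review"
    return "benign_or_inventory"


if __name__ == "__main__":
    for pid, summary in sorted(score_processes(SAMPLE_EVENTS).items()):
        print(pid, verdict(summary), summary["score"], ", ".join(summary["hits"]))
```

Run as a script it prints one line per PID; PID 1900 trips all five rules and is flagged, while PID 4242 scores only the two recon rules and stays benign. Feeding real Sysmon or EDR events only requires mapping them onto the (pid, event_type, target) tuples; the patterns themselves are written against the path forms the report shows.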