Analysis
- max time kernel: 147s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 16-04-2024 04:57
Static task: static1
Behavioral task: behavioral1
- Sample: f2bd0df5311675a26219beb6a7ecf4c3_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: f2bd0df5311675a26219beb6a7ecf4c3_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
- Target: f2bd0df5311675a26219beb6a7ecf4c3_JaffaCakes118.exe
- Size: 1.5MB
- MD5: f2bd0df5311675a26219beb6a7ecf4c3
- SHA1: a7bd8e4857dfbb5186f822868422a25628c8981c
- SHA256: 20f73e57b047b1b45f2537f0780b17cd5ad2324a60bacfd05ebf796f8ff51da3
- SHA512: 756052c3ddce25b2987464d01f2532ecd1b876ee279a2ac6c09cb725819bcfcb986dc1ad029747ccef27ab284c25c252151f9fb5ceecaa6b6d6fe7f7075bf14d
- SSDEEP: 24576:KGFBn/Vm6itNg/LpSxvsfC3KIZGhbOvYbCXOg8EpGw65lMuwDS14fbUaEmAlUEFn:FFBnNmlCjoxZZdvYbCXOTzwWvwG10bC+
Malware Config
Extracted
- cryptbot
- ewazda75.top
- moraiw07.top
- payload_url: http://winfyn10.top/download.php?file=lv.exe
Signatures
- CryptBot payload (5 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/2692-28-0x0000000003AB0000-0x0000000003B53000-memory.dmp | family_cryptbot
  behavioral1/memory/2692-30-0x0000000003AB0000-0x0000000003B53000-memory.dmp | family_cryptbot
  behavioral1/memory/2692-29-0x0000000003AB0000-0x0000000003B53000-memory.dmp | family_cryptbot
  behavioral1/memory/2692-31-0x0000000003AB0000-0x0000000003B53000-memory.dmp | family_cryptbot
  behavioral1/memory/2692-251-0x0000000003AB0000-0x0000000003B53000-memory.dmp | family_cryptbot
- Executes dropped EXE (2 IoCs)
  Processes:
  pid | process
  2648 | Obliare.exe.com
  2692 | Obliare.exe.com
- Loads dropped DLL (2 IoCs)
  Processes:
  pid | process
  2516 | cmd.exe
  2648 | Obliare.exe.com
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | f2bd0df5311675a26219beb6a7ecf4c3_JaffaCakes118.exe
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Obliare.exe.com
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Obliare.exe.com
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
  pid | process
  2692 | Obliare.exe.com
  2692 | Obliare.exe.com
- Suspicious use of WriteProcessMemory (28 IoCs)
  Processes:
  description | pid | process | target process
  PID 2868 wrote to memory of 2892 | 2868 | f2bd0df5311675a26219beb6a7ecf4c3_JaffaCakes118.exe | dllhost.exe
  PID 2868 wrote to memory of 2892 | 2868 | f2bd0df5311675a26219beb6a7ecf4c3_JaffaCakes118.exe | dllhost.exe
  PID 2868 wrote to memory of 2892 | 2868 | f2bd0df5311675a26219beb6a7ecf4c3_JaffaCakes118.exe | dllhost.exe
  PID 2868 wrote to memory of 2892 | 2868 | f2bd0df5311675a26219beb6a7ecf4c3_JaffaCakes118.exe | dllhost.exe
  PID 2868 wrote to memory of 2500 | 2868 | f2bd0df5311675a26219beb6a7ecf4c3_JaffaCakes118.exe | cmd.exe
  PID 2868 wrote to memory of 2500 | 2868 | f2bd0df5311675a26219beb6a7ecf4c3_JaffaCakes118.exe | cmd.exe
  PID 2868 wrote to memory of 2500 | 2868 | f2bd0df5311675a26219beb6a7ecf4c3_JaffaCakes118.exe | cmd.exe
  PID 2868 wrote to memory of 2500 | 2868 | f2bd0df5311675a26219beb6a7ecf4c3_JaffaCakes118.exe | cmd.exe
  PID 2500 wrote to memory of 2516 | 2500 | cmd.exe | cmd.exe
  PID 2500 wrote to memory of 2516 | 2500 | cmd.exe | cmd.exe
  PID 2500 wrote to memory of 2516 | 2500 | cmd.exe | cmd.exe
  PID 2500 wrote to memory of 2516 | 2500 | cmd.exe | cmd.exe
  PID 2516 wrote to memory of 2536 | 2516 | cmd.exe | findstr.exe
  PID 2516 wrote to memory of 2536 | 2516 | cmd.exe | findstr.exe
  PID 2516 wrote to memory of 2536 | 2516 | cmd.exe | findstr.exe
  PID 2516 wrote to memory of 2536 | 2516 | cmd.exe | findstr.exe
  PID 2516 wrote to memory of 2648 | 2516 | cmd.exe | Obliare.exe.com
  PID 2516 wrote to memory of 2648 | 2516 | cmd.exe | Obliare.exe.com
  PID 2516 wrote to memory of 2648 | 2516 | cmd.exe | Obliare.exe.com
  PID 2516 wrote to memory of 2648 | 2516 | cmd.exe | Obliare.exe.com
  PID 2516 wrote to memory of 2588 | 2516 | cmd.exe | PING.EXE
  PID 2516 wrote to memory of 2588 | 2516 | cmd.exe | PING.EXE
  PID 2516 wrote to memory of 2588 | 2516 | cmd.exe | PING.EXE
  PID 2516 wrote to memory of 2588 | 2516 | cmd.exe | PING.EXE
  PID 2648 wrote to memory of 2692 | 2648 | Obliare.exe.com | Obliare.exe.com
  PID 2648 wrote to memory of 2692 | 2648 | Obliare.exe.com | Obliare.exe.com
  PID 2648 wrote to memory of 2692 | 2648 | Obliare.exe.com | Obliare.exe.com
  PID 2648 wrote to memory of 2692 | 2648 | Obliare.exe.com | Obliare.exe.com
Processes
- C:\Users\Admin\AppData\Local\Temp\f2bd0df5311675a26219beb6a7ecf4c3_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f2bd0df5311675a26219beb6a7ecf4c3_JaffaCakes118.exe"
  Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\dllhost.exe
    Command line: dllhost.exe
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c cmd < Tese.cda
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd
      Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\findstr.exe
        Command line: findstr /V /R "^SkrprNmxsapVXgwQJIfBGsUyrxvnNVjZIUgrROXCmqXbKCPONriyOFRAsXuJsqHvuphrqXYVLNeFxvcAEILJNukeeNMTIhknzBsAgMNPyjzqDkuV$" Far.cda
      - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Obliare.exe.com
        Command line: Obliare.exe.com q
        Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Obliare.exe.com
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Obliare.exe.com q
          Signatures: Executes dropped EXE; Checks processor information in registry; Suspicious use of FindShellTrayWindow
      - C:\Windows\SysWOW64\PING.EXE
        Command line: ping localhost -n 30
        Signatures: Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Far.cda
  Filesize: 872KB
  MD5: e8965baeaf038d5abe64c8eb90cc3e19
  SHA1: d1e45c2432106e09625c70f0d3c456fca26132ff
  SHA256: b6d20957a61943a9bc2f6ace4170a5c631c774e35d22382cc6f60c39514ffbae
  SHA512: 1f4eda3751d27df9b702ce6a1c1471307a3e7947ff9959ea895fab19d34057e68868d6e93712bfe3aa4ef8cab663c13c51a04412de6173a7c4f87db5d4d1e333
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sogni.cda
  Filesize: 634KB
  MD5: 33ea431acdc54eb20055057f41e6fc6e
  SHA1: efdc7197e542a048873b464640abf48bde6e0855
  SHA256: 39afe9026b4c30249948f45bb4a1fcadba83642b5af0e7da03583ef58a8e10d1
  SHA512: 59b1dc7ca075c14520068bd9eadcbb6c561b182190671edc1b3f0426db7e4d95e4e950b1aa788b52386f96d2ddb523a6c447ddb6b6b8757fb16f0bec612e1567
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Splendore.cda
  Filesize: 745KB
  MD5: 1bbdc57424a53f6a10b2692db95066a8
  SHA1: 1ce47faa742a4312abd9ee1d6e67ad04b45afae2
  SHA256: 4ca0f711bdef0fdcd6dfc84fa03189555afe30e7c335a243e89bf702d9892e46
  SHA512: 9dc675231c47bcb3d60c054f72a1c198cc490f88ed49f781bb679166913694782b43d732107738fb99cb2a74c90fd84503c19dcb10a0971518061af8cc956d4b
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tese.cda
  Filesize: 459B
  MD5: 05e2ab200a15fe20d618c59990c8b9f3
  SHA1: ceb19d0006b3372187582f880242fb718046fc8a
  SHA256: bdc88dfbfe456b5b1c21bd69e8588654e7a7c2105f740cade301e0f91a5795db
  SHA512: 1a3f3538aaea1092ad6fe1c633f8dbe5e669cf88bf3f750c82d517713011387da3a76e4c8fd8c3a355decb4e1b532bb22f852e5ddb4b9d6b74c0090ab806d332
- C:\Users\Admin\AppData\Local\Temp\xl1gUwl\_Files\_Information.txt
  Filesize: 8KB
  MD5: 29f4cabb3977d2a6afbd4e9797d51c2a
  SHA1: 7451a91eb6f29b9d80afa6fadd7ea076ebc2bc85
  SHA256: 9ead3b76ba7d2a9ce3974b46e5cd49cac8dbd10ad02526d71985e97476165398
  SHA512: 237b94da5e29e653832238492eac349e3f36ca58c9f2f4c8812e5299277332f7c99b7a1751cc0aa7873369114ab6b3fa6d25eb158683b327e68ae746f0b1610e
- C:\Users\Admin\AppData\Local\Temp\xl1gUwl\_Files\_Screen_Desktop.jpeg
  Filesize: 46KB
  MD5: 42d6fff7668a4d04d71cbddec33d6375
  SHA1: 666b6b2957a705eb025939dc98f7108c4eee4275
  SHA256: 9425b8513a1084bd9673ff001040251f6542d431ed1a456cd78a8e3fa2405777
  SHA512: 1e0f8d8bafc82ed81f52385f8a41e60475a71a1087c5c3ef2c928346b4a591415380ae91d317456430332c2d02361a390c6b43a96ddfe164915b84a9aa6505ef
- C:\Users\Admin\AppData\Local\Temp\xl1gUwl\files_\system_info.txt
  Filesize: 696B
  MD5: 7eb8596b07f16e34807211b691dca44e
  SHA1: 671810f83020cee65f10af10d066d8b84698a989
  SHA256: 18c11675255e79d371cbd63fff9e3452d0b8902e995c4ddd6bc8929c424afc34
  SHA512: e0e2d99e436bc7714e7068405ca0a9ba0701753e9c560f786691a56e16ec9a015fa49c294e8ae6484bad566560d9bbec010aa4eb9fc876736bce60387dbc449c
- C:\Users\Admin\AppData\Local\Temp\xl1gUwl\files_\system_info.txt
  Filesize: 4KB
  MD5: bb298be6bd096801f720278876c6032b
  SHA1: 7f0815e57e4a7d00082f3195429998930f0de52c
  SHA256: 04fec950cc359c3d072c4c728d9f92880690a6576d261a4743db777119d29dbb
  SHA512: 8a0e3c3dc31274a19c1914530d8b9d5c4cc38dfeec8e74212d91835a7177fd8d4ca1acefb02b988f5066125fe583587e65773522131e9c1494282cad6c1a9b79
- C:\Users\Admin\AppData\Local\Temp\xl1gUwl\gpPe54FN1r5.zip
  Filesize: 39KB
  MD5: e6b41675ac7c33e82936c0e59c257461
  SHA1: 04e3aabdb59eba3311ec78a34cb3e1bbb2838daf
  SHA256: 7e5239411a193dcc5c2bca0b44e28b3e24d56e94d87f16dc733580d70c312d32
  SHA512: 2f258c455016f3fea8643d421f99c659bf4e3e8ed328917c3ef07be77dc2d2ce2b439db032be6e904cac7611488a9feddcc4098950895a549dee739a2fc72d1c
- \Users\Admin\AppData\Local\Temp\IXP000.TMP\Obliare.exe.com
  Filesize: 872KB
  MD5: c56b5f0201a3b3de53e561fe76912bfd
  SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
- memory/2692-24-0x00000000001D0000-0x00000000001D1000-memory.dmp
  Filesize: 4KB
- memory/2692-29-0x0000000003AB0000-0x0000000003B53000-memory.dmp
  Filesize: 652KB
- memory/2692-31-0x0000000003AB0000-0x0000000003B53000-memory.dmp
  Filesize: 652KB
- memory/2692-32-0x00000000007F0000-0x00000000007F1000-memory.dmp
  Filesize: 4KB
- memory/2692-30-0x0000000003AB0000-0x0000000003B53000-memory.dmp
  Filesize: 652KB
- memory/2692-28-0x0000000003AB0000-0x0000000003B53000-memory.dmp
  Filesize: 652KB
- memory/2692-27-0x0000000003AB0000-0x0000000003B53000-memory.dmp
  Filesize: 652KB
- memory/2692-26-0x0000000003AB0000-0x0000000003B53000-memory.dmp
  Filesize: 652KB
- memory/2692-251-0x0000000003AB0000-0x0000000003B53000-memory.dmp
  Filesize: 652KB
- memory/2692-252-0x00000000007F0000-0x00000000007F1000-memory.dmp
  Filesize: 4KB
- memory/2692-25-0x0000000003AB0000-0x0000000003B53000-memory.dmp
  Filesize: 652KB