Analysis

  • max time kernel: 146s
  • max time network: 155s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240412-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 18-04-2024 09:38

General

  • Target: f7ba2efd987b381e0c29b0984e5e70c7_JaffaCakes118.exe
  • Size: 3.0MB
  • MD5: f7ba2efd987b381e0c29b0984e5e70c7
  • SHA1: ca58a2b25db53350c7d34b87dad0de9c502efdb0
  • SHA256: 1841b6808fba0d7a5e5797f22e59a909e585224a34e00addb748e72c65df834b
  • SHA512: caff94b299b055245863ff990922501be0195e9f7cb5c38dd253411d139c581e42b42d23e544c8f548a4f1a7009e21acb22c17a244bbfb5dfce8bcf65511739b
  • SSDEEP: 49152:gwK0mNLHT37jEl2urpN719dc3j4QAxUHfNubfqB0YluIBbiSVXYJvo5u1qyIstm5:81TradNlc3kQUUlWfqmyuInxuqVyJti

Malware Config

Extracted

  • Family: cryptbot
  • C2: fokwit54.top, morfiw05.top
  • Attributes
    • payload_url: http://nybpic07.top/download.php?file=lv.exe

Signatures

  • CryptBot
    A C++ stealer that is widely distributed bundled with other software.
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  • Checks BIOS information in registry (2 TTPs, 2 IoCs)
    BIOS information is often read in order to detect sandboxing environments.
  • Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials etc.
  • Themida packer (11 IoCs)
    Detects Themida, an advanced Windows software protection system.
  • Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
  • Checks installed software on the system (1 TTP)
    Looks up Uninstall key entries in the registry to enumerate software on the system.
  • Checks whether UAC is enabled (1 TTP, 1 IoC)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Checks processor information in registry (2 TTPs, 2 IoCs)
    Processor information is often read in order to detect sandboxing environments.
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of FindShellTrayWindow (2 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\f7ba2efd987b381e0c29b0984e5e70c7_JaffaCakes118.exe (PID 4196)
    Command line: "C:\Users\Admin\AppData\Local\Temp\f7ba2efd987b381e0c29b0984e5e70c7_JaffaCakes118.exe"
    Signatures triggered by this process:
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow

Network

MITRE ATT&CK Matrix (ATT&CK v13; hit count in parentheses)

  • Defense Evasion
    • T1497 Virtualization/Sandbox Evasion (1)
  • Credential Access
    • T1552 Unsecured Credentials (2)
    • T1552.001 Credentials In Files (2)
  • Discovery
    • T1012 Query Registry (4)
    • T1497 Virtualization/Sandbox Evasion (1)
    • T1082 System Information Discovery (4)
  • Collection
    • T1005 Data from Local System (2)


Downloads

  • C:\Users\Admin\AppData\Local\Temp\bIQGaInd\_Files\_Information.txt (1KB)
    MD5: 4a94d8e0d4623aa84f03eb292de1e5b8
    SHA1: 4b2ece6483d012c5e35a64177b95410fe8f30c98
    SHA256: 03f3189723c71dc7044fc0b37d234e6f7dd0e8943f29b510554c3b9f5e10c774
    SHA512: f2dcdc6356bd3705a7824df2cf56c20d1c9de6ddf04cccf3def19c5b867422d56d44a4a80c1a9306f6b8496e70d2f6a46c42b1b712f1b6c6afdcbdabb187b8b4

  • C:\Users\Admin\AppData\Local\Temp\bIQGaInd\_Files\_Information.txt (1KB)
    MD5: 9abdffdc863235367c2180766e373adb
    SHA1: e404b4ff4bda0d20483672f99a3719c0be645f1e
    SHA256: 2749d1ce5558683d1af51a5f21c1cf45069dc9b57980249a5158b466f590a80a
    SHA512: 830479093aa23650a464f358a40550ec58b27b5f6caddd8190fea896d976567914e365e13013fb2e075d4d53dfe57c8abd9e97efd4cb7d9dcea77ddd843bdadc

  • C:\Users\Admin\AppData\Local\Temp\bIQGaInd\_Files\_Information.txt (3KB)
    MD5: e33b7b9d308ee26d27a3828541575b97
    SHA1: 445ec98857ccc64c00e54e4d17ee33ff50792771
    SHA256: 98eedbe59a6964d3cae380379f51c10f6e379153ed8dea001c1a2f0626ca5720
    SHA512: 4c0ef40186e18abba8ec417779bea54a7a2b08f53ebf0c6a602110dec57f9aa4a9290e51213df7e7ae90f81ae1791a83c1d0a0344c12229d57dee51d8d3fc261

  • C:\Users\Admin\AppData\Local\Temp\bIQGaInd\_Files\_Information.txt (5KB)
    MD5: 9491b3fb13eef6cc9649b8df909728c5
    SHA1: 41b9df6d1a66261326b4e876830d11b13e10c37e
    SHA256: d2e4823f6a46728962602a30e0ee01ed03dbac1f7a1fa66738a79649cd7f8ca0
    SHA512: f9e7adea32bc3bdafb4ce50d540b06bfac7a9d82cfa128cb52724871a9f266f2f42a7a70dde75613fb9ac0c2f1c10846b605e2960153fe3db3ff7ea3ccb6e242

  • C:\Users\Admin\AppData\Local\Temp\bIQGaInd\_Files\_Screen_Desktop.jpeg (53KB)
    MD5: 32ae8d7f91838d904158c1cb3729cc07
    SHA1: a3e69b452fa8a236b1cbbd6aa457a16e72c60459
    SHA256: dc44a6b312b36c811f57766ce83e4798234a972f437fd9acf73e014065ca28a2
    SHA512: 58e245126273fab31e1db61db087fb29ff8a38af9beeac48dbcb0c467909728ed5c99ea331cb56f24c5267cd952a362f8e254543ad12cd125b4faa6a028ee0fc

  • C:\Users\Admin\AppData\Local\Temp\bIQGaInd\files_\system_info.txt (1KB)
    MD5: 113635b3697b6d66bc7470139f2b026e
    SHA1: 4654c5f46feebbc398468777dabfcadfd8dde7fc
    SHA256: c7a3242ca7aea2de81a20420dcfd97fdd7a48e8b7c285de51ea7d0a7c11316f7
    SHA512: fed8d06c8ab06754ffa6640eb53c34d8d3526362f29a099ed645195de232ebf7212d55ae029c986a181e318f40ebb497cc95aa767264d975c61476f59006f319

  • C:\Users\Admin\AppData\Local\Temp\bIQGaInd\files_\system_info.txt (1KB)
    MD5: f0fe8cf937c76ec5a4faa8c96d84b1c2
    SHA1: 603d93a6066be12edbea4adf00fe09d095b60e2b
    SHA256: d470e8f54ddf9c0775275ed9c2eb82a80cc80d7863aa98be216b47a68e22dc54
    SHA512: 3483b0157454c8ef4014d6aa7838308ff4b58efa0becd713a0a59cc2217b53c935d857b2129177a5a233f83c73b007ed7dd2f82d6383cb86732ee04adf09c08d

  • C:\Users\Admin\AppData\Local\Temp\bIQGaInd\files_\system_info.txt (7KB)
    MD5: c4b935785b46f380cfaa633dc7befe60
    SHA1: 4c2b764128810d8bedafd6ba2176bbb0d775316d
    SHA256: 4f38921392eb7dcd9326eae4dd2eed703b1f3c49e4c4a21f18faa962f4d0fe48
    SHA512: 42549d981a41cd9d23b7497a55b1cbc3a314550ec8965ac02433786d90ba693ab046267586fbe7a6b287b9ded665a999c6fb3be6f40d6b8733ffca8da8ceb967

  • C:\Users\Admin\AppData\Local\Temp\bIQGaInd\pVcTYoMoNICFD.zip (48KB)
    MD5: c126c02d842d84a4ddc809f0be36131d
    SHA1: e5dfd51040909632b2721d51f2943e4f6ded17cb
    SHA256: 3d66ec15cd8324845083a1ebdf04c5c17fdde1b6f0ecff18ee74bb953d107688
    SHA512: 7bee24dfa6ad8afefeeb20c539e5f156b5967b64b4669e8fcf582f7e974d4e5ea0658f04d4f6de508e954655a41bd615c8fe5b404e9472de27c00f6da7e519cc

  Memory dumps of PID 4196 (listed in dump order):
  • memory/4196-0-0x0000000000910000-0x00000000010A1000-memory.dmp (7.6MB)
  • memory/4196-1-0x00000000778A4000-0x00000000778A6000-memory.dmp (8KB)
  • memory/4196-2-0x0000000000910000-0x00000000010A1000-memory.dmp (7.6MB)
  • memory/4196-3-0x0000000000910000-0x00000000010A1000-memory.dmp (7.6MB)
  • memory/4196-4-0x0000000000910000-0x00000000010A1000-memory.dmp (7.6MB)
  • memory/4196-5-0x0000000000910000-0x00000000010A1000-memory.dmp (7.6MB)
  • memory/4196-6-0x0000000000910000-0x00000000010A1000-memory.dmp (7.6MB)
  • memory/4196-7-0x0000000000910000-0x00000000010A1000-memory.dmp (7.6MB)
  • memory/4196-8-0x0000000000910000-0x00000000010A1000-memory.dmp (7.6MB)
  • memory/4196-220-0x0000000000910000-0x00000000010A1000-memory.dmp (7.6MB)
  • memory/4196-226-0x0000000000910000-0x00000000010A1000-memory.dmp (7.6MB)
  • memory/4196-235-0x0000000000910000-0x00000000010A1000-memory.dmp (7.6MB)