Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-04-2024 23:23
- Static task: static1
- Behavioral task: behavioral1
- Sample: fb660cd8294a2f697bc610d746833d91_JaffaCakes118.exe
- Resource: win7-20240220-en
General
- Target: fb660cd8294a2f697bc610d746833d91_JaffaCakes118.exe
- Size: 760KB
- MD5: fb660cd8294a2f697bc610d746833d91
- SHA1: e9cfc83ec806592a49bd094e2bbc07c937e0c9e2
- SHA256: 28877275c2c938f24cd0bf43f2c0cef090c58b7a85a988b2f6dff4970660b07d
- SHA512: 10da1e75c4aeb3df811dd22a2da4528227f8d7350bfa5992ef6cc4f3f8822e2c7ffdf897040635c1476f95b0112f13376be7cb849a8dea81455db73056329c92
- SSDEEP: 12288:n0JPFOR1iusUfrhWlR7b00lfTu+PaOpGEIyl+fnbKx/Dpclca1lUSvsNdH1GXiD:KOR1iusUT0L7fTuMNuydFaYSgHcXi
Malware Config
Extracted
- Family: cryptbot
- ewaisg12.top
- morvay01.top
- payload_url: http://winezo01.top/download.php?file=lv.exe
Signatures
- CryptBot payload (4 IoCs)
  Processes:
    resource: behavioral2/memory/1284-2-0x0000000002140000-0x0000000002221000-memory.dmp; yara_rule: family_cryptbot
    resource: behavioral2/memory/1284-3-0x0000000000400000-0x00000000004E5000-memory.dmp; yara_rule: family_cryptbot
    resource: behavioral2/memory/1284-223-0x0000000000400000-0x00000000004E5000-memory.dmp; yara_rule: family_cryptbot
    resource: behavioral2/memory/1284-233-0x0000000002140000-0x0000000002221000-memory.dmp; yara_rule: family_cryptbot
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation; process: fb660cd8294a2f697bc610d746833d91_JaffaCakes118.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  Processes:
    pid: 4796 (WerFault.exe); pid_target: 1284 (fb660cd8294a2f697bc610d746833d91_JaffaCakes118.exe)
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description: Key opened; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0; process: fb660cd8294a2f697bc610d746833d91_JaffaCakes118.exe
    description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString; process: fb660cd8294a2f697bc610d746833d91_JaffaCakes118.exe
- Delays execution with timeout.exe (1 IoC)
  Processes:
    pid: 4084 (timeout.exe)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
    pid: 1284 (fb660cd8294a2f697bc610d746833d91_JaffaCakes118.exe)
    pid: 1284 (fb660cd8294a2f697bc610d746833d91_JaffaCakes118.exe)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description: PID 1284 wrote to memory of 1272; process: fb660cd8294a2f697bc610d746833d91_JaffaCakes118.exe (1284); target process: cmd.exe
    description: PID 1284 wrote to memory of 1272; process: fb660cd8294a2f697bc610d746833d91_JaffaCakes118.exe (1284); target process: cmd.exe
    description: PID 1284 wrote to memory of 1272; process: fb660cd8294a2f697bc610d746833d91_JaffaCakes118.exe (1284); target process: cmd.exe
    description: PID 1272 wrote to memory of 4084; process: cmd.exe (1272); target process: timeout.exe
    description: PID 1272 wrote to memory of 4084; process: cmd.exe (1272); target process: timeout.exe
    description: PID 1272 wrote to memory of 4084; process: cmd.exe (1272); target process: timeout.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\fb660cd8294a2f697bc610d746833d91_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fb660cd8294a2f697bc610d746833d91_JaffaCakes118.exe"
  - Checks computer location settings
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\vIHNdGSqGWE & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\fb660cd8294a2f697bc610d746833d91_JaffaCakes118.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 3
      - Delays execution with timeout.exe
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 1400
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1284 -ip 1284
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads