Analysis
- max time kernel: 148s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-04-2024 01:50
- Static task: static1
- Behavioral task: behavioral1
  - Sample: f93df5b9d273ec9921943e36de014dfc_JaffaCakes118.exe
  - Resource: win7-20240221-en
General
- Target: f93df5b9d273ec9921943e36de014dfc_JaffaCakes118.exe
- Size: 759KB
- MD5: f93df5b9d273ec9921943e36de014dfc
- SHA1: 95d42a9e6c989ebd15b24c2ae997b142f5c063cd
- SHA256: 194c939150cd885553cc6e02f1c8dbe5fb7bf327556245d76d6ea165ec959670
- SHA512: 4fd5fbc6cd08367de3bbf71d05dd5ef0dd205ee8655b4511ff6249db2d47870a8173fee158a66bab55d8bcf5c02cb4f402584d23274fd8184d24264657e60cf0
- SSDEEP: 12288:afyWzL1hFtK0pMQS3NRLSbL/3PiSQ9GLLsHBsVIdEJ6p206Z0yY9qigKekeqn/:sL1hFtK+9vPc9G4BsZP0RyABePqn/
Malware Config
- Extracted: cryptbot
  - smarew72.top
  - moriwi07.top
- payload_url: http://guruzo10.top/download.php?file=lv.exe
Signatures
- CryptBot payload (4 IoCs)
  Processes (resource | yara_rule):
  behavioral2/memory/3900-2-0x00000000022C0000-0x00000000023A1000-memory.dmp | family_cryptbot
  behavioral2/memory/3900-3-0x0000000000400000-0x00000000004E5000-memory.dmp | family_cryptbot
  behavioral2/memory/3900-223-0x0000000000400000-0x00000000004E5000-memory.dmp | family_cryptbot
  behavioral2/memory/3900-232-0x00000000022C0000-0x00000000023A1000-memory.dmp | family_cryptbot
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Control Panel\International\Geo\Nation | f93df5b9d273ec9921943e36de014dfc_JaffaCakes118.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  Processes (pid | pid_target | process | target process):
  4652 | 3900 | WerFault.exe | f93df5b9d273ec9921943e36de014dfc_JaffaCakes118.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | f93df5b9d273ec9921943e36de014dfc_JaffaCakes118.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | f93df5b9d273ec9921943e36de014dfc_JaffaCakes118.exe
- Delays execution with timeout.exe (1 IoC)
  Processes (pid | process):
  4712 | timeout.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes (pid | process):
  3900 | f93df5b9d273ec9921943e36de014dfc_JaffaCakes118.exe
  3900 | f93df5b9d273ec9921943e36de014dfc_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description | pid | process | target process):
  PID 3900 wrote to memory of 4248 | 3900 | f93df5b9d273ec9921943e36de014dfc_JaffaCakes118.exe | cmd.exe
  PID 3900 wrote to memory of 4248 | 3900 | f93df5b9d273ec9921943e36de014dfc_JaffaCakes118.exe | cmd.exe
  PID 3900 wrote to memory of 4248 | 3900 | f93df5b9d273ec9921943e36de014dfc_JaffaCakes118.exe | cmd.exe
  PID 4248 wrote to memory of 4712 | 4248 | cmd.exe | timeout.exe
  PID 4248 wrote to memory of 4712 | 4248 | cmd.exe | timeout.exe
  PID 4248 wrote to memory of 4712 | 4248 | cmd.exe | timeout.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\f93df5b9d273ec9921943e36de014dfc_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f93df5b9d273ec9921943e36de014dfc_JaffaCakes118.exe"
  - Checks computer location settings
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\BvwgWdgV & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\f93df5b9d273ec9921943e36de014dfc_JaffaCakes118.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 3
      - Delays execution with timeout.exe
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 1252
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3900 -ip 3900
Downloads
- C:\Users\Admin\AppData\Local\Temp\BvwgWdgV\IOTFIB~1.ZIP (44KB)
- C:\Users\Admin\AppData\Local\Temp\BvwgWdgV\SCCXQK~1.ZIP (44KB)
- C:\Users\Admin\AppData\Local\Temp\BvwgWdgV\_Files\_INFOR~1.TXT (7KB)
- C:\Users\Admin\AppData\Local\Temp\BvwgWdgV\_Files\_Information.txt (4KB)
- C:\Users\Admin\AppData\Local\Temp\BvwgWdgV\_Files\_Screen_Desktop.jpeg (49KB)
- C:\Users\Admin\AppData\Local\Temp\BvwgWdgV\files_\system_info.txt (1KB)
- C:\Users\Admin\AppData\Local\Temp\BvwgWdgV\files_\system_info.txt (7KB)
- memory/3900-223-0x0000000000400000-0x00000000004E5000-memory.dmp (916KB)
- memory/3900-1-0x0000000000720000-0x0000000000820000-memory.dmp (1024KB)
- memory/3900-3-0x0000000000400000-0x00000000004E5000-memory.dmp (916KB)
- memory/3900-2-0x00000000022C0000-0x00000000023A1000-memory.dmp (900KB)
- memory/3900-230-0x0000000000720000-0x0000000000820000-memory.dmp (1024KB)
- memory/3900-232-0x00000000022C0000-0x00000000023A1000-memory.dmp (900KB)