Overview

overview

10

Static

static

3

ff0a0fb60f...18.exe

windows7-x64

10

ff0a0fb60f...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    21-04-2024 10:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ff0a0fb60f802d18b357b8b3506909de_JaffaCakes118.exe

  • Size

    586KB

  • MD5

    ff0a0fb60f802d18b357b8b3506909de

  • SHA1

    7ea1041d0287adcfe5189fcc6f84cb449220647c

  • SHA256

    21a27023f4316ff356a2ff7d5c8ef5431d65217da4496820d8865666fe8cd11e

  • SHA512

    377523a9a7b72bc03c2d40e71f27055ae89490ad776972eb8894469b395e4291c50ac951bf288d84d0e3ecdd9fc4c92976c8a7a2e37801dc5a99d9ab9542bbbe

  • SSDEEP

    12288:2XoxQ9UJJrIU9/wL6Zzil5DtDELVsLffMjiOc5ogA5bssQ:2uQ98TJFuZsVsLkmVodJss

Score
10/10
cryptbotdiscoveryspywarestealer

Malware Config

Extracted

Family

cryptbot

C2

ewayab32.top

morxeg03.top
Attributes
  • payload_url

    http://winxob04.top/download.php?file=lv.exe

Signatures

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • CryptBot payload 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of FindShellTrayWindow 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ff0a0fb60f802d18b357b8b3506909de_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ff0a0fb60f802d18b357b8b3506909de_JaffaCakes118.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious use of FindShellTrayWindow
    PID:2460

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3sIKCMwP8XR\YpIGosNYiqd.zip
    Filesize

    38KB

    MD5

    0684a68a4c8b49d9f2cc1c3d421b7eb8

    SHA1

    96ef90f720e91e675f1a6d9468292cc70ebec7dc

    SHA256

    054f8a66769e841c403c3dee7b08b64008f5acdd8d299b52aba0cfb0a1fb0d31

    SHA512

    c6c9d03b08cc35adcf6bfd5ad88d3381766915bd3bc4a32009e2797f7091675f7f437f080d060df7e33ba3b2bf428b5b7602fa08c4cc8b18eaea3eaf08b89fd5

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\3sIKCMwP8XR\_Files\_Information.txt
    Filesize

    1KB

    MD5

    b77b5332f632f12205dcb33ce2f150c1

    SHA1

    24fdf058a120287be33cc95ce9842a9b7fb05e7c

    SHA256

    a9a53bfdbb6b161496cb293b4a6c33e3c6946c366ff4c1feb9a57f69360ff0fd

    SHA512

    90f62e788c9d91914edabf77754613e4e4161054ce48425bc5b81d6316e8593be7cfccb168fff8e0882dad8e5fa5b73882448787278d5a7892a62ec8507704b3

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\3sIKCMwP8XR\_Files\_Information.txt
    Filesize

    3KB

    MD5

    765ee2f8766d572a4169abf76db8c743

    SHA1

    022afa751e42a82d1c564c4ba623f837baffdc1f

    SHA256

    3310817406fc7b622205d32b4d2cbc62cb393d72d9149683abf1d19635fbcc56

    SHA512

    7df1d98652d21b2520567c5c5d7a63430c58d3d156e5698724a5fbb25d486bf1be3b7999782d9456b94925b550d5837be5e547518d078f6ac0a8248765ac8b52

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\3sIKCMwP8XR\_Files\_Information.txt
    Filesize

    3KB

    MD5

    9106c7ce759fca3dab3dd6db923b40f5

    SHA1

    a061dca9023254e86355269aa7232bccf3cd2bdc

    SHA256

    a9703a0463beadd171d329dfd0fa010759fea04cd9d276cded6dee08abc419d1

    SHA512

    5cf836da7dbe6111bb8eced0366de1bceb15776c0f06ff8d77b7879ca25fe005d0d3d56d3b6c82518a4eaf963bbe31f9b2b03ad337217811de954dbe3e70fc1f

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\3sIKCMwP8XR\_Files\_Information.txt
    Filesize

    8KB

    MD5

    3cec0af8ba9c7ef738a51117f9db32fc

    SHA1

    b7cf0648e96df27e37390cfdf101f191ff75d162

    SHA256

    4ba47a8a019cd28a0a6e0e1aff8f700a699412cb48c5e206b981000c61c80df9

    SHA512

    7afbc98c41afd9b35a25225e63eda46ba09946b6b66c000ff6739d368cde829a19559da033c569a3d04c67785057d9d2489fab040c57c250fad8a4a65146163a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\3sIKCMwP8XR\_Files\_Screen_Desktop.jpeg
    Filesize

    45KB

    MD5

    40fcf591fc648664c82250578c9a9378

    SHA1

    59ebd332646e0623838a2b55b9d05f62f3220325

    SHA256

    31de57c57474c92cbe6454e257babed513996871296af2f9ede6fad7683792e6

    SHA512

    e84be84475d524f913577a8892374ac6a368f3809e9e9955ee6115d1c4db1d8145be4a1cc8b4cc3f10965230863db37a3a77f895c493f58a2b475d6336393c9b

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\3sIKCMwP8XR\files_\system_info.txt
    Filesize

    834B

    MD5

    1266562a012754c67442228f0e596c21

    SHA1

    4a99270af9ad4c0c455fe722dfc622caffd915e0

    SHA256

    c834ab7594887655fde081b156f91edb55841ed4b45fd5b2dfebd5aad2f36a57

    SHA512

    c3b37f041c714d9aa66a3aec2734046857d95d05c3b596d84ba92df782e30edb173bace4a302555765a3be1ee1a718698adc254a4653a116b53b96aa2ef56ce6

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\3sIKCMwP8XR\files_\system_info.txt
    Filesize

    1KB

    MD5

    190ff5ddbe989667bf4f58672fa030c0

    SHA1

    3846e3f3a62bb3a76f8c7f08bfa6dcfc03b6e39b

    SHA256

    c8201906c00280a39968d1ed6e4715f5a80244219d129770774eb6858aeeee58

    SHA512

    bd33f9e1102c994707329b49e46a9fb8f78c16023a441f8e026352e9df80923c28d2cb254429ab555ec5f9a3c91de81a22130d6c69ce1a5163ddbba103c6b548

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\3sIKCMwP8XR\files_\system_info.txt
    Filesize

    3KB

    MD5

    b9a215cddbec373bb4b61fc255e36d2f

    SHA1

    45faaaa3e6bf6aafc6a33f7639318cb6d609ddf0

    SHA256

    643164831809ca0cf203f57adba81fa3f3cb3a8884b1aa52d46b6cbcc1da4e0d

    SHA512

    459404369d7fa58fd35c8bfef8ff1f16e9d3b7ec9f7b564c9d920a1d78333b9997241fd2eb857b5172d0819e77017d896f667283710a0c3bafa85f3890caf427

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\3sIKCMwP8XR\files_\system_info.txt
    Filesize

    5KB

    MD5

    81c209904f5eb1a077589a01d1b73c1d

    SHA1

    b3564721feb7dccff1d02862beaff7e473651f14

    SHA256

    ed9dd49db0def4702208ae20fc0080213149a8f9f594ef0eedb04cb89f94eb19

    SHA512

    c4c7d05a37eba102f354700a1229ec0bf7b94e51b124f072f986330db21c1e1139876e279e0a8d123abff8315609efb7b4052db5f2b6482b7d1ee52245ca3948

    Download Submit
  • memory/2460-4-0x0000000000530000-0x0000000000531000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2460-3-0x0000000000400000-0x00000000004AC000-memory.dmp
    Filesize

    688KB

    Download
  • memory/2460-1-0x00000000005D0000-0x00000000006D0000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/2460-222-0x0000000000400000-0x00000000004AC000-memory.dmp
    Filesize

    688KB

    Download
  • memory/2460-224-0x00000000005D0000-0x00000000006D0000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/2460-2-0x0000000000220000-0x00000000002C0000-memory.dmp
    Filesize

    640KB

    Download
  • memory/2460-227-0x0000000000530000-0x0000000000531000-memory.dmp
    Filesize

    4KB

    Download