Overview
overview
10Static
static
300496f5232...18.exe
windows7-x64
1000496f5232...18.exe
windows10-2004-x64
10$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDIR/UAC.dll
windows7-x64
3$PLUGINSDIR/UAC.dll
windows10-2004-x64
3$PLUGINSDI...fo.dll
windows7-x64
3$PLUGINSDI...fo.dll
windows10-2004-x64
3$PLUGINSDI...gs.dll
windows7-x64
3$PLUGINSDI...gs.dll
windows10-2004-x64
3$PLUGINSDI...ec.dll
windows7-x64
3$PLUGINSDI...ec.dll
windows10-2004-x64
3Two.vbs
windows7-x64
8Two.vbs
windows10-2004-x64
8looo.exe
windows7-x64
9looo.exe
windows10-2004-x64
9setup.exe
windows7-x64
10setup.exe
windows10-2004-x64
10General
-
Target
00496f52320714064d5f28deb6d27a6a_JaffaCakes118
-
Size
4.2MB
-
Sample
240426-jeaw2sbg88
-
MD5
00496f52320714064d5f28deb6d27a6a
-
SHA1
a850a5f21b92406828fb20467684deee0636dfff
-
SHA256
d2d42d0f4d3c48c6eb2caf6a64fcc1aefd8e45be05e41153f52282d06628636d
-
SHA512
972f08ca808bef4a2f67f20905ebe429e9347d1d22994060e115e1e6a361c4fae0a8fdb20b214d192c74f02e0b30317484790e94568dc518ccad1d670f9bebb4
-
SSDEEP
98304:OML/AYnVjQboteqWhLWqPFC2O+sQwLAEiYEclcWHPO+k:BL/nVj8oteq7qPU2eQw0EyciwPW
Static task
static1
Behavioral task
behavioral1
Sample
00496f52320714064d5f28deb6d27a6a_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
00496f52320714064d5f28deb6d27a6a_JaffaCakes118.exe
Resource
win10v2004-20240412-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240220-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240412-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/UAC.dll
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/UAC.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/UserInfo.dll
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/UserInfo.dll
Resource
win10v2004-20240412-en
Behavioral task
behavioral9
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win7-20231129-en
Behavioral task
behavioral10
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win10v2004-20240412-en
Behavioral task
behavioral11
Sample
$PLUGINSDIR/nsExec.dll
Resource
win7-20240215-en
Behavioral task
behavioral12
Sample
$PLUGINSDIR/nsExec.dll
Resource
win10v2004-20240412-en
Behavioral task
behavioral13
Sample
Two.vbs
Resource
win7-20240221-en
Behavioral task
behavioral14
Sample
Two.vbs
Resource
win10v2004-20240226-en
Behavioral task
behavioral15
Sample
looo.exe
Resource
win7-20240221-en
Behavioral task
behavioral16
Sample
looo.exe
Resource
win10v2004-20240412-en
Behavioral task
behavioral17
Sample
setup.exe
Resource
win7-20240221-en
Malware Config
Extracted
cryptbot
verf01.top
Targets
-
-
Target
00496f52320714064d5f28deb6d27a6a_JaffaCakes118
-
Size
4.2MB
-
MD5
00496f52320714064d5f28deb6d27a6a
-
SHA1
a850a5f21b92406828fb20467684deee0636dfff
-
SHA256
d2d42d0f4d3c48c6eb2caf6a64fcc1aefd8e45be05e41153f52282d06628636d
-
SHA512
972f08ca808bef4a2f67f20905ebe429e9347d1d22994060e115e1e6a361c4fae0a8fdb20b214d192c74f02e0b30317484790e94568dc518ccad1d670f9bebb4
-
SSDEEP
98304:OML/AYnVjQboteqWhLWqPFC2O+sQwLAEiYEclcWHPO+k:BL/nVj8oteq7qPU2eQw0EyciwPW
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Blocklisted process makes network request
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
$PLUGINSDIR/System.dll
-
Size
11KB
-
MD5
bf712f32249029466fa86756f5546950
-
SHA1
75ac4dc4808ac148ddd78f6b89a51afbd4091c2e
-
SHA256
7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af
-
SHA512
13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4
-
SSDEEP
192:0N2gQuUwXzioj4KALV2upWzVd7q1QDXEbBZ8KxHdGzyS/Kx:rJoiO8V2upW7vQjS/
Score3/10 -
-
-
Target
$PLUGINSDIR/UAC.dll
-
Size
14KB
-
MD5
adb29e6b186daa765dc750128649b63d
-
SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9
-
SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
-
SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada
-
SSDEEP
192:DiF6v2imI36Op/tGZGfWxdyWHD0I53vLl7WVl8e04IpDlPjs:DGVY6ClGoWxXH75T1WVl83lLs
Score3/10 -
-
-
Target
$PLUGINSDIR/UserInfo.dll
-
Size
4KB
-
MD5
c7ce0e47c83525983fd2c4c9566b4aad
-
SHA1
38b7ad7bb32ffae35540fce373b8a671878dc54e
-
SHA256
6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae
-
SHA512
ee9f23ea5210f418d4c559628bbfb3a0f892440bcd5dc4c1901cb8e510078e4481ea8353b262795076a19055e70b88e08fee5fb7e8f35a6f49022096408df20e
Score3/10 -
-
-
Target
$PLUGINSDIR/nsDialogs.dll
-
Size
9KB
-
MD5
4ccc4a742d4423f2f0ed744fd9c81f63
-
SHA1
704f00a1acc327fd879cf75fc90d0b8f927c36bc
-
SHA256
416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6
-
SHA512
790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb
-
SSDEEP
192:SbEunjqjIcESwFlioU3M0LLF/t8t9pKSfOi:SbESjFCw6oWPFl8jfOi
Score3/10 -
-
-
Target
$PLUGINSDIR/nsExec.dll
-
Size
6KB
-
MD5
132e6153717a7f9710dcea4536f364cd
-
SHA1
e39bc82c7602e6dd0797115c2bd12e872a5fb2ab
-
SHA256
d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2
-
SHA512
9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1
-
SSDEEP
96:M/SspqrIYxLPEQhThvov3TE4/2Sa5P9QFFYzOx4uF3sbSEI5LP39sQvM:M/QUG7lhvov36S5FcUjliSEI5LuQ
Score3/10 -
-
-
Target
Two.vbs
-
Size
126B
-
MD5
c6362e3c5585f24a9e9a2712c00c52ff
-
SHA1
9259b9609313386f004328d2c306820eae01a587
-
SHA256
184ca5b2737175e0828f3546d483778c95e23720f1375deac0090c2fe415e208
-
SHA512
59ac94fdb6f41d6dc5cbea1855897759f35032ac922b936a0b39a21b6aafb0c862c5d419afa31c0b81f106f2ce06b2909cdb5fb713534fbe36202c5a4fedfeaa
Score8/10-
Blocklisted process makes network request
-
Legitimate hosting services abused for malware hosting/C2
-
-
-
Target
looo.exe
-
Size
2.0MB
-
MD5
1020f1ede8ee26e04d02d27d89f49806
-
SHA1
d87a93388d831d00bf73bdd5070459d9e93fc1de
-
SHA256
6bc6667519c0417b064ac6b0cefc19e6a1fe7ba8394d42e5b7deef878411c2fa
-
SHA512
cda1c4c82dc25a7610ff082520417061c734a36459f01a871b6f57396383a63d109cc301591f759fd3cffdb1af00deef2440d6de823f7d7d1ea893f9a3f9a319
-
SSDEEP
49152:pGQndVODSut7+iifYjTgaPOWBkEF7DmloYR9EtvTLC1ZtLBP:pGQnitqiiigaPOKWloYD6S1jL
Score9/10-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
setup.exe
-
Size
2.0MB
-
MD5
e3bd0bd352761ec4519226b2f1a99741
-
SHA1
7fb5b0edd93b0fc1b81ece790196cb8e3199dbb0
-
SHA256
f202795b0ac5d3b56baccd451ab5c43b4db104c5332eafadf8efbc5ad297b3c8
-
SHA512
3c0dc2495bbc57477b8db071c024fb940dfe7030aba86c9d5fc2f53a80b19b58d52a0309ea662eda98b8f58000cd4efef83840534c5aaaa3f819d7629d3c8cb0
-
SSDEEP
49152:AXn33uRK4OpL5Lz/UGMDISkfna30M0/O2BFkx1tPC:gHG9oL5Lz/UGMUw38/5BFezP
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-