Analysis
- max time kernel: 144s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 01-05-2024 04:05

Static task: static1
Behavioral task: behavioral1
- Sample: 0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe
- Resource: win7-20240221-en
General
- Target: 0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe
- Size: 2.0MB
- MD5: 0b0968b621bce390ddbcffe8cb910837
- SHA1: c82603d8a9086cfa8b7de41e74dc5d5203b87b39
- SHA256: 010a6069f6885e4a5a67e3e91759e7938a32ab157342d5e51eb168e57b73d7f7
- SHA512: c81cf7ad2ecfa9223bc7ef30cc59fa8c7e4ccd3916405dd9b1b6079536da948dd92405ecbfcff67655fa8c0f861f7c13dc70328bf3899f7610d747557a77c3b1
- SSDEEP: 49152:WRnh8X/iBdNckR2Tqe93bRl2lYkT9H4KmEpjppTeCQB783z5hTI2bKf:WRn2PiBPckoOKRl2lPVpzeCM78jbKf
Malware Config
Extracted
- Family: cryptbot
- bibinene01.top
- moraass05.top
Signatures
- CryptBot payload (16 IoCs)
  Processes (resource / yara_rule):
  behavioral1/memory/2388-8-0x0000000000F10000-0x0000000001420000-memory.dmp  family_cryptbot
  behavioral1/memory/2388-237-0x0000000000F10000-0x0000000001420000-memory.dmp  family_cryptbot
  behavioral1/memory/2388-239-0x0000000000F10000-0x0000000001420000-memory.dmp  family_cryptbot
  behavioral1/memory/2388-240-0x0000000000F10000-0x0000000001420000-memory.dmp  family_cryptbot
  behavioral1/memory/2388-243-0x0000000000F10000-0x0000000001420000-memory.dmp  family_cryptbot
  behavioral1/memory/2388-245-0x0000000000F10000-0x0000000001420000-memory.dmp  family_cryptbot
  behavioral1/memory/2388-248-0x0000000000F10000-0x0000000001420000-memory.dmp  family_cryptbot
  behavioral1/memory/2388-250-0x0000000000F10000-0x0000000001420000-memory.dmp  family_cryptbot
  behavioral1/memory/2388-252-0x0000000000F10000-0x0000000001420000-memory.dmp  family_cryptbot
  behavioral1/memory/2388-254-0x0000000000F10000-0x0000000001420000-memory.dmp  family_cryptbot
  behavioral1/memory/2388-257-0x0000000000F10000-0x0000000001420000-memory.dmp  family_cryptbot
  behavioral1/memory/2388-259-0x0000000000F10000-0x0000000001420000-memory.dmp  family_cryptbot
  behavioral1/memory/2388-262-0x0000000000F10000-0x0000000001420000-memory.dmp  family_cryptbot
  behavioral1/memory/2388-264-0x0000000000F10000-0x0000000001420000-memory.dmp  family_cryptbot
  behavioral1/memory/2388-266-0x0000000000F10000-0x0000000001420000-memory.dmp  family_cryptbot
  behavioral1/memory/2388-268-0x0000000000F10000-0x0000000001420000-memory.dmp  family_cryptbot
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
  Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe
- Identifies Wine through registry keys (2 TTPs, 1 IoC)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes (description / ioc / process):
  Key opened  \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Wine  0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes (pid / process):
  2388  0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
  Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes (pid / process):
  2388  0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes (pid / process):
  2388  0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe
  2388  0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0b0968b621bce390ddbcffe8cb910837_JaffaCakes118.exe"
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Identifies Wine through registry keys
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Checks processor information in registry
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\HQWwxCL460B\_Files\_Information.txt
  Filesize: 8KB
  MD5: eedb15997b4de4bc2077844f5d89206c
  SHA1: 5533edfbe60caf31384bdb16b32b070ddf8cf977
  SHA256: cfd01d110735d4aeedfd04f6da4e59b5cab1d714955f16dd45dddad7afbd2594
  SHA512: 5b8f3788052db414ed4aee79db83216d238e99576e4c5323de88e0e015e9b968f4170e3c1a55315b5159e7ff439da12ca2eafb97a4327f509996855b90aea09b
- C:\Users\Admin\AppData\Local\Temp\HQWwxCL460B\_Files\_Screen_Desktop.jpeg
  Filesize: 40KB
  MD5: acdfd5ab39830430feaa6a00ed09b29d
  SHA1: 2318018d4c35a3de2099e4ca409045f7a5131d54
  SHA256: 7c235c4295db59bfa5cd646f3e8ccfce96099c4b133dd65a3f3c4ad4002e07b7
  SHA512: 63d19859eee5b33a3482cb1f2a136ab05c46e5f671157633400df470e571ad1f672f841ca561736fb8d9e00211525a716f908921c5a4fb891a993ae9d51a7fa1
- C:\Users\Admin\AppData\Local\Temp\HQWwxCL460B\files_\system_info.txt
  Filesize: 8KB
  MD5: fabeeeaf246c6a32db9ed2b53eab9b99
  SHA1: b87f1da62eef223b53ad02e6b77f37124f5253cc
  SHA256: 3e6611af75defbd1838dc5c153eca57399764f77c63d0b300379ce5fd484b514
  SHA512: a0d7031d19353cad7d4a5ee8a26cac5c0f6c1e11c37bc2966ec683f57194fe5e35b2457d2a6035c032b7da38de720b10d6271771a4173d498e73fe40e4c5d391
- C:\Users\Admin\AppData\Local\Temp\HQWwxCL460B\qmGBmBWbLF.zip
  Filesize: 32KB
  MD5: 85af5f3b5e86a895a85f661b8ab9a43e
  SHA1: 368ae3f4dcbb2cbea89b548543ec39e7188174d0
  SHA256: 7186508473daaa35ba28bf5fa00cc0e6584d1bbaeb12ee9a503f87dbcc2e75af
  SHA512: 31aed5f66dd6a990526b8c6ba2821c6c9fe443231f10d2a793acce834ce2b56f1c647633f83ec03acb2f352003861954e5d305f90a32c4b0766e0ed8c828e70d
Memory dumps (resource / Filesize):
- memory/2388-127-0x0000000000EE0000-0x0000000000EE1000-memory.dmp  4KB
- memory/2388-7-0x0000000000C50000-0x0000000000C51000-memory.dmp  4KB
- memory/2388-0-0x0000000000F10000-0x0000000001420000-memory.dmp  5.1MB
- memory/2388-3-0x0000000000D80000-0x0000000000D81000-memory.dmp  4KB
- memory/2388-8-0x0000000000F10000-0x0000000001420000-memory.dmp  5.1MB
- memory/2388-13-0x0000000000AA0000-0x0000000000AA1000-memory.dmp  4KB
- memory/2388-12-0x0000000000DA0000-0x0000000000DA1000-memory.dmp  4KB
- memory/2388-11-0x0000000000E50000-0x0000000000E51000-memory.dmp  4KB
- memory/2388-10-0x0000000002850000-0x0000000002851000-memory.dmp  4KB
- memory/2388-9-0x0000000002830000-0x0000000002831000-memory.dmp  4KB
- memory/2388-17-0x0000000000DF0000-0x0000000000DF1000-memory.dmp  4KB
- memory/2388-16-0x0000000002970000-0x0000000002971000-memory.dmp  4KB
- memory/2388-15-0x0000000002960000-0x0000000002961000-memory.dmp  4KB
- memory/2388-14-0x0000000000A90000-0x0000000000A91000-memory.dmp  4KB
- memory/2388-18-0x00000000029E0000-0x00000000029E1000-memory.dmp  4KB
- memory/2388-4-0x0000000000F00000-0x0000000000F01000-memory.dmp  4KB
- memory/2388-6-0x0000000000E40000-0x0000000000E41000-memory.dmp  4KB
- memory/2388-2-0x0000000000D90000-0x0000000000D91000-memory.dmp  4KB
- memory/2388-5-0x0000000002840000-0x0000000002841000-memory.dmp  4KB
- memory/2388-237-0x0000000000F10000-0x0000000001420000-memory.dmp  5.1MB
- memory/2388-239-0x0000000000F10000-0x0000000001420000-memory.dmp  5.1MB
- memory/2388-240-0x0000000000F10000-0x0000000001420000-memory.dmp  5.1MB
- memory/2388-241-0x00000000029E0000-0x00000000029E1000-memory.dmp  4KB
- memory/2388-1-0x0000000077720000-0x0000000077722000-memory.dmp  8KB
- memory/2388-243-0x0000000000F10000-0x0000000001420000-memory.dmp  5.1MB
- memory/2388-245-0x0000000000F10000-0x0000000001420000-memory.dmp  5.1MB
- memory/2388-248-0x0000000000F10000-0x0000000001420000-memory.dmp  5.1MB
- memory/2388-250-0x0000000000F10000-0x0000000001420000-memory.dmp  5.1MB
- memory/2388-252-0x0000000000F10000-0x0000000001420000-memory.dmp  5.1MB
- memory/2388-254-0x0000000000F10000-0x0000000001420000-memory.dmp  5.1MB
- memory/2388-257-0x0000000000F10000-0x0000000001420000-memory.dmp  5.1MB
- memory/2388-259-0x0000000000F10000-0x0000000001420000-memory.dmp  5.1MB
- memory/2388-262-0x0000000000F10000-0x0000000001420000-memory.dmp  5.1MB
- memory/2388-264-0x0000000000F10000-0x0000000001420000-memory.dmp  5.1MB
- memory/2388-266-0x0000000000F10000-0x0000000001420000-memory.dmp  5.1MB
- memory/2388-268-0x0000000000F10000-0x0000000001420000-memory.dmp  5.1MB