Analysis
-
max time kernel
149s
-
max time network
154s
-
platform
windows7_x64
-
resource
win7-20240221-en
-
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted
04-05-2024 16:18
Static task
static1
Behavioral task
behavioral1
Sample
13842292b894939dabc62c2370c0094c_JaffaCakes118.exe
Resource
win7-20240221-en
General
-
Target
13842292b894939dabc62c2370c0094c_JaffaCakes118.exe
-
Size
4.2MB
-
MD5
13842292b894939dabc62c2370c0094c
-
SHA1
405bfa3788bcf6fbab169e90442134f4e9bedeb9
-
SHA256
9a1d6cabb8a80b1ff7ac31d8c01f3522ca64860a8b9816eda57d44d7e994ec5a
-
SHA512
6e77bea261b8100d2288f8ee8f13fef033a2dc3a8d45d4198fe955bec63b82e66d6f1d542b3767e498188251d951825caaf44e4a9a40e0f15e185f59d3e828b3
-
SSDEEP
98304:hFhmmnjy6kFUpuf0xK/7UqS+Xv7yn3EeeQ069sWU/:hFhvm6kykf0xK/TBXmn33eCsl
Malware Config
Extracted
cryptbot
bibinene01.top
moraass05.top
Signatures
-
CryptBot payload 18 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2620-32-0x00000000003B0000-0x00000000008B7000-memory.dmp | family_cryptbot
behavioral1/memory/2620-249-0x00000000003B0000-0x00000000008B7000-memory.dmp | family_cryptbot
behavioral1/memory/2620-252-0x00000000003B0000-0x00000000008B7000-memory.dmp | family_cryptbot
behavioral1/memory/2620-253-0x00000000003B0000-0x00000000008B7000-memory.dmp | family_cryptbot
behavioral1/memory/2620-256-0x00000000003B0000-0x00000000008B7000-memory.dmp | family_cryptbot
behavioral1/memory/2620-257-0x00000000003B0000-0x00000000008B7000-memory.dmp | family_cryptbot
behavioral1/memory/2620-258-0x00000000003B0000-0x00000000008B7000-memory.dmp | family_cryptbot
behavioral1/memory/2620-261-0x00000000003B0000-0x00000000008B7000-memory.dmp | family_cryptbot
behavioral1/memory/2620-263-0x00000000003B0000-0x00000000008B7000-memory.dmp | family_cryptbot
behavioral1/memory/2620-265-0x00000000003B0000-0x00000000008B7000-memory.dmp | family_cryptbot
behavioral1/memory/2620-267-0x00000000003B0000-0x00000000008B7000-memory.dmp | family_cryptbot
behavioral1/memory/2620-269-0x00000000003B0000-0x00000000008B7000-memory.dmp | family_cryptbot
behavioral1/memory/2620-272-0x00000000003B0000-0x00000000008B7000-memory.dmp | family_cryptbot
behavioral1/memory/2620-274-0x00000000003B0000-0x00000000008B7000-memory.dmp | family_cryptbot
behavioral1/memory/2620-276-0x00000000003B0000-0x00000000008B7000-memory.dmp | family_cryptbot
behavioral1/memory/2620-278-0x00000000003B0000-0x00000000008B7000-memory.dmp | family_cryptbot
behavioral1/memory/2620-280-0x00000000003B0000-0x00000000008B7000-memory.dmp | family_cryptbot
behavioral1/memory/2620-282-0x00000000003B0000-0x00000000008B7000-memory.dmp | family_cryptbot
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | d7.exe
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | d7.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | d7.exe
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
2620 | d7.exe
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine | d7.exe
-
Loads dropped DLL 7 IoCs
Processes:
pid | process
1368 | 13842292b894939dabc62c2370c0094c_JaffaCakes118.exe
1368 | 13842292b894939dabc62c2370c0094c_JaffaCakes118.exe
1368 | 13842292b894939dabc62c2370c0094c_JaffaCakes118.exe
1368 | 13842292b894939dabc62c2370c0094c_JaffaCakes118.exe
2620 | d7.exe
2620 | d7.exe
2620 | d7.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
pid | process
2620 | d7.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | d7.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | d7.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
pid | process
2620 | d7.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid | process
2620 | d7.exe
2620 | d7.exe
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
description | pid | process | target process
PID 1368 wrote to memory of 2620 | 1368 | 13842292b894939dabc62c2370c0094c_JaffaCakes118.exe | d7.exe
PID 1368 wrote to memory of 2620 | 1368 | 13842292b894939dabc62c2370c0094c_JaffaCakes118.exe | d7.exe
PID 1368 wrote to memory of 2620 | 1368 | 13842292b894939dabc62c2370c0094c_JaffaCakes118.exe | d7.exe
PID 1368 wrote to memory of 2620 | 1368 | 13842292b894939dabc62c2370c0094c_JaffaCakes118.exe | d7.exe
PID 1368 wrote to memory of 2620 | 1368 | 13842292b894939dabc62c2370c0094c_JaffaCakes118.exe | d7.exe
PID 1368 wrote to memory of 2620 | 1368 | 13842292b894939dabc62c2370c0094c_JaffaCakes118.exe | d7.exe
PID 1368 wrote to memory of 2620 | 1368 | 13842292b894939dabc62c2370c0094c_JaffaCakes118.exe | d7.exe
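The signatures above are all derivable from one API trace: the registry fingerprinting of VirtualBox (ACPI DSDT key), BIOS strings, Wine and the CPU name, the NtSetInformationThread call with the ThreadHideFromDebugger information class, and the parent dropper writing into the child it spawned. The following is an added example that re-derives them as detection rules; it is not Triage's signature engine and nothing in it comes from the sample. The event format, the trace contents and the scoring threshold are assumptions; PIDs, image names and registry paths are copied from this report. The value 0x11 for ThreadHideFromDebugger is the documented THREADINFOCLASS constant.

```python
# Added example: re-derive the report's evasion signatures from a sandbox-style
# API trace. Event format and thresholds are assumptions, not Triage's.
from collections import Counter, defaultdict

DROPPER = "13842292b894939dabc62c2370c0094c_JaffaCakes118.exe"

# Constructed sample trace (PIDs, images and keys mirror the report; the
# dict layout is assumed). Includes a benign single lookup by explorer.exe.
TRACE = [
    # the dropper writing into its freshly spawned child (report: 7 IoCs)
    *[{"pid": 1368, "image": DROPPER, "api": "WriteProcessMemory", "target_pid": 2620}
      for _ in range(7)],
    # d7.exe fingerprinting the environment
    {"pid": 2620, "image": "d7.exe", "api": "RegOpenKey",
     "key": r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"},
    {"pid": 2620, "image": "d7.exe", "api": "RegQueryValue",
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System", "value": "SystemBiosVersion"},
    {"pid": 2620, "image": "d7.exe", "api": "RegQueryValue",
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System", "value": "VideoBiosVersion"},
    {"pid": 2620, "image": "d7.exe", "api": "RegOpenKey",
     "key": r"\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine"},
    {"pid": 2620, "image": "d7.exe", "api": "RegOpenKey",
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0"},
    {"pid": 2620, "image": "d7.exe", "api": "RegQueryValue",
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0",
     "value": "ProcessorNameString"},
    {"pid": 2620, "image": "d7.exe", "api": "NtSetInformationThread", "info_class": 0x11},
    # benign noise: one processor-name lookup by an unrelated process
    {"pid": 4000, "image": "explorer.exe", "api": "RegQueryValue",
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0",
     "value": "ProcessorNameString"},
]

THREAD_HIDE_FROM_DEBUGGER = 0x11  # THREADINFOCLASS ThreadHideFromDebugger
HIDE_SIG = "Suspicious use of NtSetInformationThreadHideFromDebugger"
WPM_SIG = "Suspicious use of WriteProcessMemory"


def _key_ends_with(ev, suffix):
    """Case-insensitive suffix match so HKLM/HKU path prefixes do not matter."""
    return ev.get("key", "").lower().endswith(suffix.lower())


# Registry fingerprint signatures: (report signature name, predicate on one event)
REGISTRY_SIGNATURES = [
    ("Identifies VirtualBox via ACPI registry values",
     lambda ev: _key_ends_with(ev, r"\HARDWARE\ACPI\DSDT\VBOX__")),
    ("Checks BIOS information in registry",
     lambda ev: _key_ends_with(ev, r"\HARDWARE\DESCRIPTION\System")
     and ev.get("value") in {"SystemBiosVersion", "VideoBiosVersion"}),
    ("Identifies Wine through registry keys",
     lambda ev: _key_ends_with(ev, r"\Software\Wine")),
    ("Checks processor information in registry",
     lambda ev: _key_ends_with(ev, r"\CentralProcessor\0")),
]
ANTI_ANALYSIS = {name for name, _ in REGISTRY_SIGNATURES} | {HIDE_SIG}


def match_signatures(trace):
    """Return pid -> Counter(signature name -> IoC count), like the report's tables."""
    hits = defaultdict(Counter)
    for ev in trace:
        pid, api = ev["pid"], ev["api"]
        if api in ("RegOpenKey", "RegQueryValue"):
            for name, pred in REGISTRY_SIGNATURES:
                if pred(ev):
                    hits[pid][name] += 1
        elif api == "NtSetInformationThread" and ev.get("info_class") == THREAD_HIDE_FROM_DEBUGGER:
            hits[pid][HIDE_SIG] += 1
        elif api == "WriteProcessMemory" and ev.get("target_pid") != pid:
            hits[pid][WPM_SIG] += 1  # cross-process write, not a self write
    return hits


def flag_evasive(hits, min_distinct=2):
    """A lone processor-name lookup is common in benign software; several distinct
    environment checks in one process, or any debugger hiding, is the evasion pattern."""
    flagged = set()
    for pid, counter in hits.items():
        distinct = ANTI_ANALYSIS & set(counter)
        if len(distinct) >= min_distinct or HIDE_SIG in distinct:
            flagged.add(pid)
    return flagged


if __name__ == "__main__":
    hits = match_signatures(TRACE)
    for pid, counter in sorted(hits.items()):
        for name, n in sorted(counter.items()):
            print(f"{pid:>5}  {name} ({n} IoCs)")
    print("evasive:", sorted(flag_evasive(hits)))
```

Run stand-alone it reproduces the report's IoC counts for d7.exe (PID 2620) and the seven WriteProcessMemory IoCs for the dropper, and flags only PID 2620 as evasive; the threshold of two distinct fingerprint categories is an assumed tuning knob to keep single processor lookups out of the alert.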
Processes
-
C:\Users\Admin\AppData\Local\Temp\13842292b894939dabc62c2370c0094c_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\13842292b894939dabc62c2370c0094c_JaffaCakes118.exe"
Depth: 1
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\AppData\Local\Temp\sib8587.tmp\0\d7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\sib8587.tmp\0\d7.exe" /s
  Depth: 2 (child of the process above)
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\E3Ghn0UMU\_Files\_Information.txt
Filesize 1KB
MD5 494506d76f88acc458e683697b2297db
SHA1 6308f6ce554947cefb5003a60f69a5058687ac66
SHA256 2078eb0ade7534f3a964d245064ac293c8108aa877fae28ec8e894b268167cd0
SHA512 3a0821768fc118b18952348b9e5eeb2d90a607db3f18e3c4b43c314f0e7a890e55b9fb6e14cdf72f93cbb4e7d85697f818a0d4e32b159f54ba60d5a47f7ab343
-
C:\Users\Admin\AppData\Local\Temp\E3Ghn0UMU\_Files\_Information.txt
Filesize 5KB
MD5 12df64d5d312967a304fd680296c132d
SHA1 70ee354f7280d95c1e48eb9e8e9e0daa2081aeaa
SHA256 6bc1eacb0ff61d3e603608f12f598b70b4654992e599fab578ca6ac3f29ee912
SHA512 52c50c4bb763dcd1a00396aa36e1094369ad64f20d325efc1867c92100fd4372f226dc441b0684722a07ba2abef6afea636cec6d8fc044aee3451c056f37492a
-
C:\Users\Admin\AppData\Local\Temp\E3Ghn0UMU\_Files\_Screen_Desktop.jpeg
Filesize 42KB
MD5 6975717f3b4ff2b49a614ab1595a870c
SHA1 cbc8df35d9f12c2fec09d9dd031683db49dfbfd9
SHA256 4c9553b9dee6b1c19198a1a5fefef41ed753be9f683793dc15fbe6ba26166a87
SHA512 95329b07016e56a4c8e723561cd29c92fa271640d6a2bbfbed0f3878f14b673bd0e4ec170d652bb9300dcf1b968b2a1f16149f5ddc2160f4bc4d762ae632ab11
-
C:\Users\Admin\AppData\Local\Temp\E3Ghn0UMU\files_\system_info.txt
Filesize 774B
MD5 0ab16cb39380f651a8515da3fc4a543f
SHA1 1d4b7ad91f27198ab51340ca054d4cb51b46862f
SHA256 cc7a643928c5dbd034669c920262373adcf5a249a39b4c86ea20776995f80b0b
SHA512 16b42bf24f3f17a9f2ad4181a31c67af6b1ab183d19e4044f58838c9f19c9c75d73d34a4bb3a21536d43f89d20d37a0f521cfd2eb7d46bf31c770d87259e6187
-
C:\Users\Admin\AppData\Local\Temp\E3Ghn0UMU\files_\system_info.txt
Filesize 8KB
MD5 dfe7d661467ca412a5a3dd4cee269949
SHA1 44aca68d0f74781f77a818c4dfcb908df4c13e66
SHA256 704a37401596b32ea46cda87768c3c256259fcefba706843143fad8301088387
SHA512 4ecf35e001f75852f57409e5bc93969656ef18f76f8eb6604b522340b43281c7a3c5f274c9b0afb18ba7f605536116939caf3f070b51a71177415f5d67afe5c5
-
C:\Users\Admin\AppData\Local\Temp\E3Ghn0UMU\vAv3bbGg6LilOZ.zip
Filesize 34KB
MD5 4c9845452c36efbec8a7598f31ac22fe
SHA1 cbcae5d6c777997747dce6bf83edec0e96e68dfe
SHA256 3dbfcd0cd73ef21615ff324c3b15e8d8b7cf773ddec5e71d14d326fa7faedc61
SHA512 654fba80d83a084cf33d0b6483a51218ff4d390e449856c36584bb6ec46c5710b984ff08f84057fa0d8133b35b8c98d63857783b0cee85c508216924f1546de6
-
C:\Users\Admin\AppData\Local\Temp\nst848C.tmp\Sibuia.dll
Filesize 524KB
MD5 6a3c3c97e92a5949f88311e80268bbb5
SHA1 48c11e3f694b468479bc2c978749d27b5d03faa2
SHA256 7938db73242aafbe80915e4ca886d38be9b7e872b93bdae1e8ee6cf4a005b7d9
SHA512 6141886a889825ccdfa59a419f7670a34ef240c4f90a83bc17223c415f2fbd983280e98e67485710e449746b5bf3284907537bef6ab698a48954dd4910ddf693
-
\Users\Admin\AppData\Local\Temp\sib8587.tmp\0\d7.exe
Filesize 2.0MB
MD5 f7d357ad02e19287fbfdd8fc138a3662
SHA1 88ddb3cd546a4751d57fade705264d2b575ff35a
SHA256 848ebc63155b66409cd11733c08ab85b1886009dfa895c7dc56c63079d23125f
SHA512 873a7203e7c4ea6fdde068ab6d38d0355ea68820388bd92c33119082155d36d13f4cbbbc90aab9f1b4c4533e303e1b174b84c5f5bfe65dd2fbe154d13011abd4
-
\Users\Admin\AppData\Local\Temp\sib8587.tmp\SibClr.dll
Filesize 51KB
MD5 5ea6d2ffeb1be3fc0571961d0c4c2b5f
SHA1 902dfe9ae735c83fb0cb46b3e110bbf2aa80209e
SHA256 508336b6a7c3226738e74f6ce969e828da904ad9f7610b9112f883a316ee9222
SHA512 e81657087f451a37f06a07bf84175117fdaf75d5d8b84cbdc49497fcf88f96e259074518ea3037680d27c9eaeebd7a8df496297593fead88d7edea202a572585
-
memory/1368-14-0x000000000E580000-0x000000000E592000-memory.dmp
Filesize 72KB
-
memory/1368-251-0x000000001C940000-0x000000001CE47000-memory.dmp
Filesize 5.0MB
-
memory/1368-20-0x000000001C940000-0x000000001CE47000-memory.dmp
Filesize 5.0MB
-
memory/1368-15-0x00000000108C0000-0x000000001097A000-memory.dmp
Filesize 744KB
-
memory/1368-10-0x0000000000400000-0x0000000000536000-memory.dmp
Filesize 1.2MB
-
memory/2620-249-0x00000000003B0000-0x00000000008B7000-memory.dmp
Filesize 5.0MB
-
memory/2620-258-0x00000000003B0000-0x00000000008B7000-memory.dmp
Filesize 5.0MB
-
memory/2620-31-0x00000000003B0000-0x00000000008B7000-memory.dmp
Filesize 5.0MB
-
memory/2620-28-0x0000000001290000-0x0000000001797000-memory.dmp
Filesize 5.0MB
-
memory/2620-29-0x0000000001290000-0x0000000001797000-memory.dmp
Filesize 5.0MB
-
memory/2620-30-0x0000000001290000-0x0000000001797000-memory.dmp
Filesize 5.0MB
-
memory/2620-252-0x00000000003B0000-0x00000000008B7000-memory.dmp
Filesize 5.0MB
-
memory/2620-253-0x00000000003B0000-0x00000000008B7000-memory.dmp
Filesize 5.0MB
-
memory/2620-254-0x0000000001290000-0x0000000001797000-memory.dmp
Filesize 5.0MB
-
memory/2620-256-0x00000000003B0000-0x00000000008B7000-memory.dmp
Filesize 5.0MB
-
memory/2620-257-0x00000000003B0000-0x00000000008B7000-memory.dmp
Filesize 5.0MB
-
memory/2620-32-0x00000000003B0000-0x00000000008B7000-memory.dmp
Filesize 5.0MB
-
memory/2620-24-0x00000000003B0000-0x00000000008B7000-memory.dmp
Filesize 5.0MB
-
memory/2620-261-0x00000000003B0000-0x00000000008B7000-memory.dmp
Filesize 5.0MB
-
memory/2620-263-0x00000000003B0000-0x00000000008B7000-memory.dmp
Filesize 5.0MB
-
memory/2620-265-0x00000000003B0000-0x00000000008B7000-memory.dmp
Filesize 5.0MB
-
memory/2620-267-0x00000000003B0000-0x00000000008B7000-memory.dmp
Filesize 5.0MB
-
memory/2620-269-0x00000000003B0000-0x00000000008B7000-memory.dmp
Filesize 5.0MB
-
memory/2620-272-0x00000000003B0000-0x00000000008B7000-memory.dmp
Filesize 5.0MB
-
memory/2620-274-0x00000000003B0000-0x00000000008B7000-memory.dmp
Filesize 5.0MB
-
memory/2620-276-0x00000000003B0000-0x00000000008B7000-memory.dmp
Filesize 5.0MB
-
memory/2620-278-0x00000000003B0000-0x00000000008B7000-memory.dmp
Filesize 5.0MB
-
memory/2620-280-0x00000000003B0000-0x00000000008B7000-memory.dmp
Filesize 5.0MB
-
memory/2620-282-0x00000000003B0000-0x00000000008B7000-memory.dmp
Filesize 5.0MB