Overview

overview

10

Static

static

3

1763bb2adc...18.exe

windows7-x64

10

1763bb2adc...18.exe

windows10-2004-x64

10

$PLUGINSDI...ia.dll

windows7-x64

3

$PLUGINSDI...ia.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    05-05-2024 11:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1763bb2adcedfe5bc524624aa73dc140_JaffaCakes118.exe

  • Size

    4.3MB

  • MD5

    1763bb2adcedfe5bc524624aa73dc140

  • SHA1

    2df89148a27b588a9f1a99a99e17312c43c41340

  • SHA256

    d2638877ee593334ebe913b61a62a9cb80c75493f764c416959d34fe8a99897a

  • SHA512

    92d4dc3b1dcb6793ac306bad5da80938f6d995da528a5432f7cb7655450ce035fe6d35f8d702ae46522b1f4bf127f671eb936e0f6fa28e4478c12260ff7d5337

  • SSDEEP

    98304:7fdYYywRBzkQ8LepeMMsKcjetxUGFaj2S7+aFun114T:bdfBzh8L6CsCjFAlFu1e

Score
10/10
cryptbotdiscoveryevasionspywarestealer

Malware Config

Extracted

Family

cryptbot

C2

bibinene03.top

moraass05.top

Signatures

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • CryptBot payload 20 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1763bb2adcedfe5bc524624aa73dc140_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1763bb2adcedfe5bc524624aa73dc140_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2972
    • C:\Users\Admin\AppData\Local\Temp\sib1019.tmp\0\1.exe
      "C:\Users\Admin\AppData\Local\Temp\sib1019.tmp\0\1.exe" /s
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      PID:2836

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

5
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Cull2jGw\_Files\_Information.txt
    Filesize

    8KB

    MD5

    2252943940a758fb6d511b278968d3b8

    SHA1

    199fc69dd1553d3da66ff4ef4924e2e251734e6b

    SHA256

    d5a2a9c283b27d0cd16c281356391ae5f08fd714ebfda0f4d0b756ec0ef4012d

    SHA512

    4855586b6fd9ef459ee9bdb81216f1b9645b7fcf4148ba89ad07eb6598559189af0bbb7d4999e6e12331fe91b655d37d206c7a38cd3dafea07c587850fb6ef73

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Cull2jGw\_Files\_Screen_Desktop.jpeg
    Filesize

    46KB

    MD5

    0a7f42f115a9a00ceff6ad37f6c24293

    SHA1

    df5bf428997bb23ce46d80d69548b1cf933b93a8

    SHA256

    0bcb83f26ff71029b346d6bf618a65345c08161861bf7e583ef854bb0fe29342

    SHA512

    29468a6d5406e3d403660e8615144bd7ec8298fb44ede1ceb5299cbb9ceb53bf5510330e958891177f6c95c2f7cc1ac23de7175e016dbf2f5426b0665c4cc779

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Cull2jGw\files_\system_info.txt
    Filesize

    1KB

    MD5

    ff28a1e43eb7792a9f6f363dca304f7b

    SHA1

    b2e460400e6d030c7c3bdf79c02e91cfbf03421e

    SHA256

    6b01a6ed270514babd944ed9b63d89e4eeea644c59ad167af7b1df26a4700341

    SHA512

    961d8a5be7e9de3e1cd92ee876a4f5bfdcae8dececdb1ec53cdc4d502c27e7ac9adf480c4fc2ac21f686a681262c737fa1dbf357e8b3b804e3cd4290c9277b41

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Cull2jGw\files_\system_info.txt
    Filesize

    8KB

    MD5

    ed29d188da95cad102d731ec03f2482e

    SHA1

    a443f3998e5edbc15d623d492a5b39f195c97821

    SHA256

    fb4baf9612ee3437684f3c2e92b5d197dd25a4d17f434e6e21fc2507ceae3751

    SHA512

    258f0f08048b1bd880ba0edb76086ea417537af4e57089ca4a69827748bccc0b32cbd6534c17912b8d534f3cacf9066ae2881aa2182ba91e41ca26927de0faca

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Cull2jGw\qWQDi6U0jh3K.zip
    Filesize

    39KB

    MD5

    7be62358b80caef5a207cc5476332a4b

    SHA1

    f9ce96f403d9ca7775e9afd8316912eb743b1725

    SHA256

    9003e8794c2ba4c14fed758802056b8ceb30dc72cf47dba0b6c36265b02cf3a5

    SHA512

    729546f4135a8981fbc0345f891eb78d67759da048a5cb6d251491b8b5674375a9e31cfd748472d992effcf7cb07e8fba76c8efb11ced95f02c5655df7f821ac

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nsdF7C.tmp\Sibuia.dll
    Filesize

    524KB

    MD5

    6a3c3c97e92a5949f88311e80268bbb5

    SHA1

    48c11e3f694b468479bc2c978749d27b5d03faa2

    SHA256

    7938db73242aafbe80915e4ca886d38be9b7e872b93bdae1e8ee6cf4a005b7d9

    SHA512

    6141886a889825ccdfa59a419f7670a34ef240c4f90a83bc17223c415f2fbd983280e98e67485710e449746b5bf3284907537bef6ab698a48954dd4910ddf693

    Download Submit
  • \Users\Admin\AppData\Local\Temp\sib1019.tmp\0\1.exe
    Filesize

    2.1MB

    MD5

    ac7e35bcbfd470a51f449556aa1fbe9e

    SHA1

    7dd5876685e9ca21f8ff5098242ead93b8423d36

    SHA256

    637b36fdc2cb3c6b930fd6ed725211a6f71d4be69f51d78330d6010305b255ac

    SHA512

    4ed25e226970b4fc12f08a605a7066291929499926c920731c34be476947d987f659f61869daa08c0bf9dfdddcc78f449b2477f4f792eef3ea022e32a2732d53

    Download Submit
  • \Users\Admin\AppData\Local\Temp\sib1019.tmp\SibClr.dll
    Filesize

    51KB

    MD5

    5ea6d2ffeb1be3fc0571961d0c4c2b5f

    SHA1

    902dfe9ae735c83fb0cb46b3e110bbf2aa80209e

    SHA256

    508336b6a7c3226738e74f6ce969e828da904ad9f7610b9112f883a316ee9222

    SHA512

    e81657087f451a37f06a07bf84175117fdaf75d5d8b84cbdc49497fcf88f96e259074518ea3037680d27c9eaeebd7a8df496297593fead88d7edea202a572585

    Download Submit
  • memory/2836-148-0x0000000000940000-0x0000000000E4B000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2836-270-0x0000000000940000-0x0000000000E4B000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2836-292-0x0000000000940000-0x0000000000E4B000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2836-30-0x0000000077C00000-0x0000000077C02000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2836-32-0x0000000002280000-0x0000000002281000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2836-31-0x0000000002290000-0x0000000002291000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2836-37-0x0000000000941000-0x000000000099C000-memory.dmp
    Filesize

    364KB

    Download
  • memory/2836-36-0x0000000002250000-0x0000000002251000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2836-35-0x0000000002300000-0x0000000002301000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2836-34-0x0000000002580000-0x0000000002581000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2836-38-0x0000000000940000-0x0000000000E4B000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2836-33-0x0000000002490000-0x0000000002491000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2836-39-0x0000000000940000-0x0000000000E4B000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2836-290-0x0000000000940000-0x0000000000E4B000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2836-288-0x0000000000940000-0x0000000000E4B000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2836-286-0x0000000000940000-0x0000000000E4B000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2836-284-0x0000000000940000-0x0000000000E4B000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2836-282-0x0000000000940000-0x0000000000E4B000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2836-279-0x0000000000940000-0x0000000000E4B000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2836-277-0x0000000000940000-0x0000000000E4B000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2836-274-0x0000000000940000-0x0000000000E4B000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2836-260-0x0000000000940000-0x0000000000E4B000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2836-262-0x0000000000940000-0x0000000000E4B000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2836-264-0x0000000000940000-0x0000000000E4B000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2836-265-0x0000000000940000-0x0000000000E4B000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2836-266-0x0000000000940000-0x0000000000E4B000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2836-272-0x0000000000940000-0x0000000000E4B000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2836-268-0x0000000000940000-0x0000000000E4B000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2836-29-0x0000000000940000-0x0000000000E4B000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2972-10-0x000000007454E000-0x000000007454F000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2972-261-0x000000001D130000-0x000000001D63B000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2972-258-0x0000000074540000-0x0000000074C2E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2972-257-0x000000007454E000-0x000000007454F000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2972-14-0x0000000002B80000-0x0000000002B92000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2972-15-0x000000000ED20000-0x000000000EDDA000-memory.dmp
    Filesize

    744KB

    Download
  • memory/2972-19-0x0000000074540000-0x0000000074C2E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2972-25-0x0000000074540000-0x0000000074C2E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2972-27-0x000000001D130000-0x000000001D63B000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2972-28-0x000000001D130000-0x000000001D63B000-memory.dmp
    Filesize

    5.0MB

    Download