Analysis

- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 05-05-2024 11:08
Static task: static1

Behavioral task: behavioral1
  Sample: 1763bb2adcedfe5bc524624aa73dc140_JaffaCakes118.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 1763bb2adcedfe5bc524624aa73dc140_JaffaCakes118.exe
  Resource: win10v2004-20240419-en

Behavioral task: behavioral3
  Sample: $PLUGINSDIR/Sibuia.dll
  Resource: win7-20240221-en

Behavioral task: behavioral4
  Sample: $PLUGINSDIR/Sibuia.dll
  Resource: win10v2004-20240419-en
General

- Target: 1763bb2adcedfe5bc524624aa73dc140_JaffaCakes118.exe
- Size: 4.3MB
- MD5: 1763bb2adcedfe5bc524624aa73dc140
- SHA1: 2df89148a27b588a9f1a99a99e17312c43c41340
- SHA256: d2638877ee593334ebe913b61a62a9cb80c75493f764c416959d34fe8a99897a
- SHA512: 92d4dc3b1dcb6793ac306bad5da80938f6d995da528a5432f7cb7655450ce035fe6d35f8d702ae46522b1f4bf127f671eb936e0f6fa28e4478c12260ff7d5337
- SSDEEP: 98304:7fdYYywRBzkQ8LepeMMsKcjetxUGFaj2S7+aFun114T:bdfBzh8L6CsCjFAlFu1e
Malware Config
Extracted
cryptbot
bibinene03.top
moraass05.top
Signatures
- CryptBot payload (20 IoCs)
  Processes (resource | yara_rule):
    behavioral1/memory/2836-38-0x0000000000940000-0x0000000000E4B000-memory.dmp | family_cryptbot
    behavioral1/memory/2836-39-0x0000000000940000-0x0000000000E4B000-memory.dmp | family_cryptbot
    behavioral1/memory/2836-148-0x0000000000940000-0x0000000000E4B000-memory.dmp | family_cryptbot
    behavioral1/memory/2836-260-0x0000000000940000-0x0000000000E4B000-memory.dmp | family_cryptbot
    behavioral1/memory/2836-262-0x0000000000940000-0x0000000000E4B000-memory.dmp | family_cryptbot
    behavioral1/memory/2836-264-0x0000000000940000-0x0000000000E4B000-memory.dmp | family_cryptbot
    behavioral1/memory/2836-265-0x0000000000940000-0x0000000000E4B000-memory.dmp | family_cryptbot
    behavioral1/memory/2836-266-0x0000000000940000-0x0000000000E4B000-memory.dmp | family_cryptbot
    behavioral1/memory/2836-268-0x0000000000940000-0x0000000000E4B000-memory.dmp | family_cryptbot
    behavioral1/memory/2836-270-0x0000000000940000-0x0000000000E4B000-memory.dmp | family_cryptbot
    behavioral1/memory/2836-272-0x0000000000940000-0x0000000000E4B000-memory.dmp | family_cryptbot
    behavioral1/memory/2836-274-0x0000000000940000-0x0000000000E4B000-memory.dmp | family_cryptbot
    behavioral1/memory/2836-277-0x0000000000940000-0x0000000000E4B000-memory.dmp | family_cryptbot
    behavioral1/memory/2836-279-0x0000000000940000-0x0000000000E4B000-memory.dmp | family_cryptbot
    behavioral1/memory/2836-282-0x0000000000940000-0x0000000000E4B000-memory.dmp | family_cryptbot
    behavioral1/memory/2836-284-0x0000000000940000-0x0000000000E4B000-memory.dmp | family_cryptbot
    behavioral1/memory/2836-286-0x0000000000940000-0x0000000000E4B000-memory.dmp | family_cryptbot
    behavioral1/memory/2836-288-0x0000000000940000-0x0000000000E4B000-memory.dmp | family_cryptbot
    behavioral1/memory/2836-290-0x0000000000940000-0x0000000000E4B000-memory.dmp | family_cryptbot
    behavioral1/memory/2836-292-0x0000000000940000-0x0000000000E4B000-memory.dmp | family_cryptbot

- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 1.exe

- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 1.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 1.exe

- Executes dropped EXE (1 IoC)
  Processes (pid | process):
    2836 | 1.exe

- Identifies Wine through registry keys (2 TTPs, 1 IoC)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes (description | ioc | process):
    Key opened | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Wine | 1.exe

- Loads dropped DLL (5 IoCs)
  Processes (pid | process):
    2972 | 1763bb2adcedfe5bc524624aa73dc140_JaffaCakes118.exe
    2972 | 1763bb2adcedfe5bc524624aa73dc140_JaffaCakes118.exe
    2972 | 1763bb2adcedfe5bc524624aa73dc140_JaffaCakes118.exe
    2972 | 1763bb2adcedfe5bc524624aa73dc140_JaffaCakes118.exe
    2972 | 1763bb2adcedfe5bc524624aa73dc140_JaffaCakes118.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes (pid | process):
    2836 | 1.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 1.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 1.exe

- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes (pid | process):
    2836 | 1.exe

- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes (pid | process):
    2836 | 1.exe
    2836 | 1.exe

- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description | pid | process | target process):
    PID 2972 wrote to memory of 2836 | 2972 | 1763bb2adcedfe5bc524624aa73dc140_JaffaCakes118.exe | 1.exe
    PID 2972 wrote to memory of 2836 | 2972 | 1763bb2adcedfe5bc524624aa73dc140_JaffaCakes118.exe | 1.exe
    PID 2972 wrote to memory of 2836 | 2972 | 1763bb2adcedfe5bc524624aa73dc140_JaffaCakes118.exe | 1.exe
    PID 2972 wrote to memory of 2836 | 2972 | 1763bb2adcedfe5bc524624aa73dc140_JaffaCakes118.exe | 1.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\1763bb2adcedfe5bc524624aa73dc140_JaffaCakes118.exe (tree depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1763bb2adcedfe5bc524624aa73dc140_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\sib1019.tmp\0\1.exe (tree depth 2, child of the process above)
    Command line: "C:\Users\Admin\AppData\Local\Temp\sib1019.tmp\0\1.exe" /s
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\Cull2jGw\_Files\_Information.txt
  Filesize: 8KB
  MD5: 2252943940a758fb6d511b278968d3b8
  SHA1: 199fc69dd1553d3da66ff4ef4924e2e251734e6b
  SHA256: d5a2a9c283b27d0cd16c281356391ae5f08fd714ebfda0f4d0b756ec0ef4012d
  SHA512: 4855586b6fd9ef459ee9bdb81216f1b9645b7fcf4148ba89ad07eb6598559189af0bbb7d4999e6e12331fe91b655d37d206c7a38cd3dafea07c587850fb6ef73

- C:\Users\Admin\AppData\Local\Temp\Cull2jGw\_Files\_Screen_Desktop.jpeg
  Filesize: 46KB
  MD5: 0a7f42f115a9a00ceff6ad37f6c24293
  SHA1: df5bf428997bb23ce46d80d69548b1cf933b93a8
  SHA256: 0bcb83f26ff71029b346d6bf618a65345c08161861bf7e583ef854bb0fe29342
  SHA512: 29468a6d5406e3d403660e8615144bd7ec8298fb44ede1ceb5299cbb9ceb53bf5510330e958891177f6c95c2f7cc1ac23de7175e016dbf2f5426b0665c4cc779

- C:\Users\Admin\AppData\Local\Temp\Cull2jGw\files_\system_info.txt
  Filesize: 1KB
  MD5: ff28a1e43eb7792a9f6f363dca304f7b
  SHA1: b2e460400e6d030c7c3bdf79c02e91cfbf03421e
  SHA256: 6b01a6ed270514babd944ed9b63d89e4eeea644c59ad167af7b1df26a4700341
  SHA512: 961d8a5be7e9de3e1cd92ee876a4f5bfdcae8dececdb1ec53cdc4d502c27e7ac9adf480c4fc2ac21f686a681262c737fa1dbf357e8b3b804e3cd4290c9277b41

- C:\Users\Admin\AppData\Local\Temp\Cull2jGw\files_\system_info.txt
  Filesize: 8KB
  MD5: ed29d188da95cad102d731ec03f2482e
  SHA1: a443f3998e5edbc15d623d492a5b39f195c97821
  SHA256: fb4baf9612ee3437684f3c2e92b5d197dd25a4d17f434e6e21fc2507ceae3751
  SHA512: 258f0f08048b1bd880ba0edb76086ea417537af4e57089ca4a69827748bccc0b32cbd6534c17912b8d534f3cacf9066ae2881aa2182ba91e41ca26927de0faca

- C:\Users\Admin\AppData\Local\Temp\Cull2jGw\qWQDi6U0jh3K.zip
  Filesize: 39KB
  MD5: 7be62358b80caef5a207cc5476332a4b
  SHA1: f9ce96f403d9ca7775e9afd8316912eb743b1725
  SHA256: 9003e8794c2ba4c14fed758802056b8ceb30dc72cf47dba0b6c36265b02cf3a5
  SHA512: 729546f4135a8981fbc0345f891eb78d67759da048a5cb6d251491b8b5674375a9e31cfd748472d992effcf7cb07e8fba76c8efb11ced95f02c5655df7f821ac

- \Users\Admin\AppData\Local\Temp\nsdF7C.tmp\Sibuia.dll
  Filesize: 524KB
  MD5: 6a3c3c97e92a5949f88311e80268bbb5
  SHA1: 48c11e3f694b468479bc2c978749d27b5d03faa2
  SHA256: 7938db73242aafbe80915e4ca886d38be9b7e872b93bdae1e8ee6cf4a005b7d9
  SHA512: 6141886a889825ccdfa59a419f7670a34ef240c4f90a83bc17223c415f2fbd983280e98e67485710e449746b5bf3284907537bef6ab698a48954dd4910ddf693

- \Users\Admin\AppData\Local\Temp\sib1019.tmp\0\1.exe
  Filesize: 2.1MB
  MD5: ac7e35bcbfd470a51f449556aa1fbe9e
  SHA1: 7dd5876685e9ca21f8ff5098242ead93b8423d36
  SHA256: 637b36fdc2cb3c6b930fd6ed725211a6f71d4be69f51d78330d6010305b255ac
  SHA512: 4ed25e226970b4fc12f08a605a7066291929499926c920731c34be476947d987f659f61869daa08c0bf9dfdddcc78f449b2477f4f792eef3ea022e32a2732d53

- \Users\Admin\AppData\Local\Temp\sib1019.tmp\SibClr.dll
  Filesize: 51KB
  MD5: 5ea6d2ffeb1be3fc0571961d0c4c2b5f
  SHA1: 902dfe9ae735c83fb0cb46b3e110bbf2aa80209e
  SHA256: 508336b6a7c3226738e74f6ce969e828da904ad9f7610b9112f883a316ee9222
  SHA512: e81657087f451a37f06a07bf84175117fdaf75d5d8b84cbdc49497fcf88f96e259074518ea3037680d27c9eaeebd7a8df496297593fead88d7edea202a572585
- memory/2836-148-0x0000000000940000-0x0000000000E4B000-memory.dmp (Filesize: 5.0MB)
- memory/2836-270-0x0000000000940000-0x0000000000E4B000-memory.dmp (Filesize: 5.0MB)
- memory/2836-292-0x0000000000940000-0x0000000000E4B000-memory.dmp (Filesize: 5.0MB)
- memory/2836-30-0x0000000077C00000-0x0000000077C02000-memory.dmp (Filesize: 8KB)
- memory/2836-32-0x0000000002280000-0x0000000002281000-memory.dmp (Filesize: 4KB)
- memory/2836-31-0x0000000002290000-0x0000000002291000-memory.dmp (Filesize: 4KB)
- memory/2836-37-0x0000000000941000-0x000000000099C000-memory.dmp (Filesize: 364KB)
- memory/2836-36-0x0000000002250000-0x0000000002251000-memory.dmp (Filesize: 4KB)
- memory/2836-35-0x0000000002300000-0x0000000002301000-memory.dmp (Filesize: 4KB)
- memory/2836-34-0x0000000002580000-0x0000000002581000-memory.dmp (Filesize: 4KB)
- memory/2836-38-0x0000000000940000-0x0000000000E4B000-memory.dmp (Filesize: 5.0MB)
- memory/2836-33-0x0000000002490000-0x0000000002491000-memory.dmp (Filesize: 4KB)
- memory/2836-39-0x0000000000940000-0x0000000000E4B000-memory.dmp (Filesize: 5.0MB)
- memory/2836-290-0x0000000000940000-0x0000000000E4B000-memory.dmp (Filesize: 5.0MB)
- memory/2836-288-0x0000000000940000-0x0000000000E4B000-memory.dmp (Filesize: 5.0MB)
- memory/2836-286-0x0000000000940000-0x0000000000E4B000-memory.dmp (Filesize: 5.0MB)
- memory/2836-284-0x0000000000940000-0x0000000000E4B000-memory.dmp (Filesize: 5.0MB)
- memory/2836-282-0x0000000000940000-0x0000000000E4B000-memory.dmp (Filesize: 5.0MB)
- memory/2836-279-0x0000000000940000-0x0000000000E4B000-memory.dmp (Filesize: 5.0MB)
- memory/2836-277-0x0000000000940000-0x0000000000E4B000-memory.dmp (Filesize: 5.0MB)
- memory/2836-274-0x0000000000940000-0x0000000000E4B000-memory.dmp (Filesize: 5.0MB)
- memory/2836-260-0x0000000000940000-0x0000000000E4B000-memory.dmp (Filesize: 5.0MB)
- memory/2836-262-0x0000000000940000-0x0000000000E4B000-memory.dmp (Filesize: 5.0MB)
- memory/2836-264-0x0000000000940000-0x0000000000E4B000-memory.dmp (Filesize: 5.0MB)
- memory/2836-265-0x0000000000940000-0x0000000000E4B000-memory.dmp (Filesize: 5.0MB)
- memory/2836-266-0x0000000000940000-0x0000000000E4B000-memory.dmp (Filesize: 5.0MB)
- memory/2836-272-0x0000000000940000-0x0000000000E4B000-memory.dmp (Filesize: 5.0MB)
- memory/2836-268-0x0000000000940000-0x0000000000E4B000-memory.dmp (Filesize: 5.0MB)
- memory/2836-29-0x0000000000940000-0x0000000000E4B000-memory.dmp (Filesize: 5.0MB)
- memory/2972-10-0x000000007454E000-0x000000007454F000-memory.dmp (Filesize: 4KB)
- memory/2972-261-0x000000001D130000-0x000000001D63B000-memory.dmp (Filesize: 5.0MB)
- memory/2972-258-0x0000000074540000-0x0000000074C2E000-memory.dmp (Filesize: 6.9MB)
- memory/2972-257-0x000000007454E000-0x000000007454F000-memory.dmp (Filesize: 4KB)
- memory/2972-14-0x0000000002B80000-0x0000000002B92000-memory.dmp (Filesize: 72KB)
- memory/2972-15-0x000000000ED20000-0x000000000EDDA000-memory.dmp (Filesize: 744KB)
- memory/2972-19-0x0000000074540000-0x0000000074C2E000-memory.dmp (Filesize: 6.9MB)
- memory/2972-25-0x0000000074540000-0x0000000074C2E000-memory.dmp (Filesize: 6.9MB)
- memory/2972-27-0x000000001D130000-0x000000001D63B000-memory.dmp (Filesize: 5.0MB)
- memory/2972-28-0x000000001D130000-0x000000001D63B000-memory.dmp (Filesize: 5.0MB)