Analysis
max time kernel: 149s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-05-2024 11:08
Static task: static1
Behavioral task: behavioral1
  Sample: 1763bb2adcedfe5bc524624aa73dc140_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 1763bb2adcedfe5bc524624aa73dc140_JaffaCakes118.exe
  Resource: win10v2004-20240419-en
Behavioral task: behavioral3
  Sample: $PLUGINSDIR/Sibuia.dll
  Resource: win7-20240221-en
Behavioral task: behavioral4
  Sample: $PLUGINSDIR/Sibuia.dll
  Resource: win10v2004-20240419-en
General
Target: 1763bb2adcedfe5bc524624aa73dc140_JaffaCakes118.exe
Size: 4.3MB
MD5: 1763bb2adcedfe5bc524624aa73dc140
SHA1: 2df89148a27b588a9f1a99a99e17312c43c41340
SHA256: d2638877ee593334ebe913b61a62a9cb80c75493f764c416959d34fe8a99897a
SHA512: 92d4dc3b1dcb6793ac306bad5da80938f6d995da528a5432f7cb7655450ce035fe6d35f8d702ae46522b1f4bf127f671eb936e0f6fa28e4478c12260ff7d5337
SSDEEP: 98304:7fdYYywRBzkQ8LepeMMsKcjetxUGFaj2S7+aFun114T:bdfBzh8L6CsCjFAlFu1e
Malware Config
Extracted
cryptbot
bibinene03.top
moraass05.top
Signatures
- CryptBot payload 20 IoCs
  Processes:
  resource  yara_rule
  behavioral2/memory/3696-30-0x0000000000E10000-0x000000000131B000-memory.dmp  family_cryptbot
  behavioral2/memory/3696-31-0x0000000000E10000-0x000000000131B000-memory.dmp  family_cryptbot
  behavioral2/memory/3696-139-0x0000000000E10000-0x000000000131B000-memory.dmp  family_cryptbot
  behavioral2/memory/3696-246-0x0000000000E10000-0x000000000131B000-memory.dmp  family_cryptbot
  behavioral2/memory/3696-251-0x0000000000E10000-0x000000000131B000-memory.dmp  family_cryptbot
  behavioral2/memory/3696-252-0x0000000000E10000-0x000000000131B000-memory.dmp  family_cryptbot
  behavioral2/memory/3696-253-0x0000000000E10000-0x000000000131B000-memory.dmp  family_cryptbot
  behavioral2/memory/3696-256-0x0000000000E10000-0x000000000131B000-memory.dmp  family_cryptbot
  behavioral2/memory/3696-258-0x0000000000E10000-0x000000000131B000-memory.dmp  family_cryptbot
  behavioral2/memory/3696-261-0x0000000000E10000-0x000000000131B000-memory.dmp  family_cryptbot
  behavioral2/memory/3696-264-0x0000000000E10000-0x000000000131B000-memory.dmp  family_cryptbot
  behavioral2/memory/3696-267-0x0000000000E10000-0x000000000131B000-memory.dmp  family_cryptbot
  behavioral2/memory/3696-270-0x0000000000E10000-0x000000000131B000-memory.dmp  family_cryptbot
  behavioral2/memory/3696-272-0x0000000000E10000-0x000000000131B000-memory.dmp  family_cryptbot
  behavioral2/memory/3696-275-0x0000000000E10000-0x000000000131B000-memory.dmp  family_cryptbot
  behavioral2/memory/3696-278-0x0000000000E10000-0x000000000131B000-memory.dmp  family_cryptbot
  behavioral2/memory/3696-283-0x0000000000E10000-0x000000000131B000-memory.dmp  family_cryptbot
  behavioral2/memory/3696-286-0x0000000000E10000-0x000000000131B000-memory.dmp  family_cryptbot
  behavioral2/memory/3696-289-0x0000000000E10000-0x000000000131B000-memory.dmp  family_cryptbot
  behavioral2/memory/3696-293-0x0000000000E10000-0x000000000131B000-memory.dmp  family_cryptbot
- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  Processes: 1.exe
  description  ioc  process
  Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  1.exe
- Checks BIOS information in registry 2 TTPs 2 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  Processes: 1.exe
  description  ioc  process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  1.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  1.exe
- Executes dropped EXE 1 IoCs
  Processes: 1.exe
  pid  process
  3696  1.exe
- Identifies Wine through registry keys 2 TTPs 1 IoCs
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes: 1.exe
  description  ioc  process
  Key opened  \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Software\Wine  1.exe
- Loads dropped DLL 3 IoCs
  Processes: 1763bb2adcedfe5bc524624aa73dc140_JaffaCakes118.exe
  pid  process
  4328  1763bb2adcedfe5bc524624aa73dc140_JaffaCakes118.exe
  4328  1763bb2adcedfe5bc524624aa73dc140_JaffaCakes118.exe
  4328  1763bb2adcedfe5bc524624aa73dc140_JaffaCakes118.exe
- Reads user/profile data of web browsers 2 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
- Checks installed software on the system 1 TTPs
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  Processes: 1.exe
  pid  process
  3696  1.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry 2 TTPs 2 IoCs
  Processor information is often read in order to detect sandboxing environments.
  Processes: 1.exe
  description  ioc  process
  Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  1.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  1.exe
- Suspicious behavior: EnumeratesProcesses 2 IoCs
  Processes: 1.exe
  pid  process
  3696  1.exe
  3696  1.exe
- Suspicious use of FindShellTrayWindow 2 IoCs
  Processes: 1.exe
  pid  process
  3696  1.exe
  3696  1.exe
- Suspicious use of WriteProcessMemory 3 IoCs
  Processes: 1763bb2adcedfe5bc524624aa73dc140_JaffaCakes118.exe
  description  pid  process  target process
  PID 4328 wrote to memory of 3696  4328  1763bb2adcedfe5bc524624aa73dc140_JaffaCakes118.exe  1.exe
  PID 4328 wrote to memory of 3696  4328  1763bb2adcedfe5bc524624aa73dc140_JaffaCakes118.exe  1.exe
  PID 4328 wrote to memory of 3696  4328  1763bb2adcedfe5bc524624aa73dc140_JaffaCakes118.exe  1.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\1763bb2adcedfe5bc524624aa73dc140_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1763bb2adcedfe5bc524624aa73dc140_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\sib4548.tmp\0\1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\sib4548.tmp\0\1.exe" /s
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\Cull2jGw\4rOZ4TqhokZ.zip
  Filesize: 42KB
  MD5: 075bebd4c55707e461a3a3aca36d6fbe
  SHA1: a52b0d6fe71e4544f762dd585602ad38d7c1ed3e
  SHA256: bdc8f0fc67b93bbe59921b91f2e8510a4e8b01b96fcff32f78f53e3c4d273b00
  SHA512: e9f8ed8df66faa939e2826b0cf0842abb31439be3374a6adf06cfee5d791ded5d8c96af08098862c7f7547de2007fbb4dc2ba618f83d5fccdb2e8953daa20ded
- C:\Users\Admin\AppData\Local\Temp\Cull2jGw\_Files\_Information.txt
  Filesize: 7KB
  MD5: 7f0d498a23b8036bd3968812359480db
  SHA1: dcab3fcbeed7c6103d096e7ac25b52ea40c58508
  SHA256: aac9c0d6f39925a3f476556cafafc05e3b50505a55343e44fa286853e29fae9c
  SHA512: 353cfba2880cbd28d6b63d241d0986da4c232aae6c50f586511ca0bbf22317efcd12fe90fce06bc083596c57311d7d3cd2476f300f8591ef99e0d3bf78ffdde8
- C:\Users\Admin\AppData\Local\Temp\Cull2jGw\_Files\_Screen_Desktop.jpeg
  Filesize: 48KB
  MD5: 5046c4434a73094091bcfebd5524a28b
  SHA1: f2de843e873e48db769841ac7df25d743984e49b
  SHA256: ca5a8ab975e95f2a8ee10c59c0d1cdb19228a44c6eaf64831c3d4bd63fc8790f
  SHA512: 2c8a67e31652a6036156534b3a1bb385da01d3313e0835a3be1db7007cff2eadc7dcdc8349e1337bc0bb3567d86d7bceafd0a4b787ba54089e5530c19616ca83
- C:\Users\Admin\AppData\Local\Temp\Cull2jGw\files_\system_info.txt
  Filesize: 1KB
  MD5: d1275b13fd0ee33a3332434d208a57a6
  SHA1: ea8d76da08ff55c2ed526fb869f4a9b830ad2bc4
  SHA256: be6088d1c66d4284d369c2400186fd2ef7bb208d1fac6436d378129e79dfcdac
  SHA512: 90faaed9a27f5b721082bc4e1646bcac4a53b0ddc258efccab21a02c4dc84e3beef2a82f974897e7546c21b6cffeb7f03b97c37574d8c7723d4a2d4cdfcb8631
- C:\Users\Admin\AppData\Local\Temp\Cull2jGw\files_\system_info.txt
  Filesize: 7KB
  MD5: d5b609972d7a1de7ed1c2b821d972edb
  SHA1: adf891cfa1f0ced4512d38e1e4b5b96917d3db8e
  SHA256: dad6344e1cfcdd974c87b947bd65206be59140581a2a1e7df336d6eea7b77487
  SHA512: 2c00e4096a137d407defa75200781062da4f3e2d0008fbdddeecdf30c726cbbcce3e2949f0d162c168827cea3fb079361ebdf1c950f70e72391d68bc930f5988
- C:\Users\Admin\AppData\Local\Temp\Cull2jGw\qWQDi6U0jh3K.zip
  Filesize: 42KB
  MD5: 85358d5f084a3c1d132271cb1768ff6a
  SHA1: 7a7f601582de3f016463dffcb7823c3ea4861905
  SHA256: 3447311fb7d00aba71b3984d4fb2ed214577d0d551ef4d9d0c7f47c0e47dd9c1
  SHA512: c220d62f151379690d0f296af0bb4579dadc27bcc719fe2fadebcb47dc878f251c4d6772fb35b80c67187e6da0c195f5a331c15103980e91d16816fa441d5037
- C:\Users\Admin\AppData\Local\Temp\nso449B.tmp\Sibuia.dll
  Filesize: 524KB
  MD5: 6a3c3c97e92a5949f88311e80268bbb5
  SHA1: 48c11e3f694b468479bc2c978749d27b5d03faa2
  SHA256: 7938db73242aafbe80915e4ca886d38be9b7e872b93bdae1e8ee6cf4a005b7d9
  SHA512: 6141886a889825ccdfa59a419f7670a34ef240c4f90a83bc17223c415f2fbd983280e98e67485710e449746b5bf3284907537bef6ab698a48954dd4910ddf693
- C:\Users\Admin\AppData\Local\Temp\sib4548.tmp\0\1.exe
  Filesize: 2.1MB
  MD5: ac7e35bcbfd470a51f449556aa1fbe9e
  SHA1: 7dd5876685e9ca21f8ff5098242ead93b8423d36
  SHA256: 637b36fdc2cb3c6b930fd6ed725211a6f71d4be69f51d78330d6010305b255ac
  SHA512: 4ed25e226970b4fc12f08a605a7066291929499926c920731c34be476947d987f659f61869daa08c0bf9dfdddcc78f449b2477f4f792eef3ea022e32a2732d53
- C:\Users\Admin\AppData\Local\Temp\sib4548.tmp\SibClr.dll
  Filesize: 51KB
  MD5: 5ea6d2ffeb1be3fc0571961d0c4c2b5f
  SHA1: 902dfe9ae735c83fb0cb46b3e110bbf2aa80209e
  SHA256: 508336b6a7c3226738e74f6ce969e828da904ad9f7610b9112f883a316ee9222
  SHA512: e81657087f451a37f06a07bf84175117fdaf75d5d8b84cbdc49497fcf88f96e259074518ea3037680d27c9eaeebd7a8df496297593fead88d7edea202a572585
- memory/3696-30-0x0000000000E10000-0x000000000131B000-memory.dmp  Filesize: 5.0MB
- memory/3696-252-0x0000000000E10000-0x000000000131B000-memory.dmp  Filesize: 5.0MB
- memory/3696-29-0x0000000000E11000-0x0000000000E6C000-memory.dmp  Filesize: 364KB
- memory/3696-28-0x0000000005690000-0x0000000005691000-memory.dmp  Filesize: 4KB
- memory/3696-27-0x0000000005680000-0x0000000005681000-memory.dmp  Filesize: 4KB
- memory/3696-26-0x0000000005670000-0x0000000005671000-memory.dmp  Filesize: 4KB
- memory/3696-25-0x0000000005660000-0x0000000005661000-memory.dmp  Filesize: 4KB
- memory/3696-31-0x0000000000E10000-0x000000000131B000-memory.dmp  Filesize: 5.0MB
- memory/3696-23-0x0000000000E10000-0x000000000131B000-memory.dmp  Filesize: 5.0MB
- memory/3696-139-0x0000000000E10000-0x000000000131B000-memory.dmp  Filesize: 5.0MB
- memory/3696-293-0x0000000000E10000-0x000000000131B000-memory.dmp  Filesize: 5.0MB
- memory/3696-289-0x0000000000E10000-0x000000000131B000-memory.dmp  Filesize: 5.0MB
- memory/3696-286-0x0000000000E10000-0x000000000131B000-memory.dmp  Filesize: 5.0MB
- memory/3696-246-0x0000000000E10000-0x000000000131B000-memory.dmp  Filesize: 5.0MB
- memory/3696-283-0x0000000000E10000-0x000000000131B000-memory.dmp  Filesize: 5.0MB
- memory/3696-278-0x0000000000E10000-0x000000000131B000-memory.dmp  Filesize: 5.0MB
- memory/3696-251-0x0000000000E10000-0x000000000131B000-memory.dmp  Filesize: 5.0MB
- memory/3696-24-0x0000000077834000-0x0000000077836000-memory.dmp  Filesize: 8KB
- memory/3696-253-0x0000000000E10000-0x000000000131B000-memory.dmp  Filesize: 5.0MB
- memory/3696-275-0x0000000000E10000-0x000000000131B000-memory.dmp  Filesize: 5.0MB
- memory/3696-256-0x0000000000E10000-0x000000000131B000-memory.dmp  Filesize: 5.0MB
- memory/3696-258-0x0000000000E10000-0x000000000131B000-memory.dmp  Filesize: 5.0MB
- memory/3696-261-0x0000000000E10000-0x000000000131B000-memory.dmp  Filesize: 5.0MB
- memory/3696-264-0x0000000000E10000-0x000000000131B000-memory.dmp  Filesize: 5.0MB
- memory/3696-267-0x0000000000E10000-0x000000000131B000-memory.dmp  Filesize: 5.0MB
- memory/3696-270-0x0000000000E10000-0x000000000131B000-memory.dmp  Filesize: 5.0MB
- memory/3696-272-0x0000000000E10000-0x000000000131B000-memory.dmp  Filesize: 5.0MB
- memory/4328-14-0x000000000EBA0000-0x000000000EBB2000-memory.dmp  Filesize: 72KB
- memory/4328-249-0x0000000074010000-0x00000000747C0000-memory.dmp  Filesize: 7.7MB
- memory/4328-248-0x000000007401E000-0x000000007401F000-memory.dmp  Filesize: 4KB
- memory/4328-15-0x0000000074010000-0x00000000747C0000-memory.dmp  Filesize: 7.7MB
- memory/4328-10-0x000000007401E000-0x000000007401F000-memory.dmp  Filesize: 4KB
- memory/4328-16-0x0000000010D20000-0x0000000010DDA000-memory.dmp  Filesize: 744KB
- memory/4328-22-0x0000000074010000-0x00000000747C0000-memory.dmp  Filesize: 7.7MB