Overview (score 10)
Static (score 3)
Tasks and scores:
  28fc393e1c...18.exe   windows7-x64        10
  28fc393e1c...18.exe   windows10-2004-x64  10
  $PLUGINSDI...em.dll   windows7-x64        3
  $PLUGINSDI...em.dll   windows10-2004-x64  3
  $PLUGINSDIR/UAC.dll   windows7-x64        3
  $PLUGINSDIR/UAC.dll   windows10-2004-x64  3
  $PLUGINSDI...fo.dll   windows7-x64        3
  $PLUGINSDI...fo.dll   windows10-2004-x64  3
  $PLUGINSDI...gs.dll   windows7-x64        3
  $PLUGINSDI...gs.dll   windows10-2004-x64  3
  Setup.exe             windows7-x64        10
  Setup.exe             windows10-2004-x64  10
  SetupX.exe            windows7-x64        9
  SetupX.exe            windows10-2004-x64  9
Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-05-2024 07:45
Static task: static1
Behavioral tasks (task, sample, resource):
  behavioral1   28fc393e1c89bb2945827aebf566fa31_JaffaCakes118.exe  win7-20240508-en
  behavioral2   28fc393e1c89bb2945827aebf566fa31_JaffaCakes118.exe  win10v2004-20240508-en
  behavioral3   $PLUGINSDIR/System.dll                              win7-20240419-en
  behavioral4   $PLUGINSDIR/System.dll                              win10v2004-20240508-en
  behavioral5   $PLUGINSDIR/UAC.dll                                 win7-20240221-en
  behavioral6   $PLUGINSDIR/UAC.dll                                 win10v2004-20240226-en
  behavioral7   $PLUGINSDIR/UserInfo.dll                            win7-20240221-en
  behavioral8   $PLUGINSDIR/UserInfo.dll                            win10v2004-20240508-en
  behavioral9   $PLUGINSDIR/nsDialogs.dll                           win7-20240508-en
  behavioral10  $PLUGINSDIR/nsDialogs.dll                           win10v2004-20240508-en
  behavioral11  Setup.exe                                           win7-20240220-en
  behavioral12  Setup.exe                                           win10v2004-20240426-en
  behavioral13  SetupX.exe                                          win7-20240419-en
  behavioral14  SetupX.exe                                          win10v2004-20240426-en
General
Target: 28fc393e1c89bb2945827aebf566fa31_JaffaCakes118.exe
Size: 4.1MB
MD5: 28fc393e1c89bb2945827aebf566fa31
SHA1: 851fd5cb4e98a5fc9e978d6d05287715eb74a9e8
SHA256: 8860956c8e44c46a67a4325034d4c612aae7721c928668f5148e4a1bc5bf8779
SHA512: a58f626e831f4f1e906fad432217ac271a7818ae80f08713198b57103ce0fcd1c0a46ac6c961bc2408394ce42271fec10dd4c620dc0c19504068db3a1aa14f2e
SSDEEP: 98304:ms6TTJArKDxV4bMCkzJLnaeMj86mcyUrKamVAtMfqc:m1J6KEgnzJWhB/ybhN
Malware Config
Extracted
cryptbot
bube01.info
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
Processes: Setup.exe, SetupX.exe
  description  ioc                                          process
  Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  Setup.exe
  Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  SetupX.exe
Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: Setup.exe, SetupX.exe
  description        ioc                                                               process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  Setup.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   Setup.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  SetupX.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   SetupX.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes: SetupX.exe, Setup.exe
  description        ioc                                                                                                     process
  Key value queried  \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation  SetupX.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation  Setup.exe
Executes dropped EXE (2 IoCs)
Processes: Setup.exe, SetupX.exe
  pid   process
  232   Setup.exe
  1404  SetupX.exe
Identifies Wine through registry keys (2 TTPs, 2 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: SetupX.exe, Setup.exe
  description  ioc                                                                      process
  Key opened   \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine  SetupX.exe
  Key opened   \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine  Setup.exe
Loads dropped DLL (1 IoCs)
Processes: 28fc393e1c89bb2945827aebf566fa31_JaffaCakes118.exe
  pid   process
  3228  28fc393e1c89bb2945827aebf566fa31_JaffaCakes118.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 4 IoCs)
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  1     ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes: Setup.exe, SetupX.exe
  pid   process
  232   Setup.exe
  1404  SetupX.exe
Drops file in Program Files directory (6 IoCs)
Processes: 28fc393e1c89bb2945827aebf566fa31_JaffaCakes118.exe
  description   ioc                                                  process
  File created  C:\Program Files (x86)\Busa\registration_info.php   28fc393e1c89bb2945827aebf566fa31_JaffaCakes118.exe
  File created  C:\Program Files (x86)\Busa\Setup.exe               28fc393e1c89bb2945827aebf566fa31_JaffaCakes118.exe
  File created  C:\Program Files (x86)\Busa\SetupX.exe              28fc393e1c89bb2945827aebf566fa31_JaffaCakes118.exe
  File created  C:\Program Files (x86)\Busa\database_access.php     28fc393e1c89bb2945827aebf566fa31_JaffaCakes118.exe
  File created  C:\Program Files (x86)\Busa\order.php               28fc393e1c89bb2945827aebf566fa31_JaffaCakes118.exe
  File created  C:\Program Files (x86)\Busa\product.php             28fc393e1c89bb2945827aebf566fa31_JaffaCakes118.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: Setup.exe
  description        ioc                                                                                 process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                    Setup.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  Setup.exe
Delays execution with timeout.exe (1 IoCs)
Processes: timeout.exe
  pid   process
  4300  timeout.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: Setup.exe, SetupX.exe
  pid   process
  232   Setup.exe   (x2)
  1404  SetupX.exe  (x2)
Suspicious use of FindShellTrayWindow (12 IoCs)
Processes: Setup.exe
  pid   process
  232   Setup.exe   (x12)
Suspicious use of WriteProcessMemory (12 IoCs)
Processes: 28fc393e1c89bb2945827aebf566fa31_JaffaCakes118.exe, Setup.exe, cmd.exe
  description                      pid   process                                             target process
  PID 3228 wrote to memory of 232   3228  28fc393e1c89bb2945827aebf566fa31_JaffaCakes118.exe  Setup.exe    (x3)
  PID 3228 wrote to memory of 1404  3228  28fc393e1c89bb2945827aebf566fa31_JaffaCakes118.exe  SetupX.exe   (x3)
  PID 232 wrote to memory of 1280   232   Setup.exe                                           cmd.exe      (x3)
  PID 1280 wrote to memory of 4300  1280  cmd.exe                                             timeout.exe  (x3)
Processes (process tree; indentation shows parent/child depth)
C:\Users\Admin\AppData\Local\Temp\28fc393e1c89bb2945827aebf566fa31_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\28fc393e1c89bb2945827aebf566fa31_JaffaCakes118.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Busa\Setup.exe
    Command line: "C:\Program Files (x86)\Busa\Setup.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\C8B2prEbJ0Z4MKVi & timeout 2 & del /f /q "C:\Program Files (x86)\Busa\Setup.exe"
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\timeout.exe
        Command line: timeout 2
        - Delays execution with timeout.exe
  C:\Program Files (x86)\Busa\SetupX.exe
    Command line: "C:\Program Files (x86)\Busa\SetupX.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Program Files (x86)\Busa\Setup.exe
  Filesize: 2.2MB
  MD5: 3e2939633756d5eafd71201a32b971ed
  SHA1: 1c9b05c647de8ba96ede7cd9054b13e8b6be7725
  SHA256: c955bf4ec24e5b286fcc12fb9954d08f6a4bf323b5133ec268b37f68d01b8e6a
  SHA512: 96e06d5972bd6ad8d836a18155c63f2022a4c626b5229c84755bc864ada567bfb5e4e3a4d6f4c63826c5ae3ceec6932f6a9b5f24e7649eb5424dbf8a85a5a954
C:\Program Files (x86)\Busa\SetupX.exe
  Filesize: 2.0MB
  MD5: a4900d9fe88f8ac892c383486088288c
  SHA1: 28c089bf25992b270a4e7039bc880ba520186976
  SHA256: 19e5e1df78d2545c13f25dfa94c33011822693461bba6c565d585a55b72343da
  SHA512: 2c3c17183ce2675e2eb729b7e8cd4a879f45c81dea5dbc918ad7a3f14ee81b0fc4872ed9ad23e0700412ed192750a0bc9910a9948d0103b5b592ad644d271711
C:\ProgramData\C8B2prEbJ0Z4MKVi\47283761.txt
  Filesize: 156B
  MD5: b5089e0c5a3d5377e9bd19c0557ef04e
  SHA1: 9402e326be3d240e234c06892b15c24e93c93eb8
  SHA256: d77789b2c49759c882f4fdd6f53e665b0d012f8f0949d0150eaba47fbf2a0eb5
  SHA512: 942349ccb99854f274ef1e20b623660588e15bd0d25bfc817fe9b2d010db656af340652e0e67b41edbf0cf259d55ab880d6b50acb1d7e8ab394f1393f7956c13
C:\ProgramData\C8B2prEbJ0Z4MKVi\Files\Files\Desktop\DISCON~1.TXT
  Filesize: 645KB
  MD5: d16f66acd2303b14049d0f4e1cce28c3
  SHA1: 0b475e7882d1f5a5564b92ee220cf1ff1d976e70
  SHA256: b1bed47f1dcee099d374eb63f9df7cbbdf52a213cc00fe4809ca5b7a96566495
  SHA512: 1e3d31db74a19b42145a2b86640d524bcf1786a3c6e4d0f88eac72d2b48ab52d09ab5c8475c038fea7ab1d5cae114e2e1975ae319d43622d2584ad7391419081
C:\ProgramData\C8B2prEbJ0Z4MKVi\Files\_Info.txt
  Filesize: 7KB
  MD5: ee651efa6bb6f25d787c154f4f2d1d21
  SHA1: 04e84a6b718beb6cde9f34db7a02c57b52db230c
  SHA256: 4e645f531e05e679856ff744076eeaf834bc4f2c7a73f609e85f8145bd77c3ac
  SHA512: 4ba39b68237ac12bfd6697d89031c2565477b0b05ba8104b11a25be3f90de3809d46e8426997762ad6d7fd0f6ffec5e4179ceaa0550267db854fb6ea68e2e5a5
C:\ProgramData\C8B2prEbJ0Z4MKVi\Files\_Info.txt
  Filesize: 5KB
  MD5: 3ef4a2a22897d547aeecc6d39f735d82
  SHA1: 4e117dfdf3c1f4880f712a5898579d09208d5ced
  SHA256: 5ecf718b271e42cdbb144b6a4de3c82f0c314213eee417d8e4f6b098c55797f1
  SHA512: 04ffca3cd33f3129bf7939bccb73f082d39dcf5be6459c2b892ee537bff43756e57c921b7f5087ecebeca5ba02c515e90979d8271ca137189f2a90d88738f4bc
C:\ProgramData\C8B2prEbJ0Z4MKVi\Files\_Screen.jpg
  Filesize: 55KB
  MD5: ec869b0d819853d98973e43eda6f96d2
  SHA1: 9c7a4c1beb668fbc9d5b25c49b5d77156e1c96d2
  SHA256: 28c2e84fb8665a644b099873f6bc2d9ec5c15b8b34531eae439d95e2b7caed5e
  SHA512: 40c8ae8e06960612dd235211caae2d7fa002894c434c75981c42d95e5e4640abc6fdc70448d3da40e20bc866ace8c1fd2657087e4f30bc441a67751f03ab76d6
C:\ProgramData\C8B2prEbJ0Z4MKVi\MOZ_CO~1.DB
  Filesize: 96KB
  MD5: d367ddfda80fdcf578726bc3b0bc3e3c
  SHA1: 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
  SHA256: 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
  SHA512: 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77
C:\ProgramData\C8B2prEbJ0Z4MKVi\lOt7XXmwxAJR.zip
  Filesize: 695KB
  MD5: 70ff4f7929c5969b4181d02284ba24ef
  SHA1: 246a5aec3666969f90781787b350bf5328509415
  SHA256: f103b25d5a43c5a3257b3a6222dd8df524b20732ba59434edfbaa28bd6cb6733
  SHA512: 9d9e047f77d9a983dbdcc405338c4ee512c6a28fdee70957d54d52710db411b3865dd2dc66e9b632a9e6700da701a85362012861f9571269d1e60687f33b1c5b
C:\Users\Admin\AppData\Local\Temp\nsy4ECD.tmp\UAC.dll
  Filesize: 14KB
  MD5: adb29e6b186daa765dc750128649b63d
  SHA1: 160cbdc4cb0ac2c142d361df138c537aa7e708c9
  SHA256: 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
  SHA512: b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada
C:\Users\Admin\AppData\Roaming\rfdertgvfd.exe
  Filesize: 14KB
  MD5: bb83a1a215ce02e755ae96599f741e90
  SHA1: b47fddd4a2da8e73465c6f71bdddc801267ffde7
  SHA256: c3e45e43b1447f38b7f1ef33ae488c73982b8830859dc826b4a647a32dbf9813
  SHA512: 6c7b71a2791fb3203d3d7b994943f49087ff4917ad19ec58db285631791a8dcd1e96f641ed5932799b863f15816d1ed301d5fe66e9ff784e6f592b67b9cb7c78
Memory dumps (dump, filesize):
  memory/232-21-0x0000000005180000-0x0000000005181000-memory.dmp    4KB
  memory/232-186-0x00000000006E0000-0x0000000000C28000-memory.dmp   5.3MB
  memory/232-33-0x00000000006E0000-0x0000000000C28000-memory.dmp    5.3MB
  memory/232-22-0x00000000051A0000-0x00000000051A1000-memory.dmp    4KB
  memory/232-23-0x00000000051B0000-0x00000000051B1000-memory.dmp    4KB
  memory/232-38-0x0000000005170000-0x0000000005171000-memory.dmp    4KB
  memory/232-43-0x00000000051D0000-0x00000000051D1000-memory.dmp    4KB
  memory/232-44-0x00000000051C0000-0x00000000051C1000-memory.dmp    4KB
  memory/232-25-0x0000000005150000-0x0000000005151000-memory.dmp    4KB
  memory/232-27-0x00000000006E1000-0x0000000000740000-memory.dmp    380KB
  memory/232-20-0x0000000077C34000-0x0000000077C36000-memory.dmp    8KB
  memory/232-251-0x00000000006E0000-0x0000000000C28000-memory.dmp   5.3MB
  memory/232-183-0x00000000006E0000-0x0000000000C28000-memory.dmp   5.3MB
  memory/232-181-0x00000000006E0000-0x0000000000C28000-memory.dmp   5.3MB
  memory/232-248-0x00000000006E0000-0x0000000000C28000-memory.dmp   5.3MB
  memory/232-36-0x00000000006E0000-0x0000000000C28000-memory.dmp    5.3MB
  memory/232-14-0x00000000006E0000-0x0000000000C28000-memory.dmp    5.3MB
  memory/232-245-0x00000000006E0000-0x0000000000C28000-memory.dmp   5.3MB
  memory/232-188-0x00000000006E0000-0x0000000000C28000-memory.dmp   5.3MB
  memory/232-242-0x00000000006E0000-0x0000000000C28000-memory.dmp   5.3MB
  memory/232-239-0x00000000006E0000-0x0000000000C28000-memory.dmp   5.3MB
  memory/232-197-0x00000000006E0000-0x0000000000C28000-memory.dmp   5.3MB
  memory/232-236-0x00000000006E0000-0x0000000000C28000-memory.dmp   5.3MB
  memory/232-234-0x00000000006E0000-0x0000000000C28000-memory.dmp   5.3MB
  memory/232-202-0x00000000006E0000-0x0000000000C28000-memory.dmp   5.3MB
  memory/232-231-0x00000000006E0000-0x0000000000C28000-memory.dmp   5.3MB
  memory/232-206-0x00000000006E0000-0x0000000000C28000-memory.dmp   5.3MB
  memory/232-228-0x00000000006E0000-0x0000000000C28000-memory.dmp   5.3MB
  memory/232-211-0x00000000006E0000-0x0000000000C28000-memory.dmp   5.3MB
  memory/1404-40-0x0000000009F80000-0x0000000009F81000-memory.dmp   4KB
  memory/1404-212-0x0000000000400000-0x0000000000918000-memory.dmp  5.1MB
  memory/1404-225-0x0000000000400000-0x0000000000918000-memory.dmp  5.1MB
  memory/1404-226-0x0000000009FB0000-0x0000000009FB1000-memory.dmp  4KB
  memory/1404-207-0x0000000000400000-0x0000000000918000-memory.dmp  5.1MB
  memory/1404-203-0x0000000000400000-0x0000000000918000-memory.dmp  5.1MB
  memory/1404-198-0x0000000000400000-0x0000000000918000-memory.dmp  5.1MB
  memory/1404-199-0x0000000009E30000-0x0000000009E32000-memory.dmp  8KB
  memory/1404-192-0x0000000009E10000-0x0000000009E11000-memory.dmp  4KB
  memory/1404-190-0x0000000000400000-0x0000000000918000-memory.dmp  5.1MB
  memory/1404-189-0x0000000000400000-0x0000000000918000-memory.dmp  5.1MB
  memory/1404-184-0x0000000000400000-0x0000000000918000-memory.dmp  5.1MB
  memory/1404-182-0x0000000000400000-0x0000000000918000-memory.dmp  5.1MB
  memory/1404-169-0x0000000009FF0000-0x0000000009FF2000-memory.dmp  8KB
  memory/1404-39-0x0000000009FA0000-0x0000000009FA1000-memory.dmp   4KB
  memory/1404-37-0x0000000000400000-0x0000000000918000-memory.dmp   5.1MB
  memory/1404-19-0x0000000000400000-0x0000000000918000-memory.dmp   5.1MB