Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
12-05-2024 08:11
General
-
Target
391e2d06937e05a9bdeb74bcea764010_JaffaCakes118.exe
-
Size
2.0MB
-
MD5
391e2d06937e05a9bdeb74bcea764010
-
SHA1
bdffd3a4e55f18f731de225d7ed87ae437723e76
-
SHA256
a561427aa3eb2da59e87cb827aebae00a70ffc3abf87cc044e242a9ca056806f
-
SHA512
cf2c6ac5fe59184fdd57c885df5763f284b144c7968fb8598c22a77770d7d194e9e65dd3f1ede204459687f46b857e9a5523fb02ee7f2249f419232c4b282f10
-
SSDEEP
49152:bAAXjW9sc+jGjggLSlnjcnVjfVZAVf133w:HzUV9ghcpNZe3w
Malware Config
Extracted
cryptbot
bibinene01.top
moraass05.top
Signatures
-
CryptBot
A C++ stealer distributed widely in bundle with other software.
-
CryptBot payload 21 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\391e2d06937e05a9bdeb74bcea764010_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\391e2d06937e05a9bdeb74bcea764010_JaffaCakes118.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\kB40cSF\61CO4fvj4iErBb.zipFilesize
607KB
MD5b3c16ccd9269c545ff57404331f427e9
SHA1c21295bc434eebec701132164499ba37a45f0dcd
SHA25679248f65be0c33dd19b7f3733a0bbbe860d255babf34f832b564fb74975e0097
SHA5120343b81f5efa496377e4b024bf941dd27922f40491fec23e5722aed356d98909ec484a1850846a6afc4396c4cb6484c9c2198be0426b76d73cd1b13961f4b88f
-
C:\Users\Admin\AppData\Local\Temp\kB40cSF\_Files\_Files\EditPush.txtFilesize
571KB
MD5e7361b7db20d01ba23108e7221a68afd
SHA125d6f99e878d9a4266bf952239e5ea6804892d3c
SHA2567f7fca70056aa02b4f9e6b1a26ca02751bea988b8a7f0ae238856942e2ef492b
SHA512aa361d48a39d51c5e74b65159445e0a9cb70470a6a4b61b6c7611ecbf648452e3398a42b0021462f1d7aaf51b10c37b0e3ece96babf3deeac41961d9c75fe66c
-
C:\Users\Admin\AppData\Local\Temp\kB40cSF\_Files\_Information.txtFilesize
8KB
MD54dbcb0d65737a52ef4c5541f659db2fc
SHA1cf01d0b01097b116b6d3793225b89a01be4a3ab4
SHA2564edf0fde8d728b944e7314e443e06038c326b22a60a9e17c7bf31fe06d00ca1e
SHA5126231f258c2cc9c29082850b277c420962c92c1a043a6a20478713b6d9710314ce9be9a0baf5c92dc098aada5c73045449bc9815f6bb667e504475ee9b1064317
-
C:\Users\Admin\AppData\Local\Temp\kB40cSF\_Files\_Screen_Desktop.jpegFilesize
43KB
MD5728c53bd508d374e695e52094432a8c7
SHA1ef0b6123d0ba37a91e66872d20756fa6c903b2db
SHA256079fa2ec2dae4cd0418f299d2534882791539578bcf0f8f250a22568844fbbca
SHA5123e31bbb6336ddf179c203b99daacc8e9a42e45dff0923336087f77811622b990723c0be8a34107a44fd792d8a9d0f79767837b96dc740a0c654344893f2ce286
-
C:\Users\Admin\AppData\Local\Temp\kB40cSF\files_\system_info.txtFilesize
834B
MD5502ede0a8480b87b7d4401e5b7082e6b
SHA1f670593e6fb0b3a4c04f39995148cbe5b9f3ec55
SHA256dda64738352146950a506432fdb8bd4842932ac145984ba5a92e753d3dceb1e7
SHA51252d2dcba9b63220f8d73d7896eb34a2c95eae9d256fc55b65d0e86d68ecb53c781f664fe0e0ba4eec79c34c19bc28b550396aea286b8966e42d2785a5286b710
-
C:\Users\Admin\AppData\Local\Temp\kB40cSF\files_\system_info.txtFilesize
1KB
MD507e2fc48959976603e453b9fa1d4f5f0
SHA16fb94005619df3b011d864c54827af78c623baa1
SHA256684e449d30457735ea1129fccc52e12c7158d339a1de41a410c6ef48cc1b0f3e
SHA51276a1438a0d79a8a8aa0c4f913645ddc5103601ca9e902a64aa9e3b0d04f723f7dfb1a6d7fdbf6f764d7271bb894b9429c71dbdad0204e7cfbd9a3d50eedce53a
-
C:\Users\Admin\AppData\Local\Temp\kB40cSF\files_\system_info.txtFilesize
3KB
MD58751b1da835cd3a5084a3fcca9815618
SHA1bd524ff325902821df6509baace091b0cd4b21f6
SHA2562f065b9dbdb6a36ec11b25c8344ac6f15bbf1a71df790911770822e3923ba61c
SHA5126388ffc2a3deb01646c9947e523b4a9cb4b7b0100574263876804f8fc61e4e9ce3add8474b8cb6e367dd488fb0d8e0142d39110353d96d7115be3d47914fea64
-
C:\Users\Admin\AppData\Local\Temp\kB40cSF\files_\system_info.txtFilesize
3KB
MD570f2540c9f1368a9445160da399f3c98
SHA18cce91ab866dec2813de1e33728a0d4368706084
SHA25616b35416c515397bab984f7d325e724c1e67e547025a168ea1ea1b742e4646ed
SHA5121e4bcb87083d372d6c5e1358da0aa70edb36b5a92a3640253563fb505428a2699b0669f8fe8194faae0be27e1e1dadc9675a0d7c369737ecc66905e20a51868b
-
C:\Users\Admin\AppData\Local\Temp\kB40cSF\files_\system_info.txtFilesize
4KB
MD5b2ad55b6b73671783829e31fe2f4191e
SHA14c4ff707cd371f8a372257c050ae2f4f046a23f8
SHA2566d809fa79bdb1a15666e1aea4466107c729554b7a2d390653ef96e57892a0ded
SHA5125a692be927da2044d5b7e8243e3eae027f400f36b479e7f25c6608974201051179e2d64e65c28bdca5ca0b70a675d8656a410323701b53ac6e2207bd97375c53
-
C:\Users\Admin\AppData\Local\Temp\kB40cSF\files_\system_info.txtFilesize
4KB
MD5225c17f6a2b387a0ed6cb3e4960fe23b
SHA1b36c550715a1037d26b6c21a5a51d91e582532aa
SHA256923df0b6f672fa198b192cd0d4296b2ccbf4b4d425bb7e9385980e2a5d23a2f0
SHA5126175852b9dcf62cfdfc4e0c34bc536313ba347faafab5d9bea75f1206e1cfd7ab7cdec435a3d5edf284b15a683789f0c797edea8b8348522a583db357fbb73ab
-
memory/2956-10-0x0000000001380000-0x0000000001875000-memory.dmpFilesize
5.0MB
-
memory/2956-239-0x0000000001380000-0x0000000001875000-memory.dmpFilesize
5.0MB
-
memory/2956-122-0x0000000001380000-0x0000000001875000-memory.dmpFilesize
5.0MB
-
memory/2956-0-0x0000000001380000-0x0000000001875000-memory.dmpFilesize
5.0MB
-
memory/2956-9-0x0000000001380000-0x0000000001875000-memory.dmpFilesize
5.0MB
-
memory/2956-8-0x0000000001381000-0x00000000013DC000-memory.dmpFilesize
364KB
-
memory/2956-2-0x0000000000E90000-0x0000000000E91000-memory.dmpFilesize
4KB
-
memory/2956-3-0x0000000000C80000-0x0000000000C81000-memory.dmpFilesize
4KB
-
memory/2956-4-0x0000000000FF0000-0x0000000000FF1000-memory.dmpFilesize
4KB
-
memory/2956-5-0x0000000001160000-0x0000000001161000-memory.dmpFilesize
4KB
-
memory/2956-6-0x0000000000F40000-0x0000000000F41000-memory.dmpFilesize
4KB
-
memory/2956-7-0x0000000000AD0000-0x0000000000AD1000-memory.dmpFilesize
4KB
-
memory/2956-235-0x0000000001380000-0x0000000001875000-memory.dmpFilesize
5.0MB
-
memory/2956-236-0x0000000001380000-0x0000000001875000-memory.dmpFilesize
5.0MB
-
memory/2956-237-0x0000000001380000-0x0000000001875000-memory.dmpFilesize
5.0MB
-
memory/2956-121-0x0000000001380000-0x0000000001875000-memory.dmpFilesize
5.0MB
-
memory/2956-240-0x0000000001380000-0x0000000001875000-memory.dmpFilesize
5.0MB
-
memory/2956-1-0x0000000077790000-0x0000000077792000-memory.dmpFilesize
8KB
-
memory/2956-242-0x0000000001380000-0x0000000001875000-memory.dmpFilesize
5.0MB
-
memory/2956-244-0x0000000001380000-0x0000000001875000-memory.dmpFilesize
5.0MB
-
memory/2956-246-0x0000000001380000-0x0000000001875000-memory.dmpFilesize
5.0MB
-
memory/2956-249-0x0000000001380000-0x0000000001875000-memory.dmpFilesize
5.0MB
-
memory/2956-251-0x0000000001380000-0x0000000001875000-memory.dmpFilesize
5.0MB
-
memory/2956-254-0x0000000001380000-0x0000000001875000-memory.dmpFilesize
5.0MB
-
memory/2956-256-0x0000000001380000-0x0000000001875000-memory.dmpFilesize
5.0MB
-
memory/2956-258-0x0000000001380000-0x0000000001875000-memory.dmpFilesize
5.0MB
-
memory/2956-260-0x0000000001380000-0x0000000001875000-memory.dmpFilesize
5.0MB
-
memory/2956-263-0x0000000001380000-0x0000000001875000-memory.dmpFilesize
5.0MB
-
memory/2956-265-0x0000000001380000-0x0000000001875000-memory.dmpFilesize
5.0MB
-
memory/2956-267-0x0000000001380000-0x0000000001875000-memory.dmpFilesize
5.0MB
