Overview

overview

10

Static

static

3

391e2d0693...18.exe

windows7-x64

10

391e2d0693...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    158s
  • max time network
    166s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-05-2024 08:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    391e2d06937e05a9bdeb74bcea764010_JaffaCakes118.exe

  • Size

    2.0MB

  • MD5

    391e2d06937e05a9bdeb74bcea764010

  • SHA1

    bdffd3a4e55f18f731de225d7ed87ae437723e76

  • SHA256

    a561427aa3eb2da59e87cb827aebae00a70ffc3abf87cc044e242a9ca056806f

  • SHA512

    cf2c6ac5fe59184fdd57c885df5763f284b144c7968fb8598c22a77770d7d194e9e65dd3f1ede204459687f46b857e9a5523fb02ee7f2249f419232c4b282f10

  • SSDEEP

    49152:bAAXjW9sc+jGjggLSlnjcnVjfVZAVf133w:HzUV9ghcpNZe3w

Score
10/10
cryptbotdiscoveryevasionspywarestealer

Malware Config

Extracted

Family

cryptbot

C2

bibinene01.top

moraass05.top

Signatures

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • CryptBot payload 20 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\391e2d06937e05a9bdeb74bcea764010_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\391e2d06937e05a9bdeb74bcea764010_JaffaCakes118.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    PID:4972
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4140 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:1972

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Virtualization/Sandbox Evasion

    2
    T1497

    Credential Access

    Unsecured Credentials

    2
    T1552

    Credentials In Files

    2
    T1552.001

    Discovery

    Query Registry

    5
    T1012

    Virtualization/Sandbox Evasion

    2
    T1497

    System Information Discovery

    3
    T1082

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\uOyRDtyc\4XXdRwJqjQpfuQ.zip
      Filesize

      38KB

      MD5

      9674fa8bb90afcdd42d233d237c75470

      SHA1

      ae2ad81d0102d45d60ba90135004f6eb4ef5a218

      SHA256

      1ec6bc0b123fac0b387377bf1990cff8acdde8cfc0fc0a0f02477440be526978

      SHA512

      16bf685ea0d80a5e75653ca138569d3e1357de969a1e7611e2cd8b49cf43f7f8f7e9b87a98c1c3b4d137a0f2dda4679aa076c5815f8912664677a27df952e326

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\uOyRDtyc\ZkBNPLcp43y.zip
      Filesize

      38KB

      MD5

      5b27cad62273717d63588bc620748086

      SHA1

      e89c29ed4abaa552818ba359f9d5f88da206e951

      SHA256

      afaf2cba5d9b7c45bab2a7f3c5c538ac2ccdacf42225caa5e2784313f2bb422c

      SHA512

      899cae625cded7541fcfd258a286c88effa9bf0548e63d4c22ccf48896baa58beadda9cb6252bd64ff3587183a7009a19498c3f81c4b5cbfa37a841510eccf53

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\uOyRDtyc\_Files\_Information.txt
      Filesize

      7KB

      MD5

      b8ec9965e7655d566b0f96564973b190

      SHA1

      f090d0e41888fd33b1777bdcc1168822fa6d8d07

      SHA256

      380161bfb240fd6891e7630342d9b69b7b6d3950e2105e53cfe638d234b5f231

      SHA512

      ca4d50579a718eaf0136ccd32eb99b7a24cc22c713f43973d121c4bca95db9c43602f582f3ec0c5e4585d41e17807b05060c121237a8313652bc31c51d1cf201

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\uOyRDtyc\_Files\_Screen_Desktop.jpeg
      Filesize

      44KB

      MD5

      a849349fecb46fb8bfd312b92854e6ae

      SHA1

      c0b550cdbaa9c318b87c5f867f9c980517c1d964

      SHA256

      cd77ba63c83a6b0399ac6a6d0eec3234801f85a9f1c0fc330bc1e60360e28e25

      SHA512

      72cafd4e12434c80651732229212daff6a0bcd6523818d6b6e8384bbc8931d79f125745018b6f6a186c82a9dcf5214d13a68e6bd5604d2027e9db28febad409d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\uOyRDtyc\files_\system_info.txt
      Filesize

      746B

      MD5

      c674ea3136fc553f7d5886564c6190d0

      SHA1

      19487e599d1a0523f2a0aa11d0d7bc77a22c694d

      SHA256

      8cc2e2399f850bc7a441af201453145e7b7af4b11df25a3e3c59730bcce23f67

      SHA512

      8d2eab8430c2488c7098b884606e0b29824eee35323a0b5dd9e4508952d4085c22286bbfbdf5f0c4a52964027d625e931ae3a8b778b6b4d8ac6e81cdadfe0f6f

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\uOyRDtyc\files_\system_info.txt
      Filesize

      7KB

      MD5

      c11dffc1072582f3e10c00d436fcf10b

      SHA1

      f3ff2a6960e6f899bd89840423ac15f22e8d9487

      SHA256

      56fe1350831f1a7b3333866a169e8990ebebf4b42227b4a1b1d1bc04ce85ac8f

      SHA512

      5c10ebaa916b05249206b469211de86dedd30d42eb4c0113e0ad49e13db5314324559d32b88a89a5cce1a0fcafae4fe0ec69d117dc980122ae5b2672a66ce975

      Download Submit
    • memory/4972-8-0x0000000000370000-0x0000000000865000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/4972-7-0x0000000000371000-0x00000000003CC000-memory.dmp
      Filesize

      364KB

      Download
    • memory/4972-0-0x0000000000370000-0x0000000000865000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/4972-9-0x0000000000370000-0x0000000000865000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/4972-15-0x0000000000370000-0x0000000000865000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/4972-18-0x0000000000370000-0x0000000000865000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/4972-4-0x0000000004D50000-0x0000000004D51000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4972-99-0x0000000000370000-0x0000000000865000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/4972-5-0x0000000004D60000-0x0000000004D61000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4972-6-0x0000000004D70000-0x0000000004D71000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4972-2-0x0000000000370000-0x0000000000865000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/4972-219-0x0000000000370000-0x0000000000865000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/4972-221-0x0000000000370000-0x0000000000865000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/4972-3-0x0000000004D40000-0x0000000004D41000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4972-223-0x0000000000370000-0x0000000000865000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/4972-225-0x0000000000370000-0x0000000000865000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/4972-227-0x0000000000370000-0x0000000000865000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/4972-230-0x0000000000370000-0x0000000000865000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/4972-232-0x0000000000370000-0x0000000000865000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/4972-235-0x0000000000370000-0x0000000000865000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/4972-239-0x0000000000370000-0x0000000000865000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/4972-241-0x0000000000370000-0x0000000000865000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/4972-244-0x0000000000370000-0x0000000000865000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/4972-247-0x0000000000370000-0x0000000000865000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/4972-252-0x0000000000370000-0x0000000000865000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/4972-255-0x0000000000370000-0x0000000000865000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/4972-1-0x00000000779E4000-0x00000000779E6000-memory.dmp
      Filesize

      8KB

      Download