Analysis
- max time kernel: 157s
- max time network: 164s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-05-2024 12:11
Tasks
- static1 (static task)
- behavioral1: sample 3f6f1b87fc7750df9421200e9e0aa070_JaffaCakes118.exe, resource win7-20240221-en
- behavioral2: sample 3f6f1b87fc7750df9421200e9e0aa070_JaffaCakes118.exe, resource win10v2004-20240226-en
- behavioral3: sample $PLUGINSDIR/System.dll, resource win7-20231129-en
- behavioral4: sample $PLUGINSDIR/System.dll, resource win10v2004-20240226-en
- behavioral5: sample $PLUGINSDIR/UAC.dll, resource win7-20240221-en
- behavioral6: sample $PLUGINSDIR/UAC.dll, resource win10v2004-20240426-en
- behavioral7: sample $PLUGINSDIR/UserInfo.dll, resource win7-20240508-en
- behavioral8: sample $PLUGINSDIR/UserInfo.dll, resource win10v2004-20240508-en
- behavioral9: sample $PLUGINSDIR/nsDialogs.dll, resource win7-20240508-en
- behavioral10: sample $PLUGINSDIR/nsDialogs.dll, resource win10v2004-20240508-en
- behavioral11: sample $PLUGINSDIR/nsExec.dll, resource win7-20240220-en
- behavioral12: sample $PLUGINSDIR/nsExec.dll, resource win10v2004-20240508-en
- behavioral13: sample 1.exe, resource win7-20240221-en
- behavioral14: sample 1.exe, resource win10v2004-20240226-en
- behavioral15: sample Setup1.exe, resource win7-20231129-en
- behavioral16: sample Setup1.exe, resource win10v2004-20240426-en
- behavioral17: sample Setup1.vbs, resource win7-20240221-en
- behavioral18: sample Setup1.vbs, resource win10v2004-20240426-en
General
- Target: 3f6f1b87fc7750df9421200e9e0aa070_JaffaCakes118.exe
- Size: 4.0MB
- MD5: 3f6f1b87fc7750df9421200e9e0aa070
- SHA1: 11cf49ecbb3b8ba5d76444cefd041435c95bfc47
- SHA256: 3d0c53b85d752355b9185c5d43a96dc028f2a56e73fb3358dc6a7f0882329e4e
- SHA512: 9a4e11817771ab6cbb17d2a21857f1f210eafb122df5fd55ae963595aae2263fcd8b6cbfa855f05e26b0e1a2a6f8ca751452cdc9bcdcee0fb44eed6f9763dbc5
- SSDEEP: 98304:XoUyCR9OdQA9BKQ+SQQUH80pvgsRGVdgTsPC:Xo1H+A9BLM80dwrb6
Malware Config
Extracted
- Family: cryptbot
- Domains: tuytee16.top, moriiikk08.top
Signatures
- CryptBot payload (14 IoCs)
  YARA rule family_cryptbot matched 14 memory dumps of PID 1204 in behavioral2, all covering 0x0000000000B30000-0x0000000001060000 (dump indices 35, 37, 41, 48, 249, 251, 255, 258, 261, 263, 266, 269, 271, 274).
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
  - Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by 1.exe
  - Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ by Setup1.exe
- Blocklisted process makes network request (3 IoCs)
  - Flows 8, 10 and 12 originate from PID 3908 CScript.exe
- Checks BIOS information in registry (2 TTPs, 4 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by Setup1.exe
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by Setup1.exe
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion by 1.exe
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion by 1.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  - Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation by Setup1.exe
- Executes dropped EXE (2 IoCs)
  - PID 1204 1.exe
  - PID 5036 Setup1.exe
- Identifies Wine through registry keys (2 TTPs, 2 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  - Key opened \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine by 1.exe
  - Key opened \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine by Setup1.exe
- Loads dropped DLL (2 IoCs)
  - PID 372 3f6f1b87fc7750df9421200e9e0aa070_JaffaCakes118.exe (2 occurrences)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  - PID 5036 Setup1.exe
  - PID 1204 1.exe
- Drops file in Program Files directory (3 IoCs)
  - File created C:\Program Files (x86)\Mader\lase\1.exe by 3f6f1b87fc7750df9421200e9e0aa070_JaffaCakes118.exe
  - File created C:\Program Files (x86)\Mader\lase\Setup1.exe by 3f6f1b87fc7750df9421200e9e0aa070_JaffaCakes118.exe
  - File created C:\Program Files (x86)\Mader\lase\Setup1.vbs by 3f6f1b87fc7750df9421200e9e0aa070_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 4 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString by 1.exe
  - Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 by Setup1.exe
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString by Setup1.exe
  - Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 by 1.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  - PID 5036 Setup1.exe (2 occurrences)
  - PID 1204 1.exe (2 occurrences)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  - PID 1204 1.exe (2 occurrences)
- Suspicious use of WriteProcessMemory (15 IoCs)
  - PID 372 (3f6f1b87fc7750df9421200e9e0aa070_JaffaCakes118.exe) wrote to memory of PID 3908 (CScript.exe), 3 times
  - PID 372 (3f6f1b87fc7750df9421200e9e0aa070_JaffaCakes118.exe) wrote to memory of PID 1204 (1.exe), 3 times
  - PID 372 (3f6f1b87fc7750df9421200e9e0aa070_JaffaCakes118.exe) wrote to memory of PID 5036 (Setup1.exe), 3 times
  - PID 5036 (Setup1.exe) wrote to memory of PID 3128 (cmd.exe), 3 times
  - PID 5036 (Setup1.exe) wrote to memory of PID 4512 (cmd.exe), 3 times
Processes
- C:\Users\Admin\AppData\Local\Temp\3f6f1b87fc7750df9421200e9e0aa070_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3f6f1b87fc7750df9421200e9e0aa070_JaffaCakes118.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\CScript.exe
    Command line: "C:\Windows\system32\CScript.exe" "C:\Program Files (x86)\Mader\lase\Setup1.vbs" //e:vbscript //B //NOLOGO
    - Blocklisted process makes network request
  - C:\Program Files (x86)\Mader\lase\1.exe
    Command line: "C:\Program Files (x86)\Mader\lase\1.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
  - C:\Program Files (x86)\Mader\lase\Setup1.exe
    Command line: "C:\Program Files (x86)\Mader\lase\Setup1.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\tcwpmiiq.exe"
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\qtuushaaou.exe"
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Program Files (x86)\Mader\lase\1.exe
  - Filesize: 2.2MB
  - MD5: 4ae318b79250c2969d663dee668f3a27
  - SHA1: 57e5cd1eef257683efc4f82c369739621d8299ce
  - SHA256: 753af3a9e8f98e03f71c700d6913933962a3510ffefb97cd57ccbc20991a98a4
  - SHA512: a925d50a05e423533a0aec8f552af0e6f55dd3c116bfbbd6ac49ae6c3dd6acd0641ca3dca70499f22a54860c2374f26c2a807f380475290220f74e53c9bf8aab
- C:\Program Files (x86)\Mader\lase\Setup1.exe
  - Filesize: 1.9MB
  - MD5: e79cf3b82c9bc3fd37c54b29d5986c15
  - SHA1: a96834689e3454ec7c3bee9872da85ddc900bc0d
  - SHA256: 8972be1f2eb134a22c4d46fad916db5b13c5871dc15a7799246542b6de42170f
  - SHA512: 1a4786d5b258e7bf450b66bedd6c63e8cd162570965449c87224f21a4c114cc0ac880b907787cce184e9374caef819685ae7dea7d7a43a200866f73e1d11edc7
- C:\Program Files (x86)\Mader\lase\Setup1.vbs
  - Filesize: 126B
  - MD5: 3ffc26d751f79fb801ecbb715885e852
  - SHA1: f54da1552aabfbf68ef07fa98234a8a1ff789a16
  - SHA256: 8816d2a6adff6e256c6f478c46b283991feeb28dedc384914fe35f14f673d5d6
  - SHA512: 08e00923d92f9141ec09ed420738126883772e359e6fc2e703a293020d0bb42b915d2a9961ba03676ab2ad43d8f4563b46778e119f22007073b1d9f1124c0d24
- C:\Users\Admin\AppData\Local\Temp\AtqO14Rrw1S\_Files\_Information.txt
  - Filesize: 4KB
  - MD5: 2827d5beada99668f18923feeeed624c
  - SHA1: ad597e7f3081e6b21d28c228a1cddfeaabfff207
  - SHA256: 462f578086257167da447f5117c2d81f4175ad51773b4119b8c95dc804f98726
  - SHA512: cf17c12ea79ea4fa222fa0a58bf9ae026cddfc30c0439989aed3bc9037efec7f75406abc362118f316b39d2f90c41351f3dfab6c1f43f3ec389b050a0dc00100
- C:\Users\Admin\AppData\Local\Temp\AtqO14Rrw1S\_Files\_Screen_Desktop.jpeg
  - Filesize: 54KB
  - MD5: f1b711b4654a6f93b9362695e55072f3
  - SHA1: 910d921bdb6d26666c60272759f731a3c6562969
  - SHA256: f10baa88d1547374617a8243a5960ba30710a4252e09589015a0d4125757355d
  - SHA512: d8b557341959b30cb820bda8858bef87f656b76c709c7735aec60f45bedaa65ebc892ad405fba4833831a33bb2efe188d793c4937a978013972eba2d4fb6531a
- C:\Users\Admin\AppData\Local\Temp\AtqO14Rrw1S\files_\system_info.txt
  - Filesize: 1KB
  - MD5: 4dda149b47a8def1d97c0840ff3f02a5
  - SHA1: a45fc2bf5f0b9c564a78e19206692c62fdbb5716
  - SHA256: 0e5b2781cfee9cfa4414bdb497680eefc019cacc47165fa31c4446493caee226
  - SHA512: 5dc14b3943d5e578524273b9fce7c17cb3bd061b9d118813d4a20afc333c014a58c227e98c7ce0169e2fd9d0386b3f0421f00ebfd4924599e3dbdd8e1b8d2b80
- C:\Users\Admin\AppData\Local\Temp\AtqO14Rrw1S\files_\system_info.txt
  - Filesize: 3KB
  - MD5: e43b9a70578a86bfb6f4f3d9978adb03
  - SHA1: 9ab558645798866aae759c75332149bfb8b5e8a7
  - SHA256: 50e08e2ae541cff4b692ef7ed547af8be37819711ab7f66ad2fdf89edae78c75
  - SHA512: 34b11b31329c93becbc1a297983b769d72108b175abcf249990e5254272f810236ebeb6ce0ca601a1552973069defd2c8ef0bce6d0f88aeb87c3b0e3c3da81fd
- C:\Users\Admin\AppData\Local\Temp\AtqO14Rrw1S\files_\system_info.txt
  - Filesize: 4KB
  - MD5: 4cdc876c0af0bbd85ebe6dc3a89e0efb
  - SHA1: dca5692bf2ddc85b5c00dfe3d716bae944e8b4db
  - SHA256: 652b63b2c437ff3fdbb44e5ceb24efef250acee15eedca4312e90a7d0da95dc0
  - SHA512: aaf995e41ab8d75d2ea5bc37049cf1cb99e3ae2e7bd4a1ef353b824dedcbe0e28019998ab1eff3f5063e7277eed94bb9f6f212083caaffb43a56deb19b4d5b6a
- C:\Users\Admin\AppData\Local\Temp\AtqO14Rrw1S\r4ioahbuKei.zip
  - Filesize: 48KB
  - MD5: 747896db3a7d2e97788a7be59184f95b
  - SHA1: 50216a59c9b39bbbdf919000e34f3b1ba9199b37
  - SHA256: 01d92e72db07ea9e99866f74bed29046213d44bc2a852a88469433a013feeadc
  - SHA512: e1ae07f2b19a442c291a9ee23b4add54fed800471f0e54148fdc895b66f187c4f531bf0fd4f35d046867ca6cd1219e315d7975d0bc8065bc639609c0de3549d8
- C:\Users\Admin\AppData\Local\Temp\nsn588C.tmp\UAC.dll
  - Filesize: 14KB
  - MD5: adb29e6b186daa765dc750128649b63d
  - SHA1: 160cbdc4cb0ac2c142d361df138c537aa7e708c9
  - SHA256: 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
  - SHA512: b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada
- C:\Users\Admin\AppData\Local\Temp\nsn588C.tmp\nsExec.dll
  - Filesize: 6KB
  - MD5: 132e6153717a7f9710dcea4536f364cd
  - SHA1: e39bc82c7602e6dd0797115c2bd12e872a5fb2ab
  - SHA256: d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2
  - SHA512: 9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1
Memory dumps
- PID 1204, region 0x0000000000B30000-0x0000000001060000, 5.2MB each: dumps 24, 35, 37, 41, 48, 249, 251, 255, 258, 261, 263, 266, 269, 271, 274
- PID 5036, region 0x0000000000810000-0x0000000000C9E000, 4.6MB each: dumps 31, 34, 36, 38, 39
- PID 5036, region 0x0000000000811000-0x0000000000830000, 124KB each: dumps 33, 40
- PID 5036, region 0x0000000077CF4000-0x0000000077CF6000, 8KB: dump 32