Analysis

max time kernel: 144s
max time network: 146s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 21-05-2024 17:09
Static task
static1

Behavioral tasks

task          sample                                               resource
behavioral1   641665ec1ee0c3c0d2bdfe490d94326c_JaffaCakes118.exe   win7-20240221-en
behavioral2   641665ec1ee0c3c0d2bdfe490d94326c_JaffaCakes118.exe   win10v2004-20240426-en
behavioral3   $PLUGINSDIR/System.dll                               win7-20240221-en
behavioral4   $PLUGINSDIR/System.dll                               win10v2004-20240508-en
behavioral5   $PLUGINSDIR/UAC.dll                                  win7-20240508-en
behavioral6   $PLUGINSDIR/UAC.dll                                  win10v2004-20240508-en
behavioral7   $PLUGINSDIR/UserInfo.dll                             win7-20240220-en
behavioral8   $PLUGINSDIR/UserInfo.dll                             win10v2004-20240426-en
behavioral9   $PLUGINSDIR/nsDialogs.dll                            win7-20240220-en
behavioral10  $PLUGINSDIR/nsDialogs.dll                            win10v2004-20240508-en
behavioral11  $PLUGINSDIR/nsExec.dll                               win7-20240215-en
behavioral12  $PLUGINSDIR/nsExec.dll                               win10v2004-20240508-en
behavioral13  1_1.exe                                              win7-20231129-en
behavioral14  1_1.exe                                              win10v2004-20240426-en
behavioral15  file.exe                                             win7-20240221-en
behavioral16  file.exe                                             win10v2004-20240508-en
behavioral17  file.vbs                                             win7-20240508-en
behavioral18  file.vbs                                             win10v2004-20240426-en
General

Target: 641665ec1ee0c3c0d2bdfe490d94326c_JaffaCakes118.exe
Size: 4.4MB
MD5: 641665ec1ee0c3c0d2bdfe490d94326c
SHA1: 13c5ab89fdb2e57beff2614659c368b4b67f2ebe
SHA256: 3cc03de0ddea408c9411f50251d308c51e21f1df7a39d8fba70620696c87eb5b
SHA512: b2dab0155d39b918574901a74a00b8e76e2ebac12cf41c762e1792841377489a358881828ed853b85dcbfaf244152efafecaccea8b5dcfdc7b7c5db9fc33e725
SSDEEP: 98304:5OuIv2eLDrhxayvHhhvC2/IlbehfLCaW47c+UpzXo78UaaWwPfs:5Oum2pyvHHvvIlydLVNoLpzYI0WwM
Malware Config

Extracted
cryptbot
  otteppp05.top
  doorres02.top
Signatures

CryptBot payload (15 IoCs)
Processes:
resource                                                                      yara_rule
behavioral1/memory/1544-242-0x0000000001350000-0x000000000184E000-memory.dmp  family_cryptbot
behavioral1/memory/1544-243-0x0000000001350000-0x000000000184E000-memory.dmp  family_cryptbot
behavioral1/memory/1544-248-0x0000000001350000-0x000000000184E000-memory.dmp  family_cryptbot
behavioral1/memory/1544-251-0x0000000001350000-0x000000000184E000-memory.dmp  family_cryptbot
behavioral1/memory/1544-253-0x0000000001350000-0x000000000184E000-memory.dmp  family_cryptbot
behavioral1/memory/1544-255-0x0000000001350000-0x000000000184E000-memory.dmp  family_cryptbot
behavioral1/memory/1544-257-0x0000000001350000-0x000000000184E000-memory.dmp  family_cryptbot
behavioral1/memory/1544-259-0x0000000001350000-0x000000000184E000-memory.dmp  family_cryptbot
behavioral1/memory/1544-262-0x0000000001350000-0x000000000184E000-memory.dmp  family_cryptbot
behavioral1/memory/1544-264-0x0000000001350000-0x000000000184E000-memory.dmp  family_cryptbot
behavioral1/memory/1544-266-0x0000000001350000-0x000000000184E000-memory.dmp  family_cryptbot
behavioral1/memory/1544-269-0x0000000001350000-0x000000000184E000-memory.dmp  family_cryptbot
behavioral1/memory/1544-271-0x0000000001350000-0x000000000184E000-memory.dmp  family_cryptbot
behavioral1/memory/1544-273-0x0000000001350000-0x000000000184E000-memory.dmp  family_cryptbot
behavioral1/memory/1544-275-0x0000000001350000-0x000000000184E000-memory.dmp  family_cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
Processes:
description  ioc                                          process
Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  1_1.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
description        ioc                                                              process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  1_1.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   1_1.exe

Executes dropped EXE (1 IoCs)
Processes:
pid   process
1544  1_1.exe

Identifies Wine through registry keys (2 TTPs, 1 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
description  ioc                                                                          process
Key opened   \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Wine  1_1.exe

Loads dropped DLL (6 IoCs)
Processes:
pid   process
3000  641665ec1ee0c3c0d2bdfe490d94326c_JaffaCakes118.exe
3000  641665ec1ee0c3c0d2bdfe490d94326c_JaffaCakes118.exe
3000  641665ec1ee0c3c0d2bdfe490d94326c_JaffaCakes118.exe
1544  1_1.exe
1544  1_1.exe
1544  1_1.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
Processes:
pid   process
1544  1_1.exe

Drops file in Program Files directory (3 IoCs)
Processes:
description   ioc                                             process
File created  C:\Program Files (x86)\Salamanda\bedf\1_1.exe   641665ec1ee0c3c0d2bdfe490d94326c_JaffaCakes118.exe
File created  C:\Program Files (x86)\Salamanda\bedf\file.exe  641665ec1ee0c3c0d2bdfe490d94326c_JaffaCakes118.exe
File created  C:\Program Files (x86)\Salamanda\bedf\file.vbs  641665ec1ee0c3c0d2bdfe490d94326c_JaffaCakes118.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description        ioc                                                                                  process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      1_1.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  1_1.exe

Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes:
pid   process
1544  1_1.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
pid   process
1544  1_1.exe
1544  1_1.exe

Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
description                       pid   process                                             target process
PID 3000 wrote to memory of 1544  3000  641665ec1ee0c3c0d2bdfe490d94326c_JaffaCakes118.exe  1_1.exe
PID 3000 wrote to memory of 1544  3000  641665ec1ee0c3c0d2bdfe490d94326c_JaffaCakes118.exe  1_1.exe
PID 3000 wrote to memory of 1544  3000  641665ec1ee0c3c0d2bdfe490d94326c_JaffaCakes118.exe  1_1.exe
PID 3000 wrote to memory of 1544  3000  641665ec1ee0c3c0d2bdfe490d94326c_JaffaCakes118.exe  1_1.exe
PID 3000 wrote to memory of 1544  3000  641665ec1ee0c3c0d2bdfe490d94326c_JaffaCakes118.exe  1_1.exe
PID 3000 wrote to memory of 1544  3000  641665ec1ee0c3c0d2bdfe490d94326c_JaffaCakes118.exe  1_1.exe
PID 3000 wrote to memory of 1544  3000  641665ec1ee0c3c0d2bdfe490d94326c_JaffaCakes118.exe  1_1.exe
Processes

C:\Users\Admin\AppData\Local\Temp\641665ec1ee0c3c0d2bdfe490d94326c_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\641665ec1ee0c3c0d2bdfe490d94326c_JaffaCakes118.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Salamanda\bedf\1_1.exe
    command line: "C:\Program Files (x86)\Salamanda\bedf\1_1.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Temp\xbymhrQYGlon\I0kSu835nXDi.zip
Filesize: 33KB
MD5: 86c1d24e1c8bd405bd3d51e06648774e
SHA1: faba32621d5e8a5218d8dacc1355853fdee24ceb
SHA256: 8390d4fa95523fee387ec5a797539c0693595bf3c1407f4f4a15875ecd6ca625
SHA512: 9752d1022f08ddd86e88485f489ad1694ed81c92cf4705d2d9dc031ee1ab02e12e24ad8a8e4b9825ec90f98cc94da5e28cb54f60be7f9869ddbeee50b45339ae

C:\Users\Admin\AppData\Local\Temp\xbymhrQYGlon\_Files\_Information.txt
Filesize: 1KB
MD5: dd6d3f73f60409e3c36d7fe0209d7bbc
SHA1: c8ab3abc958611883e6708ce8b19bc5fda2468dc
SHA256: 62143d958a0fd3d42c2c3c2babcd8a5ff965205d5092c2ee0c3162da15845497
SHA512: 3557bca5493f869f9ce77e9bfaa0b8e38773179762a83d12220acbd0c928030dae140cc91d2d43380df8a9d7f3cbde38a77c8d5a8d3a511203cd067b0f3c4f5c

C:\Users\Admin\AppData\Local\Temp\xbymhrQYGlon\_Files\_Information.txt
Filesize: 3KB
MD5: acd53a65d2ade248c8adc3ab532e0142
SHA1: 9b9b15d1d4100c340daa4e726d6710871ff94ca9
SHA256: 25261c5a4e4fedfdd34661220ffd1770ea80f6396635bbf511dbbd83405c4afd
SHA512: e2565cfcd64bc0af0a315cf6d36c8f4c1b24262df8b2363e2d82a6912efb88488c91a58acc0d256f836f433f38ebad7269527eddc8297089810d1d2370574ff6

C:\Users\Admin\AppData\Local\Temp\xbymhrQYGlon\_Files\_Information.txt
Filesize: 3KB
MD5: 0ed5248cb167b099feef74f74acc83d0
SHA1: cadd8164590add9e4d5f4a53476a40288f5f4bfa
SHA256: 718e5dc7eb1c28f2dedcc0002afd835ca0b43e2b5a5874398686ffe8bbfb1004
SHA512: 9b9db2a755573937bac26caea298e39e5d2b79901441fbaff828faed19f4e25b4ad7ca42c67c7556278cd479b95c3b245564fa029bee3c483154a758b593e52e

C:\Users\Admin\AppData\Local\Temp\xbymhrQYGlon\_Files\_Information.txt
Filesize: 3KB
MD5: e10e323cb07dcb07d011438ac2787179
SHA1: 587475109583bae51035d0f4d82fa401b9d42ccd
SHA256: aa498c23c34d3ccd8f1baf0a393078527749f5f49107461e60c885c13a84431e
SHA512: c64d679150dea0e970e05cabd00cfc17091e546b624a4200f31e66aca0858135db0ea42e3f751d9cc12a4c9250275997d2883b72f5f45c671c5d098bbdfaff85

C:\Users\Admin\AppData\Local\Temp\xbymhrQYGlon\_Files\_Information.txt
Filesize: 4KB
MD5: 4da486b0c78be53afebf783d30b6bcd6
SHA1: 406c4571b990435fe87087242994b9fe5633c10b
SHA256: 846b32c2fca0a141c3b2dab872384b45296e69d4510411ac530e2afd8af5a839
SHA512: 094f8ced62299c840e6f9b4db0a79020630170da402b7a0ccdd8870398788e2c039ab24b84753823b0656bc5ac63e85c88254975d8ba588cd975c3de13213ada

C:\Users\Admin\AppData\Local\Temp\xbymhrQYGlon\_Files\_Screen_Desktop.jpeg
Filesize: 40KB
MD5: 34ae6bb69354f8191c63fae108f5a378
SHA1: e7d21b24cd5fcdedb3fa9b0ba911c4177f9b2a51
SHA256: 75458e1f980541d4236abe09fa847cf51f8d3cae2bd80e00bfc784911e916d48
SHA512: 4f3a2e55b608b1073a74af5b8e5b7bd604871e57836c47f07546ac8dcbc20d016ec1cb5db9347ed68e17463d83f4851601c74b3f32b2063d21271056a3b18fc2

C:\Users\Admin\AppData\Local\Temp\xbymhrQYGlon\files_\system_info.txt
Filesize: 1KB
MD5: b5f8ae7f4c4851a05c842e8c49dc4ad7
SHA1: ec6f6e91de46782515cf010aba596ade3bb332e8
SHA256: ad74e0effa2fbd9b04ea0617da8efbb52deaf115c73cebc6c6d7356092fbd633
SHA512: 4c2ab2fc05847966bf2c6f3ad231042938070bb3dd6d23604c15cac81ce10016e8823c933990675a6cc9cfa508485e3b013bc1865621f31fddefb916cc087813

C:\Users\Admin\AppData\Local\Temp\xbymhrQYGlon\files_\system_info.txt
Filesize: 3KB
MD5: a18dffa9c1c5dd8cfd7bf082c6a9e638
SHA1: e4d898a1d156bb337ffa7a45402eb12a36722167
SHA256: 9a08310a18868fc0e7fb57fac7dd8dad81a74de44eb7d26b604a733bdc52b977
SHA512: f14895457db2493b9bceb3502cf607d113459a61d91253c539e8aee6602f8c6f301b2689b773acb57f16573a703b4d80df54c3faf4f92874ee9da894acdf98d3

C:\Users\Admin\AppData\Local\Temp\xbymhrQYGlon\files_\system_info.txt
Filesize: 5KB
MD5: fd48f3870627d5c34d2cef357e033418
SHA1: e6d9a4a6bbc3db987b9131482f0be5c433729e14
SHA256: f50c640f6a7bd1edc2c33b1a35e9fe3ed05d933b20c633719e86fd3ff97bf483
SHA512: 811c3f26ffa41bc02c870ae0a5ea542fd43426cbae09f722a00b0b46511d206b790ac9c65dde6b20dc5a993dd77da0112c04efcc632e367a91717ce5891f8499

\Program Files (x86)\Salamanda\bedf\1_1.exe
Filesize: 2.1MB
MD5: 5a2a75f58899cde4c6f0db01e76ec957
SHA1: 687a13b27fc71c0f5b13bbec024a7355d68e9366
SHA256: 5f542d4b44d1cfad8c47508393fe2695a6165faa0010db45c6a83345e06981d6
SHA512: 1beed060bf19b93ee6928141e53d8957bb7a06054a38f18f4a03cdd04d8bcff20f6b388c128c04b8ddb337f05730b877b8f44b9b7a1ed4473df6c4e35e229abd

\Users\Admin\AppData\Local\Temp\nst22BE.tmp\UAC.dll
Filesize: 14KB
MD5: adb29e6b186daa765dc750128649b63d
SHA1: 160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA256: 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512: b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Memory dumps

memory dump                                                       Filesize
memory/1544-243-0x0000000001350000-0x000000000184E000-memory.dmp  5.0MB
memory/1544-275-0x0000000001350000-0x000000000184E000-memory.dmp  5.0MB
memory/1544-23-0x00000000774B0000-0x00000000774B2000-memory.dmp   8KB
memory/1544-22-0x0000000000BF0000-0x00000000010EE000-memory.dmp   5.0MB
memory/1544-17-0x0000000001350000-0x000000000184E000-memory.dmp   5.0MB
memory/1544-242-0x0000000001350000-0x000000000184E000-memory.dmp  5.0MB
memory/1544-24-0x0000000001351000-0x00000000013AC000-memory.dmp   364KB
memory/1544-245-0x0000000000BF0000-0x00000000010EE000-memory.dmp  5.0MB
memory/1544-246-0x0000000000BF0000-0x00000000010EE000-memory.dmp  5.0MB
memory/1544-247-0x0000000000BF0000-0x00000000010EE000-memory.dmp  5.0MB
memory/1544-248-0x0000000001350000-0x000000000184E000-memory.dmp  5.0MB
memory/1544-273-0x0000000001350000-0x000000000184E000-memory.dmp  5.0MB
memory/1544-251-0x0000000001350000-0x000000000184E000-memory.dmp  5.0MB
memory/1544-253-0x0000000001350000-0x000000000184E000-memory.dmp  5.0MB
memory/1544-255-0x0000000001350000-0x000000000184E000-memory.dmp  5.0MB
memory/1544-257-0x0000000001350000-0x000000000184E000-memory.dmp  5.0MB
memory/1544-259-0x0000000001350000-0x000000000184E000-memory.dmp  5.0MB
memory/1544-262-0x0000000001350000-0x000000000184E000-memory.dmp  5.0MB
memory/1544-264-0x0000000001350000-0x000000000184E000-memory.dmp  5.0MB
memory/1544-266-0x0000000001350000-0x000000000184E000-memory.dmp  5.0MB
memory/1544-269-0x0000000001350000-0x000000000184E000-memory.dmp  5.0MB
memory/1544-271-0x0000000001350000-0x000000000184E000-memory.dmp  5.0MB
memory/3000-15-0x0000000002F60000-0x000000000345E000-memory.dmp   5.0MB
memory/3000-14-0x0000000002F60000-0x000000000345E000-memory.dmp   5.0MB