Overview

overview

10

Static

static

3

641665ec1e...18.exe

windows7-x64

10

641665ec1e...18.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDIR/UAC.dll

windows7-x64

3

$PLUGINSDIR/UAC.dll

windows10-2004-x64

3

$PLUGINSDI...fo.dll

windows7-x64

3

$PLUGINSDI...fo.dll

windows10-2004-x64

3

$PLUGINSDI...gs.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

1_1.exe

windows7-x64

10

1_1.exe

windows10-2004-x64

10

file.exe

windows7-x64

9

file.exe

windows10-2004-x64

9

file.vbs

windows7-x64

8

file.vbs

windows10-2004-x64

8

Analysis

  • max time kernel
    144s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    21-05-2024 17:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    641665ec1ee0c3c0d2bdfe490d94326c_JaffaCakes118.exe

  • Size

    4.4MB

  • MD5

    641665ec1ee0c3c0d2bdfe490d94326c

  • SHA1

    13c5ab89fdb2e57beff2614659c368b4b67f2ebe

  • SHA256

    3cc03de0ddea408c9411f50251d308c51e21f1df7a39d8fba70620696c87eb5b

  • SHA512

    b2dab0155d39b918574901a74a00b8e76e2ebac12cf41c762e1792841377489a358881828ed853b85dcbfaf244152efafecaccea8b5dcfdc7b7c5db9fc33e725

  • SSDEEP

    98304:5OuIv2eLDrhxayvHhhvC2/IlbehfLCaW47c+UpzXo78UaaWwPfs:5Oum2pyvHHvvIlydLVNoLpzYI0WwM

Score
10/10
cryptbotdiscoveryevasionspywarestealer

Malware Config

Extracted

Family

cryptbot

C2

otteppp05.top

doorres02.top

Signatures

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • CryptBot payload 15 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\641665ec1ee0c3c0d2bdfe490d94326c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\641665ec1ee0c3c0d2bdfe490d94326c_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:3000
    • C:\Program Files (x86)\Salamanda\bedf\1_1.exe
      "C:\Program Files (x86)\Salamanda\bedf\1_1.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Loads dropped DLL
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      PID:1544

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

5
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\xbymhrQYGlon\I0kSu835nXDi.zip
    Filesize

    33KB

    MD5

    86c1d24e1c8bd405bd3d51e06648774e

    SHA1

    faba32621d5e8a5218d8dacc1355853fdee24ceb

    SHA256

    8390d4fa95523fee387ec5a797539c0693595bf3c1407f4f4a15875ecd6ca625

    SHA512

    9752d1022f08ddd86e88485f489ad1694ed81c92cf4705d2d9dc031ee1ab02e12e24ad8a8e4b9825ec90f98cc94da5e28cb54f60be7f9869ddbeee50b45339ae

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\xbymhrQYGlon\_Files\_Information.txt
    Filesize

    1KB

    MD5

    dd6d3f73f60409e3c36d7fe0209d7bbc

    SHA1

    c8ab3abc958611883e6708ce8b19bc5fda2468dc

    SHA256

    62143d958a0fd3d42c2c3c2babcd8a5ff965205d5092c2ee0c3162da15845497

    SHA512

    3557bca5493f869f9ce77e9bfaa0b8e38773179762a83d12220acbd0c928030dae140cc91d2d43380df8a9d7f3cbde38a77c8d5a8d3a511203cd067b0f3c4f5c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\xbymhrQYGlon\_Files\_Information.txt
    Filesize

    3KB

    MD5

    acd53a65d2ade248c8adc3ab532e0142

    SHA1

    9b9b15d1d4100c340daa4e726d6710871ff94ca9

    SHA256

    25261c5a4e4fedfdd34661220ffd1770ea80f6396635bbf511dbbd83405c4afd

    SHA512

    e2565cfcd64bc0af0a315cf6d36c8f4c1b24262df8b2363e2d82a6912efb88488c91a58acc0d256f836f433f38ebad7269527eddc8297089810d1d2370574ff6

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\xbymhrQYGlon\_Files\_Information.txt
    Filesize

    3KB

    MD5

    0ed5248cb167b099feef74f74acc83d0

    SHA1

    cadd8164590add9e4d5f4a53476a40288f5f4bfa

    SHA256

    718e5dc7eb1c28f2dedcc0002afd835ca0b43e2b5a5874398686ffe8bbfb1004

    SHA512

    9b9db2a755573937bac26caea298e39e5d2b79901441fbaff828faed19f4e25b4ad7ca42c67c7556278cd479b95c3b245564fa029bee3c483154a758b593e52e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\xbymhrQYGlon\_Files\_Information.txt
    Filesize

    3KB

    MD5

    e10e323cb07dcb07d011438ac2787179

    SHA1

    587475109583bae51035d0f4d82fa401b9d42ccd

    SHA256

    aa498c23c34d3ccd8f1baf0a393078527749f5f49107461e60c885c13a84431e

    SHA512

    c64d679150dea0e970e05cabd00cfc17091e546b624a4200f31e66aca0858135db0ea42e3f751d9cc12a4c9250275997d2883b72f5f45c671c5d098bbdfaff85

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\xbymhrQYGlon\_Files\_Information.txt
    Filesize

    4KB

    MD5

    4da486b0c78be53afebf783d30b6bcd6

    SHA1

    406c4571b990435fe87087242994b9fe5633c10b

    SHA256

    846b32c2fca0a141c3b2dab872384b45296e69d4510411ac530e2afd8af5a839

    SHA512

    094f8ced62299c840e6f9b4db0a79020630170da402b7a0ccdd8870398788e2c039ab24b84753823b0656bc5ac63e85c88254975d8ba588cd975c3de13213ada

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\xbymhrQYGlon\_Files\_Screen_Desktop.jpeg
    Filesize

    40KB

    MD5

    34ae6bb69354f8191c63fae108f5a378

    SHA1

    e7d21b24cd5fcdedb3fa9b0ba911c4177f9b2a51

    SHA256

    75458e1f980541d4236abe09fa847cf51f8d3cae2bd80e00bfc784911e916d48

    SHA512

    4f3a2e55b608b1073a74af5b8e5b7bd604871e57836c47f07546ac8dcbc20d016ec1cb5db9347ed68e17463d83f4851601c74b3f32b2063d21271056a3b18fc2

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\xbymhrQYGlon\files_\system_info.txt
    Filesize

    1KB

    MD5

    b5f8ae7f4c4851a05c842e8c49dc4ad7

    SHA1

    ec6f6e91de46782515cf010aba596ade3bb332e8

    SHA256

    ad74e0effa2fbd9b04ea0617da8efbb52deaf115c73cebc6c6d7356092fbd633

    SHA512

    4c2ab2fc05847966bf2c6f3ad231042938070bb3dd6d23604c15cac81ce10016e8823c933990675a6cc9cfa508485e3b013bc1865621f31fddefb916cc087813

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\xbymhrQYGlon\files_\system_info.txt
    Filesize

    3KB

    MD5

    a18dffa9c1c5dd8cfd7bf082c6a9e638

    SHA1

    e4d898a1d156bb337ffa7a45402eb12a36722167

    SHA256

    9a08310a18868fc0e7fb57fac7dd8dad81a74de44eb7d26b604a733bdc52b977

    SHA512

    f14895457db2493b9bceb3502cf607d113459a61d91253c539e8aee6602f8c6f301b2689b773acb57f16573a703b4d80df54c3faf4f92874ee9da894acdf98d3

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\xbymhrQYGlon\files_\system_info.txt
    Filesize

    5KB

    MD5

    fd48f3870627d5c34d2cef357e033418

    SHA1

    e6d9a4a6bbc3db987b9131482f0be5c433729e14

    SHA256

    f50c640f6a7bd1edc2c33b1a35e9fe3ed05d933b20c633719e86fd3ff97bf483

    SHA512

    811c3f26ffa41bc02c870ae0a5ea542fd43426cbae09f722a00b0b46511d206b790ac9c65dde6b20dc5a993dd77da0112c04efcc632e367a91717ce5891f8499

    Download Submit
  • \Program Files (x86)\Salamanda\bedf\1_1.exe
    Filesize

    2.1MB

    MD5

    5a2a75f58899cde4c6f0db01e76ec957

    SHA1

    687a13b27fc71c0f5b13bbec024a7355d68e9366

    SHA256

    5f542d4b44d1cfad8c47508393fe2695a6165faa0010db45c6a83345e06981d6

    SHA512

    1beed060bf19b93ee6928141e53d8957bb7a06054a38f18f4a03cdd04d8bcff20f6b388c128c04b8ddb337f05730b877b8f44b9b7a1ed4473df6c4e35e229abd

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nst22BE.tmp\UAC.dll
    Filesize

    14KB

    MD5

    adb29e6b186daa765dc750128649b63d

    SHA1

    160cbdc4cb0ac2c142d361df138c537aa7e708c9

    SHA256

    2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

    SHA512

    b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

    Download Submit
  • memory/1544-243-0x0000000001350000-0x000000000184E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/1544-275-0x0000000001350000-0x000000000184E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/1544-23-0x00000000774B0000-0x00000000774B2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1544-22-0x0000000000BF0000-0x00000000010EE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/1544-17-0x0000000001350000-0x000000000184E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/1544-242-0x0000000001350000-0x000000000184E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/1544-24-0x0000000001351000-0x00000000013AC000-memory.dmp
    Filesize

    364KB

    Download
  • memory/1544-245-0x0000000000BF0000-0x00000000010EE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/1544-246-0x0000000000BF0000-0x00000000010EE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/1544-247-0x0000000000BF0000-0x00000000010EE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/1544-248-0x0000000001350000-0x000000000184E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/1544-273-0x0000000001350000-0x000000000184E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/1544-251-0x0000000001350000-0x000000000184E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/1544-253-0x0000000001350000-0x000000000184E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/1544-255-0x0000000001350000-0x000000000184E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/1544-257-0x0000000001350000-0x000000000184E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/1544-259-0x0000000001350000-0x000000000184E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/1544-262-0x0000000001350000-0x000000000184E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/1544-264-0x0000000001350000-0x000000000184E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/1544-266-0x0000000001350000-0x000000000184E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/1544-269-0x0000000001350000-0x000000000184E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/1544-271-0x0000000001350000-0x000000000184E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3000-15-0x0000000002F60000-0x000000000345E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3000-14-0x0000000002F60000-0x000000000345E000-memory.dmp
    Filesize

    5.0MB

    Download