Analysis

max time kernel: 146s
max time network: 149s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 21-05-2024 17:09
Static task: static1

Behavioral tasks (sample / resource):
behavioral1: 641665ec1ee0c3c0d2bdfe490d94326c_JaffaCakes118.exe / win7-20240221-en
behavioral2: 641665ec1ee0c3c0d2bdfe490d94326c_JaffaCakes118.exe / win10v2004-20240426-en
behavioral3: $PLUGINSDIR/System.dll / win7-20240221-en
behavioral4: $PLUGINSDIR/System.dll / win10v2004-20240508-en
behavioral5: $PLUGINSDIR/UAC.dll / win7-20240508-en
behavioral6: $PLUGINSDIR/UAC.dll / win10v2004-20240508-en
behavioral7: $PLUGINSDIR/UserInfo.dll / win7-20240220-en
behavioral8: $PLUGINSDIR/UserInfo.dll / win10v2004-20240426-en
behavioral9: $PLUGINSDIR/nsDialogs.dll / win7-20240220-en
behavioral10: $PLUGINSDIR/nsDialogs.dll / win10v2004-20240508-en
behavioral11: $PLUGINSDIR/nsExec.dll / win7-20240215-en
behavioral12: $PLUGINSDIR/nsExec.dll / win10v2004-20240508-en
behavioral13: 1_1.exe / win7-20231129-en
behavioral14: 1_1.exe / win10v2004-20240426-en
behavioral15: file.exe / win7-20240221-en
behavioral16: file.exe / win10v2004-20240508-en
behavioral17: file.vbs / win7-20240508-en
behavioral18: file.vbs / win10v2004-20240426-en
General

Target: 1_1.exe
Size: 2.1MB
MD5: 5a2a75f58899cde4c6f0db01e76ec957
SHA1: 687a13b27fc71c0f5b13bbec024a7355d68e9366
SHA256: 5f542d4b44d1cfad8c47508393fe2695a6165faa0010db45c6a83345e06981d6
SHA512: 1beed060bf19b93ee6928141e53d8957bb7a06054a38f18f4a03cdd04d8bcff20f6b388c128c04b8ddb337f05730b877b8f44b9b7a1ed4473df6c4e35e229abd
SSDEEP: 49152:1RQHZCG6lEfw7FclTsIvv1+91BrweH6m71CL5eHYRW:1v7lYw5Ivv89vT71CdeHYE
Malware Config
Extracted
cryptbot
otteppp05.top
doorres02.top
Signatures

CryptBot payload (20 IoCs)
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
Processes: 1_1.exe
  Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (1_1.exe)

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: 1_1.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (1_1.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (1_1.exe)

Identifies Wine through registry keys (2 TTPs, 1 IoC)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: 1_1.exe
  Key opened: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Wine (1_1.exe)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
Processes: 1_1.exe (pid 2012)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: 1_1.exe
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (1_1.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (1_1.exe)

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes: 1_1.exe (pid 2012)

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: 1_1.exe (pid 2012); 1_1.exe (pid 2012)
Processes

1. C:\Users\Admin\AppData\Local\Temp\1_1.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1_1.exe"
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Identifies Wine through registry keys
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Checks processor information in registry
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
Downloads
C:\Users\Admin\AppData\Local\Temp\xbymhrQYGlon\I0kSu835nXDi.zip
  Filesize: 469KB
  MD5: 43b81f6c585e06f614e887333c30ed77
  SHA1: 4eed8a96d51546499d72eee13a7b2af3b54d106d
  SHA256: 64693c1d687a2d6ce3a2cfe4477f803ab0d62e47482df2f484ad8aa3840d4c54
  SHA512: bb4af7b39ca0d09952aaaff0100426d58c638922b47f47347caed8fbea956a955987515c5389e3bf1fc935a7e7ff54df2cc92b1bfc332b64fc433f7aae2d472e

C:\Users\Admin\AppData\Local\Temp\xbymhrQYGlon\_Files\_Files\UnblockGrant.txt
  Filesize: 436KB
  MD5: 6232cef8fa9abf01256de35b54d780b4
  SHA1: 0771379b715b9963a1b104ab2e531149025e8f34
  SHA256: f4dda69bb00512727f53a42ba0812ad9ed61e5465ae207d7922dec21fb389394
  SHA512: 49ebec8deb5ce93218079e0ff5f8ef336d107f420aa2cf0e26a8b3f72396d4be19198bcab3852d739eefad6db068b401348c8383ab0118d64b63878ae857b535

C:\Users\Admin\AppData\Local\Temp\xbymhrQYGlon\_Files\_Information.txt
  Filesize: 8KB
  MD5: 462e9860eee3c95b6ba29ebbd2b48af4
  SHA1: a68280aaffdfed90fea9b451bc79079fdc888c03
  SHA256: a564ba38a28c7e39aa4f062f75817fb827b0740bec79c89f1d0e65b946eb83a9
  SHA512: 1330a37ddd5f63ff6b15a8b82dd00a614aa3c434a3dacef50432d56e20f3b0006fb8370e05a2860573f027674a6ec55e7e9f40446237731c084e1af7b283fd0b

C:\Users\Admin\AppData\Local\Temp\xbymhrQYGlon\_Files\_Screen_Desktop.jpeg
  Filesize: 40KB
  MD5: e5d3e82f897cba7dad66cb730233f24b
  SHA1: 19e4e0a4a74e072cf6f9da3013d5cea6385f025f
  SHA256: 060e641c847b185d9550d7e2d77c080720124330081d697230ff31c0cf4bb739
  SHA512: 2f3216d22ae68140e4862ac801b101323bab47c10aaa1a1e4318dc4e9562685e3d149cdbe9f35a880a5747c323ec4f1ce5f1cd7e982ed55a3c7cf448e6cf6bd6

C:\Users\Admin\AppData\Local\Temp\xbymhrQYGlon\files_\system_info.txt
  Filesize: 8KB
  MD5: d9bf1a34212ab5bdd28bd5b7c6f82454
  SHA1: 8da7c4f524eb9527106af84bf9241d2faee542ea
  SHA256: 5b9a9b63cfea9a2d649d939bd19c0976454b5c8679503e5057393c2c6757040f
  SHA512: f0d08fb5f704896c0ef614617f064cf8ac22ee42351eb7b1d9762b738eef6f0a7580853660d9405a0694d0b5ce2718e66052c28a7dd2f8d538e6bf0dfacd0c16