Analysis
- max time kernel: 145s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-05-2024 17:09
Static task: static1
Behavioral tasks (sample on resource):
- behavioral1: 641665ec1ee0c3c0d2bdfe490d94326c_JaffaCakes118.exe on win7-20240221-en
- behavioral2: 641665ec1ee0c3c0d2bdfe490d94326c_JaffaCakes118.exe on win10v2004-20240426-en
- behavioral3: $PLUGINSDIR/System.dll on win7-20240221-en
- behavioral4: $PLUGINSDIR/System.dll on win10v2004-20240508-en
- behavioral5: $PLUGINSDIR/UAC.dll on win7-20240508-en
- behavioral6: $PLUGINSDIR/UAC.dll on win10v2004-20240508-en
- behavioral7: $PLUGINSDIR/UserInfo.dll on win7-20240220-en
- behavioral8: $PLUGINSDIR/UserInfo.dll on win10v2004-20240426-en
- behavioral9: $PLUGINSDIR/nsDialogs.dll on win7-20240220-en
- behavioral10: $PLUGINSDIR/nsDialogs.dll on win10v2004-20240508-en
- behavioral11: $PLUGINSDIR/nsExec.dll on win7-20240215-en
- behavioral12: $PLUGINSDIR/nsExec.dll on win10v2004-20240508-en
- behavioral13: 1_1.exe on win7-20231129-en
- behavioral14: 1_1.exe on win10v2004-20240426-en
- behavioral15: file.exe on win7-20240221-en
- behavioral16: file.exe on win10v2004-20240508-en
- behavioral17: file.vbs on win7-20240508-en
- behavioral18: file.vbs on win10v2004-20240426-en
General
- Target: 1_1.exe
- Size: 2.1MB
- MD5: 5a2a75f58899cde4c6f0db01e76ec957
- SHA1: 687a13b27fc71c0f5b13bbec024a7355d68e9366
- SHA256: 5f542d4b44d1cfad8c47508393fe2695a6165faa0010db45c6a83345e06981d6
- SHA512: 1beed060bf19b93ee6928141e53d8957bb7a06054a38f18f4a03cdd04d8bcff20f6b388c128c04b8ddb337f05730b877b8f44b9b7a1ed4473df6c4e35e229abd
- SSDEEP: 49152:1RQHZCG6lEfw7FclTsIvv1+91BrweH6m71CL5eHYRW:1v7lYw5Ivv89vT71CdeHYE
Malware Config
Extracted configuration, family cryptbot:
- otteppp05.top
- doorres02.top
Signatures
- CryptBot payload (21 IoCs): YARA rule family_cryptbot matched memory dumps of process 3968 in behavioral14
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  1_1.exe: key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  1_1.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  1_1.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- Identifies Wine through registry keys (2 TTPs, 1 IoC)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  1_1.exe: key opened \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Wine
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  1_1.exe (pid 3968)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  1_1.exe: key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  1_1.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  1_1.exe (pid 3968), 2 occurrences
- Suspicious use of FindShellTrayWindow (2 IoCs)
  1_1.exe (pid 3968), 2 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\1_1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1_1.exe"
  Signatures triggered:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
MITRE ATT&CK Matrix (ATT&CK v13): shown as an interactive matrix on the original report page, not reproduced here.
Downloads (dropped files)
- C:\Users\Admin\AppData\Local\Temp\xbymhrQYGlon\I0kSu835nXDi.zip
  Filesize: 325KB
  MD5: 283fbd067e3a026c46402c4f3924fbe4
  SHA1: 1eedc40b4ba46a4c17fb67abe434ba9ebdf8b313
  SHA256: 0df4bc3c3004761d3568c9328e89d819f037b535abe6f36a59258c6bfaf30afb
  SHA512: 1697f11f41fb6a554204db649e72e620daa08421cc2be71d1961fa4021091bc2bafe921a24b4c1f15f2dfbaf5ebb9353c8e3a9f1e0e5134b72384639d96cc54a
- C:\Users\Admin\AppData\Local\Temp\xbymhrQYGlon\_Files\_Files\UndoRemove.txt
  Filesize: 283KB
  MD5: e6d0058aa7e5f1d051e4f2ec72bead39
  SHA1: ad3fae0834649dd4d71b10d201936f7e608b96e7
  SHA256: 9732affbb95fb110631e0e28b75edd1b464dca98b7c34f46593a5a294581db03
  SHA512: 2736b242a7fd006a6de316061486a5163f47552d765693ff59b9286f472e36095844f0a0828f81b75dc49486d4f01fd2b84703ec851d85816cb05d5973f2b599
- C:\Users\Admin\AppData\Local\Temp\xbymhrQYGlon\_Files\_Information.txt
  Filesize: 4KB
  MD5: c1a9280789538c57e7ded844e051ec95
  SHA1: 3d15fa02ef0db6192af925e5696a608d63edadc3
  SHA256: d22dfc7c3763059886e4233c23abf56f8d9959c79b4d6794ea34f0d543b5a8c2
  SHA512: 2155a895c732a556077ab323db1ba1aa842bd5d31998042de0afdd34d903274bc0ee6ee7d4875c5d4b1bd87e47c4faf538ee1f5461d664185ff85c77eb770b2b
- C:\Users\Admin\AppData\Local\Temp\xbymhrQYGlon\_Files\_Screen_Desktop.jpeg
  Filesize: 48KB
  MD5: 9809e054486fec3f80031fb91c1b41ca
  SHA1: 4fd85c16fe7f31f69e4dea4a70f6093b2ae8c3de
  SHA256: b67dfeb365d5f9494474765bca94641d7796be873c079cc9049265eed212899f
  SHA512: 3291a8d5f91202ab8a0b229d5bb3eccfbc89729e185a76bd588566fa745b6c0068c1afdff531386a26104f079481f8beabea53911fbe3109de57c0236a0b4253
- C:\Users\Admin\AppData\Local\Temp\xbymhrQYGlon\bFogcARCIrQ.zip
  Filesize: 325KB
  MD5: 994da235310c1fe244839c7abee8d4db
  SHA1: df57fa4e7c61eaca518f6b3c4e51f7c116c53d41
  SHA256: e9642b70979b1d5d201307e8849d18d9ca0222e401d35037776ff732dff050be
  SHA512: 607076f34d107e7f18ff901d0ad52c5062ecb8077ef35d24acccf43eeed9e01a0a4c1783770d8a185855062e3b7258a96558411672001a9c32d4ff56c5807dd5
- C:\Users\Admin\AppData\Local\Temp\xbymhrQYGlon\files_\system_info.txt
  Filesize: 660B
  MD5: 35e134ef802e9fa49465eb0919055d90
  SHA1: a03a8f3d18ac750b03fa6f38d7fae8676cb5ad11
  SHA256: ae436609fc888b4a73be4bbeee8c4b18e6bcbe47334e1475102cdbf55d58b39a
  SHA512: 412337d710dbed25d5d416609b716063ba917328f5d6c1aa1b8e7639afbed956343c9997e401ee3f856fc532ced8f597786a431b92b0a08027790e15b1866312
- C:\Users\Admin\AppData\Local\Temp\xbymhrQYGlon\files_\system_info.txt
  Filesize: 7KB
  MD5: 30f906b86ac61c590a069f03e99cd56f
  SHA1: a9b9868906c6011777450bc96109fe7c963924fc
  SHA256: aa912f0f7683c43aeb13087a9b3d0e7ed7b589a9e2e1928c91b513883e15ccbe
  SHA512: 18f0658c3b8b1dca52003736e1821650011384644a5cd47b50586a6dd1f10ec83f22a2942eb0693430006aad25208c39aed1cc3c84417cac179d526ae5513916