Analysis
max time kernel: 143s
max time network: 145s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 23-05-2024 13:28

Static task: static1
Behavioral task: behavioral1
Sample: 6b16a229b3af43c100a1c8baae0b0d4f_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: 6b16a229b3af43c100a1c8baae0b0d4f_JaffaCakes118.exe
Size: 4.2MB
MD5: 6b16a229b3af43c100a1c8baae0b0d4f
SHA1: bc8b107ca7db60e94a36fd01908a853292025a9c
SHA256: 1dd611fc80b9bbd697113ef3afe747edf5fe51e23b3c7407a29c65f753f1260d
SHA512: 6aa3aa03ed24d75ea2fbbd2c9e6ad785032d3d23ca450ff467b61e793ca46cd71594027f1b990471ddaa867e4822fd52d059eeb9d0d6f655baf7c7e2ff9f747e
SSDEEP: 98304:G0YVc8p/kHGJq2fMZggNR97ORwF5mBvoN0VH9zZDHnvVoZ0ljqNRYx:G078pPq64RURwbvN8HV1HnvVoZ4CRYx
Malware Config
Extracted
Family: cryptbot
Domains (from extracted config): nkoopw03.top, moraass06.top
Signatures

CryptBot payload 15 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2568-252-0x0000000001330000-0x0000000001848000-memory.dmp | family_cryptbot
behavioral1/memory/2568-257-0x0000000001330000-0x0000000001848000-memory.dmp | family_cryptbot
behavioral1/memory/2568-260-0x0000000001330000-0x0000000001848000-memory.dmp | family_cryptbot
behavioral1/memory/2568-262-0x0000000001330000-0x0000000001848000-memory.dmp | family_cryptbot
behavioral1/memory/2568-265-0x0000000001330000-0x0000000001848000-memory.dmp | family_cryptbot
behavioral1/memory/2568-267-0x0000000001330000-0x0000000001848000-memory.dmp | family_cryptbot
behavioral1/memory/2568-270-0x0000000001330000-0x0000000001848000-memory.dmp | family_cryptbot
behavioral1/memory/2568-272-0x0000000001330000-0x0000000001848000-memory.dmp | family_cryptbot
behavioral1/memory/2568-274-0x0000000001330000-0x0000000001848000-memory.dmp | family_cryptbot
behavioral1/memory/2568-276-0x0000000001330000-0x0000000001848000-memory.dmp | family_cryptbot
behavioral1/memory/2568-279-0x0000000001330000-0x0000000001848000-memory.dmp | family_cryptbot
behavioral1/memory/2568-281-0x0000000001330000-0x0000000001848000-memory.dmp | family_cryptbot
behavioral1/memory/2568-284-0x0000000001330000-0x0000000001848000-memory.dmp | family_cryptbot
behavioral1/memory/2568-286-0x0000000001330000-0x0000000001848000-memory.dmp | family_cryptbot
behavioral1/memory/2568-288-0x0000000001330000-0x0000000001848000-memory.dmp | family_cryptbot
All 15 hits are the same region (0x0000000001330000-0x0000000001848000) of PID 2568 (1.exe), dumped at successive points of the run.

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 1.exe

Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 1.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 1.exe

Executes dropped EXE 1 IoCs
Processes:
pid | process
2568 | 1.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Wine | 1.exe

Loads dropped DLL 7 IoCs
Processes:
pid | process
2924 | 6b16a229b3af43c100a1c8baae0b0d4f_JaffaCakes118.exe
2924 | 6b16a229b3af43c100a1c8baae0b0d4f_JaffaCakes118.exe
2924 | 6b16a229b3af43c100a1c8baae0b0d4f_JaffaCakes118.exe
2924 | 6b16a229b3af43c100a1c8baae0b0d4f_JaffaCakes118.exe
2568 | 1.exe
2568 | 1.exe
2568 | 1.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
pid | process
2568 | 1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 1.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 1.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
pid | process
2568 | 1.exe

Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid | process
2568 | 1.exe
2568 | 1.exe

Suspicious use of WriteProcessMemory 7 IoCs
Processes:
description | pid | process | target process
PID 2924 wrote to memory of 2568 | 2924 | 6b16a229b3af43c100a1c8baae0b0d4f_JaffaCakes118.exe | 1.exe (recorded 7 times)
All seven events are the dropper (PID 2924) writing into the 1.exe child it launches (PID 2568); the report records no writes into any other process.
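The four registry-based signatures above (VirtualBox ACPI table, BIOS version strings, the Wine key, CentralProcessor\0) are individually weak: BIOS and CPU values are read by inventory tools, installers and drivers on every machine, while the VBOX__ ACPI entry and HKCU\Software\Wine only exist inside an analysis or emulation environment. The following script is an added example, not part of the report or of any sandbox's own code. It parses registry event lines in the shape the report prints them, tags each access against those artifacts, and scores per process so that the specific checks dominate. The tag names, weights and threshold are this example's own choices; the extra FADT/RSDT ACPI tables and the constructed `inventory.exe` event are assumptions added for contrast, not taken from the report.

```python
import re
from collections import defaultdict

# Registry events in the shape the report above records them:
#   "<operation> <registry path> <process name>"
EVENT_RE = re.compile(
    r"^(?P<op>Key opened|Key value queried)\s+(?P<path>\\REGISTRY\\\S+)\s+(?P<proc>\S+)$"
)

# (pattern over the registry path, tag, weight). The paths are the ones the
# report's signatures cite; the tags and weights are this example's own.
# VirtualBox ACPI tables and the Wine key only exist in an analysis or
# emulation environment, so they weigh more than BIOS/CPU strings, which
# inventory tools, installers and drivers read on every machine.
ANTI_ANALYSIS_PATTERNS = [
    (r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", "virtualbox_acpi", 3),
    (r"\\Software\\Wine$", "wine_check", 3),
    (r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", "bios_version", 1),
    (r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0(\\ProcessorNameString)?$",
     "cpu_fingerprint", 1),
]

# Constructed sample: the six events the report attributes to 1.exe, plus one
# BIOS read from a hypothetical inventory tool to show the weak signal alone.
SAMPLE_EVENTS = [
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 1.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 1.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 1.exe",
    r"Key opened \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Wine 1.exe",
    r"Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 1.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 1.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion inventory.exe",
]


def parse_event(line):
    """Split one event line into op/path/proc, or None if it is not a registry event."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_path(path):
    """Return [(tag, weight), ...] for every anti-analysis artifact the path touches."""
    return [(tag, weight) for pattern, tag, weight in ANTI_ANALYSIS_PATTERNS
            if re.search(pattern, path, re.IGNORECASE)]


def score_processes(lines):
    """Per-process tag set and score; each tag counts once no matter how often it is hit."""
    summary = defaultdict(lambda: {"tags": set(), "score": 0, "events": 0})
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        entry = summary[ev["proc"]]
        entry["events"] += 1
        for tag, weight in classify_path(ev["path"]):
            if tag not in entry["tags"]:
                entry["tags"].add(tag)
                entry["score"] += weight
    return dict(summary)


def flag_processes(summary, threshold=4):
    """Processes whose combined score reaches the threshold (one specific check + anything)."""
    return sorted(proc for proc, entry in summary.items() if entry["score"] >= threshold)


if __name__ == "__main__":
    result = score_processes(SAMPLE_EVENTS)
    for proc, entry in result.items():
        print(f"{proc}: score={entry['score']} tags={sorted(entry['tags'])}")
    print("flagged:", flag_processes(result))
```

With the threshold at 4, a process that only reads BIOS or CPU strings never trips the rule on its own; 1.exe reaches 8 because it combines the VirtualBox and Wine lookups with both weak checks.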
Processes
1. C:\Users\Admin\AppData\Local\Temp\6b16a229b3af43c100a1c8baae0b0d4f_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6b16a229b3af43c100a1c8baae0b0d4f_JaffaCakes118.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\sibF00.tmp\0\1.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\sibF00.tmp\0\1.exe" /s
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Temp\86le6zo\VrUlpGpmLAtz.zip
Filesize: 37KB
MD5: c5b6bdf1f2bb13322aa89a93ca7364e0
SHA1: b2b943079eb98ef8a43765ba6747a3d56c131030
SHA256: f2c47c771b3469b1becd4cfe078073e539a4fbca2def2ed2727454b1ab847070
SHA512: 66b47afa4a337c066e94511ee3db1b5ecb5b1fade418075184ab366f4391237ec5e6bb0dfb40a8982c5de04e8b630645e4a36b2ec82d15f07d7b80763e5007c3

C:\Users\Admin\AppData\Local\Temp\86le6zo\_Files\_Information.txt
Filesize: 4KB
MD5: 0d2609ab06e9d7c35564ee41858e99fb
SHA1: 24fffef81ec7c92c6a34364236a1dfd2e9fdf617
SHA256: 081c56773d52c0a6a063e4affa32c5acfacfa97a2515257184337747f110fb68
SHA512: 5a97ac231e464b78dca53882ffb2985533ad1ee7fd03f106d1b8218efd1898bdd7640cc80f7d12c53fac239d6c1791c310e3ef89775a22e43d632f77776d5ef2

C:\Users\Admin\AppData\Local\Temp\86le6zo\_Files\_Screen_Desktop.jpeg
Filesize: 44KB
MD5: f05f755c7109b95593711a5479264f00
SHA1: e91036752600619f16f78147c862b9ebed5cfc63
SHA256: a3a1d18dade50eee35c3aed2fe37cc94e3db7fae944b2a7f6473bfee353801fc
SHA512: eceae0f3be63c5a83e79e533b1391de6f820cb2a9a37843d7764498940c966f35d4efe176a8e3d1b5b7beaebc25ec7329d17f6188cb04893709610dfbfdefde6

C:\Users\Admin\AppData\Local\Temp\86le6zo\files_\system_info.txt
Filesize: 8KB
MD5: d7703ad791220c156ea5ac8e03a308f1
SHA1: 28810b4d2dd93c7fed0cc7b9c8b750b2e465d2ee
SHA256: 834397c1b2ecab0b7f5839c33a4e94fb2a7572929d234894f4d34ae09cd2ac51
SHA512: 2c98741ab4070bad1b861649e5c903dd541b6e1742900b091db261d5f61f09952ae59d0aa33dcd97b73a3a59c2c4cba92d3341ad68c4a7e6cde1cb01d40ad92d

\Users\Admin\AppData\Local\Temp\nstE63.tmp\Sibuia.dll
Filesize: 524KB
MD5: 6a3c3c97e92a5949f88311e80268bbb5
SHA1: 48c11e3f694b468479bc2c978749d27b5d03faa2
SHA256: 7938db73242aafbe80915e4ca886d38be9b7e872b93bdae1e8ee6cf4a005b7d9
SHA512: 6141886a889825ccdfa59a419f7670a34ef240c4f90a83bc17223c415f2fbd983280e98e67485710e449746b5bf3284907537bef6ab698a48954dd4910ddf693

\Users\Admin\AppData\Local\Temp\sibF00.tmp\0\1.exe
Filesize: 2.2MB
MD5: c14c9a4a5c513503819a11cd45990ffb
SHA1: 8870d5367a74a28c3bb9cbf87f997dca97b011df
SHA256: d8422a39eda16826cbf159e7589605124c2f4b695354ccb9040f641aa0cd5e0f
SHA512: 76019b6906b5f2fdbc25a514c7de099ddac3f88b8939e59fcc700ed880d9de522746ff4b09cfa18cb68a6257c2e8b390650037a7efd80dd5d6751a7b819e6e97

\Users\Admin\AppData\Local\Temp\sibF00.tmp\SibClr.dll
Filesize: 51KB
MD5: 5ea6d2ffeb1be3fc0571961d0c4c2b5f
SHA1: 902dfe9ae735c83fb0cb46b3e110bbf2aa80209e
SHA256: 508336b6a7c3226738e74f6ce969e828da904ad9f7610b9112f883a316ee9222
SHA512: e81657087f451a37f06a07bf84175117fdaf75d5d8b84cbdc49497fcf88f96e259074518ea3037680d27c9eaeebd7a8df496297593fead88d7edea202a572585

memory/2568-30-0x0000000000BA0000-0x00000000010B8000-memory.dmp | Filesize: 5.1MB
memory/2568-257-0x0000000001330000-0x0000000001848000-memory.dmp | Filesize: 5.1MB
memory/2568-288-0x0000000001330000-0x0000000001848000-memory.dmp | Filesize: 5.1MB
memory/2568-29-0x0000000001330000-0x0000000001848000-memory.dmp | Filesize: 5.1MB
memory/2568-32-0x0000000000BA0000-0x00000000010B8000-memory.dmp | Filesize: 5.1MB
memory/2568-31-0x0000000000BA0000-0x00000000010B8000-memory.dmp | Filesize: 5.1MB
memory/2568-33-0x00000000779D0000-0x00000000779D2000-memory.dmp | Filesize: 8KB
memory/2568-35-0x0000000001331000-0x000000000138C000-memory.dmp | Filesize: 364KB
memory/2568-34-0x0000000000F10000-0x0000000000F12000-memory.dmp | Filesize: 8KB
memory/2568-286-0x0000000001330000-0x0000000001848000-memory.dmp | Filesize: 5.1MB
memory/2568-284-0x0000000001330000-0x0000000001848000-memory.dmp | Filesize: 5.1MB
memory/2568-281-0x0000000001330000-0x0000000001848000-memory.dmp | Filesize: 5.1MB
memory/2568-252-0x0000000001330000-0x0000000001848000-memory.dmp | Filesize: 5.1MB
memory/2568-279-0x0000000001330000-0x0000000001848000-memory.dmp | Filesize: 5.1MB
memory/2568-276-0x0000000001330000-0x0000000001848000-memory.dmp | Filesize: 5.1MB
memory/2568-274-0x0000000001330000-0x0000000001848000-memory.dmp | Filesize: 5.1MB
memory/2568-258-0x0000000000BA0000-0x00000000010B8000-memory.dmp | Filesize: 5.1MB
memory/2568-272-0x0000000001330000-0x0000000001848000-memory.dmp | Filesize: 5.1MB
memory/2568-260-0x0000000001330000-0x0000000001848000-memory.dmp | Filesize: 5.1MB
memory/2568-270-0x0000000001330000-0x0000000001848000-memory.dmp | Filesize: 5.1MB
memory/2568-262-0x0000000001330000-0x0000000001848000-memory.dmp | Filesize: 5.1MB
memory/2568-265-0x0000000001330000-0x0000000001848000-memory.dmp | Filesize: 5.1MB
memory/2568-267-0x0000000001330000-0x0000000001848000-memory.dmp | Filesize: 5.1MB
memory/2924-10-0x000000007431E000-0x000000007431F000-memory.dmp | Filesize: 4KB
memory/2924-256-0x000000001D150000-0x000000001D668000-memory.dmp | Filesize: 5.1MB
memory/2924-28-0x000000001D150000-0x000000001D668000-memory.dmp | Filesize: 5.1MB
memory/2924-255-0x0000000074310000-0x00000000749FE000-memory.dmp | Filesize: 6.9MB
memory/2924-254-0x000000007431E000-0x000000007431F000-memory.dmp | Filesize: 4KB
memory/2924-14-0x00000000029A0000-0x00000000029B2000-memory.dmp | Filesize: 72KB
memory/2924-15-0x0000000011070000-0x000000001112A000-memory.dmp | Filesize: 744KB
memory/2924-18-0x0000000074310000-0x00000000749FE000-memory.dmp | Filesize: 6.9MB
memory/2924-24-0x0000000074310000-0x00000000749FE000-memory.dmp | Filesize: 6.9MB
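The four files listed under Downloads above (a zip, `_Files\_Information.txt`, `_Files\_Screen_Desktop.jpeg` and `files_\system_info.txt`) all sit in one randomly named directory under the user's Temp folder and are the collection bundle the stealer assembles before exfiltration. The script below is an added example, not part of the report or of any tool's own code: given file paths (for instance from file-create telemetry or a triage listing of %TEMP%), it groups them by Temp subdirectory and flags directories that carry that layout. Matching on the fixed `_Files\`/`files_\` names while treating the directory and zip names as random is this example's assumption, as are the two hypothetical benign paths added to the constructed sample.

```python
import re
from collections import defaultdict

# One staging directory per run, directly under the user's Temp folder.
# The directory name (86le6zo in the report) and the zip name vary; the
# _Files\ and files_\ layout is what this example matches on.
STAGING_ROOT_RE = re.compile(
    r"^(?P<root>(?:[A-Za-z]:)?\\Users\\[^\\]+\\AppData\\Local\\Temp\\[^\\]+)\\(?P<rel>.+)$",
    re.IGNORECASE,
)

# Relative path inside the staging directory -> marker tag. The paths are
# those listed under Downloads above; the tag names are this example's own.
MARKERS = {
    r"^_Files\\_Information\.txt$": "info_txt",
    r"^_Files\\_Screen_Desktop\.jpe?g$": "screenshot",
    r"^files_\\system_info\.txt$": "sysinfo",
    r"^[^\\]+\.zip$": "archive",
}

# Constructed sample: the four artefacts from the report, the dropper's own
# temp files (also from the report), and two hypothetical benign paths.
SAMPLE_FILE_EVENTS = [
    r"C:\Users\Admin\AppData\Local\Temp\86le6zo\VrUlpGpmLAtz.zip",
    r"C:\Users\Admin\AppData\Local\Temp\86le6zo\_Files\_Information.txt",
    r"C:\Users\Admin\AppData\Local\Temp\86le6zo\_Files\_Screen_Desktop.jpeg",
    r"C:\Users\Admin\AppData\Local\Temp\86le6zo\files_\system_info.txt",
    r"C:\Users\Admin\AppData\Local\Temp\nstE63.tmp\Sibuia.dll",
    r"C:\Users\Admin\AppData\Local\Temp\sibF00.tmp\0\1.exe",
    r"C:\Users\Admin\AppData\Local\Temp\tmp4f2a\notes.zip",   # hypothetical: a lone zip
    r"C:\Users\Admin\Documents\backup.zip",                   # hypothetical: outside Temp
]


def group_staging(paths):
    """Map each Temp subdirectory to the set of layout markers seen inside it."""
    groups = defaultdict(set)
    for path in paths:
        m = STAGING_ROOT_RE.match(path.strip())
        if not m:
            continue                          # not under %TEMP%\<dir>\: out of scope
        tags = groups[m.group("root")]        # registers the directory even with no markers
        for pattern, tag in MARKERS.items():
            if re.match(pattern, m.group("rel"), re.IGNORECASE):
                tags.add(tag)
    return dict(groups)


def find_staging_dirs(paths, required=("info_txt", "archive")):
    """Directories holding every required marker; a lone zip or a lone txt is not enough."""
    groups = group_staging(paths)
    return sorted(root for root, tags in groups.items() if set(required) <= tags)


if __name__ == "__main__":
    for root, tags in group_staging(SAMPLE_FILE_EVENTS).items():
        print(f"{root}: {sorted(tags)}")
    print("staging dirs:", find_staging_dirs(SAMPLE_FILE_EVENTS))
```

Requiring both the information file and the archive avoids alerting on every zip a user drops into Temp; the screenshot and system_info markers are recorded too, so the threshold can be raised when the telemetry is noisy.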