Overview
overview
10Static
static
379d775433b...18.exe
windows7-x64
1079d775433b...18.exe
windows10-2004-x64
10$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDIR/UAC.dll
windows7-x64
3$PLUGINSDIR/UAC.dll
windows10-2004-x64
3$PLUGINSDI...fo.dll
windows7-x64
3$PLUGINSDI...fo.dll
windows10-2004-x64
3$PLUGINSDI...gs.dll
windows7-x64
3$PLUGINSDI...gs.dll
windows10-2004-x64
3$PLUGINSDI...ec.dll
windows7-x64
3$PLUGINSDI...ec.dll
windows10-2004-x64
3$PROGRAMFI...ap.bat
windows7-x64
1$PROGRAMFI...ap.bat
windows10-2004-x64
1$PROGRAMFI...ll.bat
windows7-x64
1$PROGRAMFI...ll.bat
windows10-2004-x64
1$PROGRAMFI...on.exe
windows7-x64
1$PROGRAMFI...on.exe
windows10-2004-x64
1$PROGRAMFI...ll.exe
windows7-x64
1$PROGRAMFI...ll.exe
windows10-2004-x64
1$PROGRAMFI...01.sys
windows7-x64
1$PROGRAMFI...01.sys
windows10-2004-x64
1Setup.exe
windows7-x64
10Setup.exe
windows10-2004-x64
10Setupres.exe
windows7-x64
9Setupres.exe
windows10-2004-x64
9ipras.vbs
windows7-x64
8ipras.vbs
windows10-2004-x64
8ssleay32.dll
windows7-x64
1ssleay32.dll
windows10-2004-x64
1General
-
Target
79d775433be505a57ae175f5e6f427af_JaffaCakes118
-
Size
4.5MB
-
Sample
240527-vky2lsba31
-
MD5
79d775433be505a57ae175f5e6f427af
-
SHA1
32b9ac8255c3076841e658eabe581586ecdd8c8b
-
SHA256
b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91
-
SHA512
2c74529531c163ba9f768bf9aae97464aa5ddf2935c4085eb80d372a4e15d853bdfa46fc616b7b9b2e30730f4a484dfe3ba8b64188a3921faca589ffd379e7f7
-
SSDEEP
98304:GAUlwbKKobLmzt3iOah1NBR595arTOLQZsxpzYazTd9e:GjCzViOSNL590r6Lys/zYuO
Static task
static1
Behavioral task
behavioral1
Sample
79d775433be505a57ae175f5e6f427af_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
79d775433be505a57ae175f5e6f427af_JaffaCakes118.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240419-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/UAC.dll
Resource
win7-20240508-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/UAC.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/UserInfo.dll
Resource
win7-20240215-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/UserInfo.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral9
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win7-20231129-en
Behavioral task
behavioral10
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
$PLUGINSDIR/nsExec.dll
Resource
win7-20240508-en
Behavioral task
behavioral12
Sample
$PLUGINSDIR/nsExec.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
$PROGRAMFILES/Ferr/SEDA/TAP-Windows/bin/addtap.bat
Resource
win7-20240215-en
Behavioral task
behavioral14
Sample
$PROGRAMFILES/Ferr/SEDA/TAP-Windows/bin/addtap.bat
Resource
win10v2004-20240426-en
Behavioral task
behavioral15
Sample
$PROGRAMFILES/Ferr/SEDA/TAP-Windows/bin/deltapall.bat
Resource
win7-20240419-en
Behavioral task
behavioral16
Sample
$PROGRAMFILES/Ferr/SEDA/TAP-Windows/bin/deltapall.bat
Resource
win10v2004-20240426-en
Behavioral task
behavioral17
Sample
$PROGRAMFILES/Ferr/SEDA/TAP-Windows/bin/devcon.exe
Resource
win7-20240508-en
Behavioral task
behavioral18
Sample
$PROGRAMFILES/Ferr/SEDA/TAP-Windows/bin/devcon.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral19
Sample
$PROGRAMFILES/Ferr/SEDA/TAP-Windows/bin/tapinstall.exe
Resource
win7-20240221-en
Behavioral task
behavioral20
Sample
$PROGRAMFILES/Ferr/SEDA/TAP-Windows/bin/tapinstall.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral21
Sample
$PROGRAMFILES/Ferr/SEDA/TAP-Windows/driver/tap0901.sys
Resource
win7-20240221-en
Behavioral task
behavioral22
Sample
$PROGRAMFILES/Ferr/SEDA/TAP-Windows/driver/tap0901.sys
Resource
win10v2004-20240426-en
Behavioral task
behavioral23
Sample
Setup.exe
Resource
win7-20240508-en
Behavioral task
behavioral24
Sample
Setup.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral25
Sample
Setupres.exe
Resource
win7-20240221-en
Behavioral task
behavioral26
Sample
Setupres.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral27
Sample
ipras.vbs
Resource
win7-20231129-en
Behavioral task
behavioral28
Sample
ipras.vbs
Resource
win10v2004-20240508-en
Behavioral task
behavioral29
Sample
ssleay32.dll
Resource
win7-20240215-en
Behavioral task
behavioral30
Sample
ssleay32.dll
Resource
win10v2004-20240508-en
Malware Config
Extracted
cryptbot
biss01.info
Targets
-
-
Target
79d775433be505a57ae175f5e6f427af_JaffaCakes118
-
Size
4.5MB
-
MD5
79d775433be505a57ae175f5e6f427af
-
SHA1
32b9ac8255c3076841e658eabe581586ecdd8c8b
-
SHA256
b7683441e42f706642877d1a92c5307d223b1e6195d463f1ad9332e7e6ac5a91
-
SHA512
2c74529531c163ba9f768bf9aae97464aa5ddf2935c4085eb80d372a4e15d853bdfa46fc616b7b9b2e30730f4a484dfe3ba8b64188a3921faca589ffd379e7f7
-
SSDEEP
98304:GAUlwbKKobLmzt3iOah1NBR595arTOLQZsxpzYazTd9e:GjCzViOSNL590r6Lys/zYuO
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Blocklisted process makes network request
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
$PLUGINSDIR/System.dll
-
Size
11KB
-
MD5
bf712f32249029466fa86756f5546950
-
SHA1
75ac4dc4808ac148ddd78f6b89a51afbd4091c2e
-
SHA256
7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af
-
SHA512
13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4
-
SSDEEP
192:0N2gQuUwXzioj4KALV2upWzVd7q1QDXEbBZ8KxHdGzyS/Kx:rJoiO8V2upW7vQjS/
Score3/10 -
-
-
Target
$PLUGINSDIR/UAC.dll
-
Size
14KB
-
MD5
adb29e6b186daa765dc750128649b63d
-
SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9
-
SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
-
SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada
-
SSDEEP
192:DiF6v2imI36Op/tGZGfWxdyWHD0I53vLl7WVl8e04IpDlPjs:DGVY6ClGoWxXH75T1WVl83lLs
Score3/10 -
-
-
Target
$PLUGINSDIR/UserInfo.dll
-
Size
4KB
-
MD5
c7ce0e47c83525983fd2c4c9566b4aad
-
SHA1
38b7ad7bb32ffae35540fce373b8a671878dc54e
-
SHA256
6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae
-
SHA512
ee9f23ea5210f418d4c559628bbfb3a0f892440bcd5dc4c1901cb8e510078e4481ea8353b262795076a19055e70b88e08fee5fb7e8f35a6f49022096408df20e
Score3/10 -
-
-
Target
$PLUGINSDIR/nsDialogs.dll
-
Size
9KB
-
MD5
4ccc4a742d4423f2f0ed744fd9c81f63
-
SHA1
704f00a1acc327fd879cf75fc90d0b8f927c36bc
-
SHA256
416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6
-
SHA512
790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb
-
SSDEEP
192:SbEunjqjIcESwFlioU3M0LLF/t8t9pKSfOi:SbESjFCw6oWPFl8jfOi
Score3/10 -
-
-
Target
$PLUGINSDIR/nsExec.dll
-
Size
6KB
-
MD5
132e6153717a7f9710dcea4536f364cd
-
SHA1
e39bc82c7602e6dd0797115c2bd12e872a5fb2ab
-
SHA256
d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2
-
SHA512
9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1
-
SSDEEP
96:M/SspqrIYxLPEQhThvov3TE4/2Sa5P9QFFYzOx4uF3sbSEI5LP39sQvM:M/QUG7lhvov36S5FcUjliSEI5LuQ
Score3/10 -
-
-
Target
$PROGRAMFILES/Ferr/SEDA/TAP-Windows/bin/addtap.bat
-
Size
114B
-
MD5
ebb2c28da7de8436995509782ac63c4c
-
SHA1
7d693538baa80ce6938f0400bdc16f9b035baee9
-
SHA256
effe5c5c2cf6547a54f987fef6f052a234770b4fcfae277cf6089daa896bcd5f
-
SHA512
021098b1d9f4b987b85be073bc1a6a7ee3336c88d54770d64fc77b74ca74ec459f89fbd65a6fba3efa4f6da7cc852784e9ea391189831f565d64e65a437fc7f5
Score1/10 -
-
-
Target
$PROGRAMFILES/Ferr/SEDA/TAP-Windows/bin/deltapall.bat
-
Size
177B
-
MD5
70850be8dc81d8f8c36da0e754df0a46
-
SHA1
fe7766e67239e26f6cee866cb9a93341e33f0e4d
-
SHA256
1be66390df9e302b38553432731a244e65f745d31e6424c88091326fb3ea92d7
-
SHA512
f15a3ce91ceb663a0369054e06647471591ba54ed40e0f6dd549069a0c4e30aefd590c9a18a90d80d35af4fcd45e49d89a259606cf7ee23fa976c61f88a0066b
Score1/10 -
-
-
Target
$PROGRAMFILES/Ferr/SEDA/TAP-Windows/bin/devcon.exe
-
Size
80KB
-
MD5
3904d0698962e09da946046020cbcb17
-
SHA1
edae098e7e8452ca6c125cf6362dda3f4d78f0ae
-
SHA256
a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289
-
SHA512
c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea
-
SSDEEP
1536:MP2K0pa0WfEYp9Y/XQhpgnbP212YCJpDhiF4O7W:MePOYe4bu1epDh8RW
Score1/10 -
-
-
Target
$PROGRAMFILES/Ferr/SEDA/TAP-Windows/bin/tapinstall.exe
-
Size
85KB
-
MD5
bc2eb9be84d65e600bb4baebfc0d6c74
-
SHA1
dffa04b9399b8742e1536c5942b43df58a42980a
-
SHA256
5c6aae8c345e5eda7185cabafcf9270ef3d73f198290842654d8916f8321b150
-
SHA512
ae382b3aac40e17f5daa4d952d85656d29791f857a97de91197c85049e31cef924723875c6616f598696445bea967788c89cfdb7cd35ed772bce3d6a1fd71e7b
-
SSDEEP
768:AeFpBuMKzLkfKI4hHZv4zS5bhkt4JlX82BSOe9oKSJ2SLD0BEZWk3zoMrrKgp:TBuMN4VFESvkt4nXF4O7WcBvT
Score1/10 -
-
-
Target
$PROGRAMFILES/Ferr/SEDA/TAP-Windows/driver/tap0901.sys
-
Size
22KB
-
MD5
f49967c396969b71c3a72537db03a68b
-
SHA1
f59d3a5d2afd85fbb9fb36f1411c767be2bf96cf
-
SHA256
3b1ff5252012d6e8a7dd6e4621ec43812510dca1a25a9a2e07288800f445dd41
-
SHA512
cda4269b5a13e573469b3e3a75432117079c65279e06322519af704a80862e43bceb4cc9d6352dd19db00bb10d10f64b02eee6c5dc29f56fa5f99c89823a62e3
-
SSDEEP
384:NumNz7O8/AvUAvm/wMWJ4pdsfH1aJhjJvjiissrisprwEYBu:QmNxAYB9zKal75pwZBu
Score1/10 -
-
-
Target
Setup.exe
-
Size
2.2MB
-
MD5
b5861c96767caed4fce1473ac338d1bf
-
SHA1
c9575e657706a01a28aa63943f39018377a5dfe1
-
SHA256
883ecab1d18c6e8153b56541df2df4980a27f5faa93ba2b42ff1dd14a8f4c161
-
SHA512
388bb192a27442c80f0ece67ef5e43ec6e148e24aa4634a524d3e7ec3cbd78b11bd4a200d76610168efd52711af8e3d6b2773088f09630843d9cfd6a02ab2240
-
SSDEEP
49152:IYgNe1kDmRGkWDDWaBZmnr+KHhhg9EKDYhKk:IHahRGh7ZmxHhNKDYhKk
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
Setupres.exe
-
Size
2.1MB
-
MD5
c9638374b6732d9756d9a6ae50061747
-
SHA1
7952f8225a6cf692ce226bfaf8112260e4ac2b71
-
SHA256
34d2e90229c1c3c41b931bb65ea015f023744543d915dcfeffe2328e32c27e8e
-
SHA512
428d4977300ba3f95905f655a93aaad89145e8c09a96491ad8142be18a6802294e735f9b3fe04845c5c80a3997275203d3a5861fc7e4cc185fb8eae19b2a0ffa
-
SSDEEP
49152:aVoRLzxlaVuzaroTCjia+Hii9UNbqL2JTVWAcuoli:aWR/aczaroeE9785WZzg
Score9/10-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Identifies Wine through registry keys
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
ipras.vbs
-
Size
126B
-
MD5
b802ff9244875f69db2fae0f78e92b10
-
SHA1
49385a89cd575894a29fbda969b99cc1f5cf8076
-
SHA256
a1b0cb16fb2ecd66fccf156024404801ad694056e8a596326c1b27b57d8eabe8
-
SHA512
609856415a7ae2b3e260f945f1c8a8d2a28884c202d37181bea948708918f24b42ae03f17dba1520fddc91b2f7a182b0b8f885f33ea6f81bb3ee4c72e4e9350e
Score8/10-
Blocklisted process makes network request
-
Legitimate hosting services abused for malware hosting/C2
-
-
-
Target
ssleay32.dll
-
Size
370KB
-
MD5
50a26f0247c1321fd19c0981337fbde8
-
SHA1
9cdd51843bd7694da571e0a6cd7350aa494f9ac3
-
SHA256
24235653e41540567bca708e0d5ef02034f88940eeedcd480167a00dd1250656
-
SHA512
440cf92524e21e9dc1d92f45a8fbd566f0eeec597e0f52a235847879bdd4806ac219b592aaec9976620082b2d8d5690d432e1a45b0df035b18404453530855d9
-
SSDEEP
6144:AlvshwnbLc7xRpLIOmvsD4gZAEMM06I5sF51L103WiV8JV+OPG/JVNr5qNRyZtrA:Al0LuEMM06IGF5UmiqJpPOp/cVmXEfcc
Score1/10 -