Analysis
-
max time kernel
145s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64 arch:x86 image:win7-20240215-en locale:en-us os:windows7-x64 system
-
submitted
29-05-2024 07:21
Static task
static1
Behavioral task
behavioral1
Sample
7feaba431a42a40cb1e8587456b904db_JaffaCakes118.exe
Resource
win7-20240215-en
General
-
Target
7feaba431a42a40cb1e8587456b904db_JaffaCakes118.exe
-
Size
2.1MB
-
MD5
7feaba431a42a40cb1e8587456b904db
-
SHA1
d8b91ad566fd2779895d188c8b9b8f2d48e898f1
-
SHA256
687b6bd075c80985f5e38c24da153e1aeaf53afa2643eb5d0d00c936f6591c85
-
SHA512
abff85eeb883c6cd5a038294c019fa3961751d55090cc59f076bfc6946f73713842da5f62bc951f199a6275cf9ed9a3a0eff564b60db47f91a56693bf32d9279
-
SSDEEP
49152:qIOygdzOYVih2MT3YeWRSFzN6Yr0yCSZL:qI2zTMoPeN3Cq
Malware Config
Extracted
cryptbot
bibinene03.top
moraass05.top
Signatures
-
CryptBot payload 22 IoCs
Processes:
resource  yara_rule
behavioral1/memory/1728-8-0x0000000000060000-0x0000000000575000-memory.dmp  family_cryptbot
behavioral1/memory/1728-9-0x0000000000060000-0x0000000000575000-memory.dmp  family_cryptbot
behavioral1/memory/1728-118-0x0000000000060000-0x0000000000575000-memory.dmp  family_cryptbot
behavioral1/memory/1728-227-0x0000000000060000-0x0000000000575000-memory.dmp  family_cryptbot
behavioral1/memory/1728-229-0x0000000000060000-0x0000000000575000-memory.dmp  family_cryptbot
behavioral1/memory/1728-230-0x0000000000060000-0x0000000000575000-memory.dmp  family_cryptbot
behavioral1/memory/1728-232-0x0000000000060000-0x0000000000575000-memory.dmp  family_cryptbot
behavioral1/memory/1728-233-0x0000000000060000-0x0000000000575000-memory.dmp  family_cryptbot
behavioral1/memory/1728-234-0x0000000000060000-0x0000000000575000-memory.dmp  family_cryptbot
behavioral1/memory/1728-235-0x0000000000060000-0x0000000000575000-memory.dmp  family_cryptbot
behavioral1/memory/1728-237-0x0000000000060000-0x0000000000575000-memory.dmp  family_cryptbot
behavioral1/memory/1728-240-0x0000000000060000-0x0000000000575000-memory.dmp  family_cryptbot
behavioral1/memory/1728-242-0x0000000000060000-0x0000000000575000-memory.dmp  family_cryptbot
behavioral1/memory/1728-245-0x0000000000060000-0x0000000000575000-memory.dmp  family_cryptbot
behavioral1/memory/1728-247-0x0000000000060000-0x0000000000575000-memory.dmp  family_cryptbot
behavioral1/memory/1728-249-0x0000000000060000-0x0000000000575000-memory.dmp  family_cryptbot
behavioral1/memory/1728-251-0x0000000000060000-0x0000000000575000-memory.dmp  family_cryptbot
behavioral1/memory/1728-254-0x0000000000060000-0x0000000000575000-memory.dmp  family_cryptbot
behavioral1/memory/1728-256-0x0000000000060000-0x0000000000575000-memory.dmp  family_cryptbot
behavioral1/memory/1728-259-0x0000000000060000-0x0000000000575000-memory.dmp  family_cryptbot
behavioral1/memory/1728-261-0x0000000000060000-0x0000000000575000-memory.dmp  family_cryptbot
behavioral1/memory/1728-263-0x0000000000060000-0x0000000000575000-memory.dmp  family_cryptbot
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
7feaba431a42a40cb1e8587456b904db_JaffaCakes118.exe
description: Key opened
ioc: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
process: 7feaba431a42a40cb1e8587456b904db_JaffaCakes118.exe
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
7feaba431a42a40cb1e8587456b904db_JaffaCakes118.exe
description: Key value queried
ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
process: 7feaba431a42a40cb1e8587456b904db_JaffaCakes118.exe
description: Key value queried
ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
process: 7feaba431a42a40cb1e8587456b904db_JaffaCakes118.exe
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
7feaba431a42a40cb1e8587456b904db_JaffaCakes118.exe
description: Key opened
ioc: \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Wine
process: 7feaba431a42a40cb1e8587456b904db_JaffaCakes118.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and other profile data.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Calling NtSetInformationThread with the ThreadHideFromDebugger information class stops debug events from that thread being delivered to an attached debugger; it is a common anti-debugging technique.
Processes:
7feaba431a42a40cb1e8587456b904db_JaffaCakes118.exe
pid: 1728
process: 7feaba431a42a40cb1e8587456b904db_JaffaCakes118.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
7feaba431a42a40cb1e8587456b904db_JaffaCakes118.exe
description: Key opened
ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
process: 7feaba431a42a40cb1e8587456b904db_JaffaCakes118.exe
description: Key value queried
ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
process: 7feaba431a42a40cb1e8587456b904db_JaffaCakes118.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
7feaba431a42a40cb1e8587456b904db_JaffaCakes118.exe
pid: 1728
process: 7feaba431a42a40cb1e8587456b904db_JaffaCakes118.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
7feaba431a42a40cb1e8587456b904db_JaffaCakes118.exe
pid: 1728
process: 7feaba431a42a40cb1e8587456b904db_JaffaCakes118.exe
pid: 1728
process: 7feaba431a42a40cb1e8587456b904db_JaffaCakes118.exe
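Detection logic for the registry-based anti-VM and anti-sandbox checks in the signatures above (the VirtualBox ACPI table key, the BIOS version strings, the Wine key and the processor information key). This is an added example, not part of the sandbox report or its rule set. The event line format and the two pids are constructed to mirror the report's IoCs rather than captured telemetry, and the FADT/RSDT ACPI locations are a generalisation beyond the DSDT key this report shows; VirtualBox guests expose VBOX__ under those tables too.

```python
import re
from collections import defaultdict

# Registry locations touched by the sample's sandbox/VM checks (from the
# report's IoCs). Assumption: VBOX__ is also matched under FADT and RSDT,
# which VirtualBox guests expose alongside DSDT.
ANTI_ANALYSIS_PATTERNS = [
    ("vbox_acpi", re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__$", re.I)),
    ("bios_info", re.compile(r"\\HARDWARE\\DESCRIPTION\\SYSTEM\\(SYSTEM|VIDEO)BIOSVERSION$", re.I)),
    ("wine", re.compile(r"\\SOFTWARE\\WINE$", re.I)),
    ("cpu_info", re.compile(r"\\CENTRALPROCESSOR\\0(\\PROCESSORNAMESTRING)?$", re.I)),
]

# Constructed event schema (not a real telemetry format): pid, operation, key path.
EVENT_RE = re.compile(r"^pid=(?P<pid>\d+)\s+op=(?P<op>\S+)\s+key=(?P<key>\S+)$")

# Constructed events: pid 1728 replays the report's IoCs; pid 804 is a benign
# process that only reads the processor name, which many installers do.
SAMPLE_EVENTS = r"""
pid=1728 op=key_opened key=\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
pid=1728 op=value_queried key=\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
pid=1728 op=value_queried key=\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
pid=1728 op=key_opened key=\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Wine
pid=1728 op=key_opened key=\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
pid=1728 op=value_queried key=\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
pid=804 op=value_queried key=\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
pid=804 op=key_opened key=\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"""


def classify(key_path):
    """Return the anti-analysis category a registry path belongs to, or None."""
    for name, pattern in ANTI_ANALYSIS_PATTERNS:
        if pattern.search(key_path):
            return name
    return None


def parse_events(text):
    """Yield (pid, operation, key) tuples; lines that do not fit the schema are skipped."""
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            yield int(m["pid"]), m["op"], m["key"]


def flag_processes(text, min_categories=3):
    """Map pid -> sorted categories for processes that hit at least
    min_categories distinct anti-analysis checks. A single category (for
    example one CPU name lookup) is not enough to flag a process."""
    seen = defaultdict(set)
    for pid, _op, key in parse_events(text):
        category = classify(key)
        if category:
            seen[pid].add(category)
    return {pid: sorted(cats) for pid, cats in seen.items() if len(cats) >= min_categories}


if __name__ == "__main__":
    for pid, cats in flag_processes(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {len(cats)} distinct anti-analysis checks: {', '.join(cats)}")
```

Reading CentralProcessor\0 or the BIOS strings on its own is common for legitimate software, so the detector counts distinct check categories per process rather than alerting on any single key; with the constructed events only pid 1728 crosses the threshold, while pid 804 does not.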
Processes
-
C:\Users\Admin\AppData\Local\Temp\7feaba431a42a40cb1e8587456b904db_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7feaba431a42a40cb1e8587456b904db_JaffaCakes118.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\nuCoKigpK\4QOr2lyDXuV.zip
Filesize
35KB
MD5
857a66c39243ea44c71e472369dace94
SHA1
fae60b70bc89e5300471659deb5f9224e7b90a8f
SHA256
094ab2df24a7fb3b5d63993eb9a6183c4beaa9cd8999cc14be1b22064a355150
SHA512
3cbd2dbc574ec2b44d922ebcf176d87d3d58c896349191c3088a2474b6f5599bb6fce0707f2d21cd7657a82ce91fc0a746213f4fb6b247756ac7e7af83e7c81b
-
C:\Users\Admin\AppData\Local\Temp\nuCoKigpK\_Files\_Information.txt
Filesize
8KB
MD5
2e77c68c1db41a54a23f5d8ec8b5c62e
SHA1
aca1f0bd86b84cd4b01b1034b6bedb1def19a707
SHA256
7e8675784bcd40d9691991639a1bd70d30d7c1f144397e0fde262d009fddcf39
SHA512
2d5b2c64d301be47a11e7d8ef69167e4c57653e85078eadbbd61977c630731d81ec292bca151db06a464c6c0a72686d377867cf1bee5942749d96911fb4abf4d
-
C:\Users\Admin\AppData\Local\Temp\nuCoKigpK\_Files\_Screen_Desktop.jpeg
Filesize
42KB
MD5
0fb15b9f007ed88c4bcf4590f3a5ddd0
SHA1
d14d83e04e45690a4b13c9c307860b26aca8fc58
SHA256
c85700cd9cb57c575d03bb9d2d4d0ccf226c8b1431b3b50726b78a5b85a74765
SHA512
efff4c9df6781e94e61058a9292cc6612a8ca35771319a4378c6deb21436594d61d749e75afa414048f081140f51dfa55d22a9204b77ad73fa6e3ece6583e7c1
-
C:\Users\Admin\AppData\Local\Temp\nuCoKigpK\files_\system_info.txt
Filesize
1KB
MD5
b37dd4879f43616fe2be730eda0b5d42
SHA1
f3245fedcbe2689d7d3b276cd406600000f53262
SHA256
5469f40d31fd2f4557976479c58c501e598e4c28f9d334dd68f817606f5cf6e3
SHA512
7d4acf339b00f35ccb644baea17eda8fca5ec8a82465b70a4b46cd8c86442a8d704d129f4f43a3d59c9dd239937247dc9e0edebfae218ed0c0f20bc10bb73181
-
C:\Users\Admin\AppData\Local\Temp\nuCoKigpK\files_\system_info.txt
Filesize
2KB
MD5
7d92220950b781f057620f3248b60b9c
SHA1
0de05b4ed412b0ce054f07b234f0fd9e31fef0d8
SHA256
cc011cf3c6b0842158d8018f5c8e15c69534e8b6726b742976c1234462a663a4
SHA512
223207b9114e07a1252e9f24cc49fde898d8ce37b314f86d763c4ef3001f99760cae20fb7c0940e8de2de656674a43546180167d731a2515e747717da40fea2e
-
C:\Users\Admin\AppData\Local\Temp\nuCoKigpK\files_\system_info.txt
Filesize
3KB
MD5
a6d48598cc52a33bafbba488db4009a1
SHA1
0065e90692ec6489d12a868a4705507fbeca99a3
SHA256
dc377c137c0fbf2af91817de8dd2ded131d0205ab3045c252de9ce127d00f7f1
SHA512
9550b23d8bbd37ea66ae7891ef5df53862930aa5c287e5d22986a4216b9b72cfd55ee78bd76dc57887ce98487fe8423a5ef7faaceafec18c479b6341bbe57b31
-
C:\Users\Admin\AppData\Local\Temp\nuCoKigpK\files_\system_info.txt
Filesize
3KB
MD5
fa8719e6cd18befbd4d1edfda398e1fb
SHA1
0ba7d69b8557064e4f94a2038fbf9d66db90bba6
SHA256
60eaf6924fce45ca8ef2b1058354e7e56e80e5ab3b9e146c62c48db2b9dec5f4
SHA512
0d696e08f441dc998a6c124f90cae8b91eabac2a4c01260d214bb8987b4e3722cbafa77ae01467f3ae302af3f0768ada4ae1d37b6e9e2a5264aa631d2981c383
-
C:\Users\Admin\AppData\Local\Temp\nuCoKigpK\files_\system_info.txt
Filesize
4KB
MD5
fb2519fccb151138eebbb92bb68c2511
SHA1
ceb9d263ec0f25575df20e66e892112326d14726
SHA256
37d74797706709df762375a08fb036a3f73b143c42b9cb20631ef314071edf2f
SHA512
a75bbe7e77b2a0afedad97e304a7b708402865ef05c22e596211228ac91a811aa5092e13c426e1de6dd9df2a78c7e3d9f03e5991b8653d1928f16dc53fd87f6c
-
memory/1728-227-0x0000000000060000-0x0000000000575000-memory.dmp
Filesize
5.1MB
-
memory/1728-234-0x0000000000060000-0x0000000000575000-memory.dmp
Filesize
5.1MB
-
memory/1728-8-0x0000000000060000-0x0000000000575000-memory.dmp
Filesize
5.1MB
-
memory/1728-118-0x0000000000060000-0x0000000000575000-memory.dmp
Filesize
5.1MB
-
memory/1728-2-0x0000000000B80000-0x0000000000B81000-memory.dmp
Filesize
4KB
-
memory/1728-3-0x0000000000B90000-0x0000000000B91000-memory.dmp
Filesize
4KB
-
memory/1728-4-0x00000000027A0000-0x00000000027A1000-memory.dmp
Filesize
4KB
-
memory/1728-5-0x00000000028D0000-0x00000000028D1000-memory.dmp
Filesize
4KB
-
memory/1728-6-0x0000000002520000-0x0000000002521000-memory.dmp
Filesize
4KB
-
memory/1728-7-0x0000000000061000-0x00000000000BC000-memory.dmp
Filesize
364KB
-
memory/1728-0-0x0000000000060000-0x0000000000575000-memory.dmp
Filesize
5.1MB
-
memory/1728-229-0x0000000000060000-0x0000000000575000-memory.dmp
Filesize
5.1MB
-
memory/1728-230-0x0000000000060000-0x0000000000575000-memory.dmp
Filesize
5.1MB
-
memory/1728-232-0x0000000000060000-0x0000000000575000-memory.dmp
Filesize
5.1MB
-
memory/1728-233-0x0000000000060000-0x0000000000575000-memory.dmp
Filesize
5.1MB
-
memory/1728-9-0x0000000000060000-0x0000000000575000-memory.dmp
Filesize
5.1MB
-
memory/1728-235-0x0000000000060000-0x0000000000575000-memory.dmp
Filesize
5.1MB
-
memory/1728-1-0x0000000077820000-0x0000000077822000-memory.dmp
Filesize
8KB
-
memory/1728-237-0x0000000000060000-0x0000000000575000-memory.dmp
Filesize
5.1MB
-
memory/1728-240-0x0000000000060000-0x0000000000575000-memory.dmp
Filesize
5.1MB
-
memory/1728-242-0x0000000000060000-0x0000000000575000-memory.dmp
Filesize
5.1MB
-
memory/1728-245-0x0000000000060000-0x0000000000575000-memory.dmp
Filesize
5.1MB
-
memory/1728-247-0x0000000000060000-0x0000000000575000-memory.dmp
Filesize
5.1MB
-
memory/1728-249-0x0000000000060000-0x0000000000575000-memory.dmp
Filesize
5.1MB
-
memory/1728-251-0x0000000000060000-0x0000000000575000-memory.dmp
Filesize
5.1MB
-
memory/1728-254-0x0000000000060000-0x0000000000575000-memory.dmp
Filesize
5.1MB
-
memory/1728-256-0x0000000000060000-0x0000000000575000-memory.dmp
Filesize
5.1MB
-
memory/1728-259-0x0000000000060000-0x0000000000575000-memory.dmp
Filesize
5.1MB
-
memory/1728-261-0x0000000000060000-0x0000000000575000-memory.dmp
Filesize
5.1MB
-
memory/1728-263-0x0000000000060000-0x0000000000575000-memory.dmp
Filesize
5.1MB
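The dropped files listed in the Downloads section show the staging layout the sample builds before exfiltration: one randomly named directory under %TEMP% (nuCoKigpK here) holding _Files\_Information.txt, _Files\_Screen_Desktop.jpeg, a repeatedly rewritten files_\system_info.txt and a .zip archive in the directory root. The detector below is an added example, not part of the sandbox report: it groups file events by that random directory and reports the directory only once the whole marker set plus an archive has appeared. The event schema, the second (benign) Temp directory and the pids are constructed for the example.

```python
import re
from collections import defaultdict

# Relative paths the sample drops under one random %TEMP% directory, taken
# from the report's Downloads section. All of them plus a root-level .zip must
# be seen before a directory is reported as a staging area.
STAGING_MARKERS = {
    r"_Files\_Information.txt",
    r"_Files\_Screen_Desktop.jpeg",
    r"files_\system_info.txt",
}

# <drive>:\Users\<user>\AppData\Local\Temp\<stage dir>\<relative path>
TEMP_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\([^\\]+)\\(.+)$", re.I
)

# Constructed event schema (not a real telemetry format): pid, file operation, path.
EVENT_RE = re.compile(r"^pid=(?P<pid>\d+)\s+op=file_(?P<op>\w+)\s+path=(?P<path>.+)$")

# Constructed events: pid 1728 replays the report's dropped files (including
# the rewrites of system_info.txt); pid 2412 is an assumed installer that also
# unpacks into Temp but never produces the full marker set.
SAMPLE_EVENTS = r"""
pid=1728 op=file_created path=C:\Users\Admin\AppData\Local\Temp\nuCoKigpK\files_\system_info.txt
pid=1728 op=file_written path=C:\Users\Admin\AppData\Local\Temp\nuCoKigpK\files_\system_info.txt
pid=1728 op=file_written path=C:\Users\Admin\AppData\Local\Temp\nuCoKigpK\files_\system_info.txt
pid=1728 op=file_created path=C:\Users\Admin\AppData\Local\Temp\nuCoKigpK\_Files\_Information.txt
pid=1728 op=file_created path=C:\Users\Admin\AppData\Local\Temp\nuCoKigpK\_Files\_Screen_Desktop.jpeg
pid=1728 op=file_created path=C:\Users\Admin\AppData\Local\Temp\nuCoKigpK\4QOr2lyDXuV.zip
pid=2412 op=file_created path=C:\Users\Admin\AppData\Local\Temp\Setup_7x\package.zip
pid=2412 op=file_created path=C:\Users\Admin\AppData\Local\Temp\Setup_7x\files_\system_info.txt
"""


def split_staging_path(path):
    """Return (stage_dir, relative_path) for a path under %TEMP%\\<dir>\\..., else None."""
    m = TEMP_RE.match(path)
    return (m.group(1), m.group(2)) if m else None


def find_staging_dirs(text):
    """Map stage directory -> pids, markers and archives for every Temp
    directory in which the complete CryptBot-style layout and a root-level
    .zip have been observed."""
    dirs = defaultdict(lambda: {"pids": set(), "markers": set(), "archives": set()})
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        parts = split_staging_path(m["path"])
        if not parts:
            continue
        stage_dir, rel = parts
        entry = dirs[stage_dir]
        if rel in STAGING_MARKERS:
            entry["markers"].add(rel)
            entry["pids"].add(int(m["pid"]))
        elif "\\" not in rel and rel.lower().endswith(".zip"):
            # Archive sitting directly in the stage directory root.
            entry["archives"].add(rel)
            entry["pids"].add(int(m["pid"]))
    return {
        stage_dir: {
            "pids": sorted(e["pids"]),
            "markers": sorted(e["markers"]),
            "archives": sorted(e["archives"]),
        }
        for stage_dir, e in dirs.items()
        if e["markers"] == STAGING_MARKERS and e["archives"]
    }


if __name__ == "__main__":
    for stage_dir, info in find_staging_dirs(SAMPLE_EVENTS).items():
        print(f"staging directory {stage_dir}: pids {info['pids']}, archives {info['archives']}")
```

Requiring the full marker set keeps an ordinary installer that unpacks a .zip into Temp (pid 2412 in the constructed events) from matching; the repeated writes to system_info.txt collapse into a single marker, mirroring the five size variants the report lists for that file.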