Overview

overview

10

Static

static

3

7feaba431a...18.exe

windows7-x64

10

7feaba431a...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-05-2024 07:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7feaba431a42a40cb1e8587456b904db_JaffaCakes118.exe

  • Size

    2.1MB

  • MD5

    7feaba431a42a40cb1e8587456b904db

  • SHA1

    d8b91ad566fd2779895d188c8b9b8f2d48e898f1

  • SHA256

    687b6bd075c80985f5e38c24da153e1aeaf53afa2643eb5d0d00c936f6591c85

  • SHA512

    abff85eeb883c6cd5a038294c019fa3961751d55090cc59f076bfc6946f73713842da5f62bc951f199a6275cf9ed9a3a0eff564b60db47f91a56693bf32d9279

  • SSDEEP

    49152:qIOygdzOYVih2MT3YeWRSFzN6Yr0yCSZL:qI2zTMoPeN3Cq

Score
10/10
cryptbotdiscoveryevasionspywarestealer

Malware Config

Extracted

Family

cryptbot

C2

bibinene03.top

moraass05.top

Signatures

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • CryptBot payload 20 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7feaba431a42a40cb1e8587456b904db_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\7feaba431a42a40cb1e8587456b904db_JaffaCakes118.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    PID:3476

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

5
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\AxIDSrrh\AVabaS8GMXuK.zip
    Filesize

    43KB

    MD5

    60a2f3ef4aa0a610018edfc1d3690fed

    SHA1

    e0ca9fe8e48a4cf131ec5ef1c8fb2637d9c4dca7

    SHA256

    0a8e45f7e0522ca289b03652f27e46132f4e1531e8f9fcec2347a237af4bb818

    SHA512

    26e9eab350e28219b66d99378803c2f84508b902e1398526012fdd2b604a0c3a34ada1d10c3e6c9e42d2b7afc44cf0365fd97bbe4cf24d84724f089c37dc07b5

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\AxIDSrrh\_Files\_Information.txt
    Filesize

    7KB

    MD5

    682865b33b7cb17c11af448c83e80618

    SHA1

    dd17e1f147b523d795088e044eadd1182f44d422

    SHA256

    738f715b6e3252d29ca8bae3af639379cac6b91d216eab137cd8c69071c0b6e6

    SHA512

    676205e3dffff553f4cf86fd770d6b3d20d3b25e7ce8d9a1370b11a8ddc8192912de4288cffc743f9f77c792fcaa6c16fb5defde7c39676b2c320933d90e8ab2

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\AxIDSrrh\_Files\_Screen_Desktop.jpeg
    Filesize

    49KB

    MD5

    d3734f7a7265431684610a48c1d53e0d

    SHA1

    88b39deab6eabfe9500fa2e73681c0b1b25e4420

    SHA256

    9cd8de46d0bb17841fdbec6ae754feba75367e614b0616e3bb9f70f5b55346cd

    SHA512

    6d7da7f2663a271fedd91fd934125cfa5520f79aa66f9450d7e639af68138c8caccef496a0c542449ca7d194aa6e4c2bdaa10fab48809ae374760afb76fed964

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\AxIDSrrh\dYgLi5nq6E.zip
    Filesize

    43KB

    MD5

    b3f89734da6b2c7ce6672b2598548b0f

    SHA1

    afee3340def46b31b887b0709509b14d4d6d2169

    SHA256

    a36f2db2813324497efa1d6352fed1243f2ab9c1db065be4bbf34ea46e101e98

    SHA512

    cee14d6f72ea1dfa6dc033301dde80643cc2581cb12f7e62fb7ffcbfe73d4fa7f1e4de442dc93447a97eaf92b65e121540e806f18188614db5a024380eba7b75

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\AxIDSrrh\files_\system_info.txt
    Filesize

    1KB

    MD5

    c4db2c1fb64b75c2eb2b41b8dc9f995f

    SHA1

    f5c20c08166f2e624b358e83be4c2c77d5d1e4a7

    SHA256

    48e7cc0052ec20c38fd6707b1b90db235ff0b9d0f8e89a1e54739d0cab9338ab

    SHA512

    4000373bd676bf68e67e91c8859fd64b53554ff93fa750fe3de265311ef223d039d21fd9d11174352820f9e9fc9287248b04cca7130e596b207d4d40c46b804c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\AxIDSrrh\files_\system_info.txt
    Filesize

    7KB

    MD5

    2958407f92968583409b1dd1a1e4f2a8

    SHA1

    95b3c6d36211daedb082479732b39a4854461ada

    SHA256

    1e278d96e9befc7231a56c9430f1749c6dc0396a4fccf71f634baac7950a0a38

    SHA512

    4a6ec7a48c8c30cd1d09b3516481f9f75761536b042cf3d51043407f25e8b42a78d0ba8238ca292690f2e56075f1c06ae9c67945bfed1aa2229dbacbcfbf7b35

    Download Submit
  • memory/3476-8-0x0000000000A40000-0x0000000000F55000-memory.dmp
    Filesize

    5.1MB

    Download
  • memory/3476-231-0x0000000000A40000-0x0000000000F55000-memory.dmp
    Filesize

    5.1MB

    Download
  • memory/3476-0-0x0000000000A40000-0x0000000000F55000-memory.dmp
    Filesize

    5.1MB

    Download
  • memory/3476-6-0x0000000000A41000-0x0000000000A9C000-memory.dmp
    Filesize

    364KB

    Download
  • memory/3476-4-0x0000000004C50000-0x0000000004C51000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3476-116-0x0000000000A40000-0x0000000000F55000-memory.dmp
    Filesize

    5.1MB

    Download
  • memory/3476-5-0x0000000004C40000-0x0000000004C41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3476-2-0x0000000004C20000-0x0000000004C21000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3476-224-0x0000000000A40000-0x0000000000F55000-memory.dmp
    Filesize

    5.1MB

    Download
  • memory/3476-226-0x0000000000A40000-0x0000000000F55000-memory.dmp
    Filesize

    5.1MB

    Download
  • memory/3476-3-0x0000000004C30000-0x0000000004C31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3476-228-0x0000000000A40000-0x0000000000F55000-memory.dmp
    Filesize

    5.1MB

    Download
  • memory/3476-229-0x0000000000A40000-0x0000000000F55000-memory.dmp
    Filesize

    5.1MB

    Download
  • memory/3476-7-0x0000000000A40000-0x0000000000F55000-memory.dmp
    Filesize

    5.1MB

    Download
  • memory/3476-233-0x0000000000A40000-0x0000000000F55000-memory.dmp
    Filesize

    5.1MB

    Download
  • memory/3476-236-0x0000000000A40000-0x0000000000F55000-memory.dmp
    Filesize

    5.1MB

    Download
  • memory/3476-238-0x0000000000A40000-0x0000000000F55000-memory.dmp
    Filesize

    5.1MB

    Download
  • memory/3476-241-0x0000000000A40000-0x0000000000F55000-memory.dmp
    Filesize

    5.1MB

    Download
  • memory/3476-244-0x0000000000A40000-0x0000000000F55000-memory.dmp
    Filesize

    5.1MB

    Download
  • memory/3476-247-0x0000000000A40000-0x0000000000F55000-memory.dmp
    Filesize

    5.1MB

    Download
  • memory/3476-249-0x0000000000A40000-0x0000000000F55000-memory.dmp
    Filesize

    5.1MB

    Download
  • memory/3476-252-0x0000000000A40000-0x0000000000F55000-memory.dmp
    Filesize

    5.1MB

    Download
  • memory/3476-254-0x0000000000A40000-0x0000000000F55000-memory.dmp
    Filesize

    5.1MB

    Download
  • memory/3476-260-0x0000000000A40000-0x0000000000F55000-memory.dmp
    Filesize

    5.1MB

    Download
  • memory/3476-262-0x0000000000A40000-0x0000000000F55000-memory.dmp
    Filesize

    5.1MB

    Download
  • memory/3476-1-0x0000000077594000-0x0000000077596000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3476-265-0x0000000000A40000-0x0000000000F55000-memory.dmp
    Filesize

    5.1MB

    Download