Overview

overview

10

Static

static

3

83da1e18fa...18.exe

windows7-x64

10

83da1e18fa...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    30-05-2024 10:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    83da1e18faa3d201af90f86d653384f6_JaffaCakes118.exe

  • Size

    2.0MB

  • MD5

    83da1e18faa3d201af90f86d653384f6

  • SHA1

    13e1440e5d1a51723c656a5abdea46af60d928c3

  • SHA256

    ede8a67aa2657dbb5e392a9c6567c8612175fee13e3f49074a2f9dc02b7b88d8

  • SHA512

    9f3b3091979632f2cc83b53681d1d0cf0916844fe270a5249ec2c2bf4e338959927748874f160d00af3e42a0d30a84b89273f67226112bd04e8961fa7f8d22ca

  • SSDEEP

    49152:lyWygqzOCztEtmRvW4OqBm/VFocdsLHKmb50s+vPhA:lozOSE8Rw48FOTKxby

Score
10/10
cryptbotdiscoveryevasionspywarestealer

Malware Config

Extracted

Family

cryptbot

C2

bibinene03.top

moraass05.top

Signatures

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • CryptBot payload 20 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\83da1e18faa3d201af90f86d653384f6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\83da1e18faa3d201af90f86d653384f6_JaffaCakes118.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    PID:3068

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

5
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Vykk0ZkWsXi\T2XbBikTaHbhG.zip
    Filesize

    37KB

    MD5

    fa4434a2347ab2b9bdf3f0897ff42423

    SHA1

    f3717fa845ae98e7a0b735c2a3e8da944002c094

    SHA256

    908edee0c88ea74ce1fd962a57453ef3c190775dcd144a6b4e34e432ce076f99

    SHA512

    cb9abe3d126d84e15057f2492245894fde4c672f836bf8214bb50928a2a131ebd03553fcc19e6cef059dce300f2b2d0c77606579a6d9afe9e4375aea41945527

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Vykk0ZkWsXi\_Files\_Information.txt
    Filesize

    8KB

    MD5

    facec15ea69f6c823522d64cd73e1002

    SHA1

    401b3a92686da40070304d143da9d95d8203c751

    SHA256

    c64fe36059ace4f51244b675b912e5350c7120a3e63e7a55bb132910c3650386

    SHA512

    c7e249d4bbfc0e8d6604050d5bf270b387b9d66c4a14bbc4a1e5fc76236f4762cd8229a543265acadc6084fa8f7fa27b6a29f13eefd62e414e3f09eb686d70ac

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Vykk0ZkWsXi\_Files\_Screen_Desktop.jpeg
    Filesize

    44KB

    MD5

    d2647ecfa5208e5cddb9c9cb93fb4953

    SHA1

    d8bb33ceeb7c59ce4380cc7d0ed155e19dae6a01

    SHA256

    5eab4d58227da85d6699ccbe707b27a71e4b62a9629b4fbf594228ab15e803a5

    SHA512

    4ff477be9e86cae011728a7a9517bfc57dbdf35695c959ca8f6797aea1b982e6a6a88dc8817afa5411fab52a25e2729125e2a81b2f04e079ab4f6c3b9fb1db4d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Vykk0ZkWsXi\files_\system_info.txt
    Filesize

    1KB

    MD5

    536b258ccbcf891b2e75336c66f1224d

    SHA1

    2eeb53a9891c53a59f14d03f2aa45c860e3e7c3f

    SHA256

    67ca8410ca90b788f3c63a51063c24993646f5280b02cac32102adb95014b9ad

    SHA512

    4b08dc43dd53578b9067b6298832af4356fe10aa3340fc76f8af7f3f5832b6348da977673bf543b9615cc535292e15a767d892b3e4b293cc5b68d4c9fa0bb026

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Vykk0ZkWsXi\files_\system_info.txt
    Filesize

    3KB

    MD5

    337f7b60ea104f5a573e28d5c1d7e375

    SHA1

    56d90c4a085283e7f818f0eac5636645944bcf25

    SHA256

    6a1727e643be26717b6469ecf948611dfc2f888e71a368493e3756b64b5bb596

    SHA512

    be4ccfd4f1cecc7081527d723599adbbf215ebc4beba0f13bd7be1dba093c41b63a6bc0fbcf7671b6a0fd65bedf82b67554a01c6d4244ff1e891bfaf0a1af30d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Vykk0ZkWsXi\files_\system_info.txt
    Filesize

    3KB

    MD5

    6d9e796e2267edc234600bc31d12fd8d

    SHA1

    b5f29b3ecfd31e6a7bb701cd84d6c29123c5e807

    SHA256

    eb5e793fdf2a77133683ed0802228aadfd1da85abf20e18c99a16af41e96e48a

    SHA512

    0e9dc6a7e65920ad23e5b4759f9921f0b15c077987dfede760c8e6e57c8cc6c3db875cd8f90a0688b006146aa5b650db2f29e9eb2cf3d8b830d4fa12d72a6819

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Vykk0ZkWsXi\files_\system_info.txt
    Filesize

    4KB

    MD5

    2db626ec37d9aa691082c59fc6ddc96a

    SHA1

    3e3938d6e9c2ee5cf4ef30b156d337c7022384fd

    SHA256

    a60fb48c05d95ace2501aa72622972fdc1b8378a9633e48aafbbce056c81fda5

    SHA512

    ef81621be175520baa3f757b823813f09bff61100e6ab4e0952344d20ee3a5211f8fd34a7fce71a0553536dd395d312ec4613a2100549f28a0d735f25a46de75

    Download Submit
  • memory/3068-8-0x0000000000C30000-0x0000000001130000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3068-231-0x0000000000C30000-0x0000000001130000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3068-9-0x0000000000C30000-0x0000000001130000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3068-2-0x0000000000BC0000-0x0000000000BC2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3068-118-0x0000000000C30000-0x0000000001130000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3068-3-0x00000000027B0000-0x00000000027B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3068-4-0x00000000028E0000-0x00000000028E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3068-5-0x0000000002570000-0x0000000002571000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3068-7-0x0000000000C31000-0x0000000000C8C000-memory.dmp
    Filesize

    364KB

    Download
  • memory/3068-6-0x0000000000A10000-0x0000000000A11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3068-227-0x0000000000C30000-0x0000000001130000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3068-229-0x0000000000C30000-0x0000000001130000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3068-230-0x0000000000C30000-0x0000000001130000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3068-0-0x0000000000C30000-0x0000000001130000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3068-233-0x0000000000C30000-0x0000000001130000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3068-1-0x0000000077550000-0x0000000077552000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3068-235-0x0000000000C30000-0x0000000001130000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3068-237-0x0000000000C30000-0x0000000001130000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3068-239-0x0000000000C30000-0x0000000001130000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3068-241-0x0000000000C30000-0x0000000001130000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3068-243-0x0000000000C30000-0x0000000001130000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3068-246-0x0000000000C30000-0x0000000001130000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3068-248-0x0000000000C30000-0x0000000001130000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3068-250-0x0000000000C30000-0x0000000001130000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3068-253-0x0000000000C30000-0x0000000001130000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3068-255-0x0000000000C30000-0x0000000001130000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3068-257-0x0000000000C30000-0x0000000001130000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3068-259-0x0000000000C30000-0x0000000001130000-memory.dmp
    Filesize

    5.0MB

    Download