Analysis
-
max time kernel
149s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system -
submitted
30-05-2024 17:36
Static task
static1
Behavioral task
behavioral1
Sample
84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe
Resource
win7-20240419-en
General
-
Target
84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe
-
Size
2.1MB
-
MD5
84ed617163c46602cbac577800ca9af0
-
SHA1
44ece41b2f92117655b0aed8180890ab3a2e79a9
-
SHA256
7cedfec517d2cb0967ed42266802acbbdb12dfbac5f32d677f7b5a8d43544cf9
-
SHA512
455a990ee280a9445d1c3884e2ba2841e964f37d429a2742a91076e1bd819c0f8f692923700929d0fad88144c7916f2393d049b964bf9cba5cb99b42c1822233
-
SSDEEP
49152:T2pgPMMANpMshiMAZPMQQMCzTEBliSd/FTJEQbatj:T2pgPrssZLdBltd9TJ
Malware Config
Extracted
cryptbot
bibinene03.top
moraass05.top
Signatures
-
CryptBot payload 18 IoCs
Processes:
resource yara_rule
behavioral2/memory/4760-6-0x00000000005C0000-0x0000000000AC4000-memory.dmp family_cryptbot
behavioral2/memory/4760-7-0x00000000005C0000-0x0000000000AC4000-memory.dmp family_cryptbot
behavioral2/memory/4760-222-0x00000000005C0000-0x0000000000AC4000-memory.dmp family_cryptbot
behavioral2/memory/4760-224-0x00000000005C0000-0x0000000000AC4000-memory.dmp family_cryptbot
behavioral2/memory/4760-226-0x00000000005C0000-0x0000000000AC4000-memory.dmp family_cryptbot
behavioral2/memory/4760-228-0x00000000005C0000-0x0000000000AC4000-memory.dmp family_cryptbot
behavioral2/memory/4760-230-0x00000000005C0000-0x0000000000AC4000-memory.dmp family_cryptbot
behavioral2/memory/4760-233-0x00000000005C0000-0x0000000000AC4000-memory.dmp family_cryptbot
behavioral2/memory/4760-236-0x00000000005C0000-0x0000000000AC4000-memory.dmp family_cryptbot
behavioral2/memory/4760-239-0x00000000005C0000-0x0000000000AC4000-memory.dmp family_cryptbot
behavioral2/memory/4760-242-0x00000000005C0000-0x0000000000AC4000-memory.dmp family_cryptbot
behavioral2/memory/4760-245-0x00000000005C0000-0x0000000000AC4000-memory.dmp family_cryptbot
behavioral2/memory/4760-248-0x00000000005C0000-0x0000000000AC4000-memory.dmp family_cryptbot
behavioral2/memory/4760-250-0x00000000005C0000-0x0000000000AC4000-memory.dmp family_cryptbot
behavioral2/memory/4760-256-0x00000000005C0000-0x0000000000AC4000-memory.dmp family_cryptbot
behavioral2/memory/4760-259-0x00000000005C0000-0x0000000000AC4000-memory.dmp family_cryptbot
behavioral2/memory/4760-261-0x00000000005C0000-0x0000000000AC4000-memory.dmp family_cryptbot
behavioral2/memory/4760-265-0x00000000005C0000-0x0000000000AC4000-memory.dmp family_cryptbot -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe
description ioc process
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe
description ioc process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe
description ioc process
Key opened \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Wine 84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe
pid process
4760 84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe
description ioc process
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe
pid process
4760 84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe
4760 84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe
pid process
4760 84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe
4760 84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\84ed617163c46602cbac577800ca9af0_JaffaCakes118.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Gz3Dea1l\CXDWkorAXzEG2S.zip
Filesize
44KB
MD5 d552e2f6df52c0d7c372d3ca0b51dc88
SHA1 54b59588d56f49d1c75b3fae967aa795d0e8df68
SHA256 6685427ba73e754a6c38f1171dfedd17fc4a877a348d5d910a133884c6467fcb
SHA512 1f539206891088a62c4c25288553b3e6e8fe3882293fae21a1b6fc7d24356f7bc2e634e830d0ea1b12fc9d724409b238ebae95112405e2fc4cad26c630edfe48
-
C:\Users\Admin\AppData\Local\Temp\Gz3Dea1l\_Files\_Information.txt
Filesize
1KB
MD5 bc0f6e81f81aa9245de89c2b9ec6384f
SHA1 bd5daa4fd4896547b786a9fd33f8edd3988f4a29
SHA256 4c08c4732e7be2a4b1bcb52f7bb8e2d819b651ee42cc499bec9597dcf71aaf3a
SHA512 eda5fe3d04c02c195b105dfccbf76d21cce81d841806ae599fd8b5f3bea5fc2c25b0c46ae3e02ed7200f0f96f333d72a6a8137c450ac1f45ed9d2ae1e6898dc5
-
C:\Users\Admin\AppData\Local\Temp\Gz3Dea1l\_Files\_Information.txt
Filesize
5KB
MD5 dc5e6ff4483fb6e27cf3326d3caf48f3
SHA1 4152048a9f2eb82f79b6154275c050aba8ee044d
SHA256 aa1d4cd8be21edef13db8528c9ca3729f67ddfed9962effd4791940aac51856f
SHA512 728a73f14772cb0e4e8e75fac1489c99a10cb48aac5bd773612633060505059b1ad0c8f745fb049eb50fffe3f520c84e0987407a591b7683a80866d9f5024125
-
C:\Users\Admin\AppData\Local\Temp\Gz3Dea1l\_Files\_Screen_Desktop.jpeg
Filesize
50KB
MD5 dbed2d95046b873a35156c58d0a68188
SHA1 d2f3abb2cdf6a46d30a1d16445bd8fbbb05d16d9
SHA256 5305075bfc4b91f86992aa20fe5548033033855064ac038e9887705f4dab0791
SHA512 ce768ed547dcfcbe02f266bd6031eabf9e94886c362e5d83fdf8b402f77d49a3bc389db06587aa8a54dde9a51449b9252f74834a6f3d5b8ed712b704d7ab8126
-
C:\Users\Admin\AppData\Local\Temp\Gz3Dea1l\files_\system_info.txt
Filesize
7KB
MD5 6f60eb9a257e4f2131ab1d9e7aa216af
SHA1 33aab7c31db154410a52393186b30bc801df04a3
SHA256 baf9bd1e897c4906d5d1b4f973768d9b088ab01fd00844181e2d732b3180240c
SHA512 4a1f417d403bbf094aac65809bd68f4c44ab4997376ab5533dbc534692fe5588a3f3e757911e1b23f1e600cf85135843f528ea48cfff72d8471458cf88556ea7
-
C:\Users\Admin\AppData\Local\Temp\Gz3Dea1l\nEhi5gWsHhUu.zip
Filesize
44KB
MD5 dcb3f887195f12d66faf2e5fe02a4bbe
SHA1 1f549634823e96af3c9c5ed93b97b2367455168c
SHA256 6a5a764d7b37e61da53cc6f7188dba415b665edf5df38525156f34196e82f804
SHA512 87e13c9d8885acbd9c8aa7e2ff024f0f984342df622f82e3756240029c61032fc3194585dbf10784b2b9fd3eec1f48ae55ffc4b1696c5431a2d7e5982bd37b79
-
memory/4760-7-0x00000000005C0000-0x0000000000AC4000-memory.dmp
Filesize
5.0MB
-
memory/4760-230-0x00000000005C0000-0x0000000000AC4000-memory.dmp
Filesize
5.0MB
-
memory/4760-6-0x00000000005C0000-0x0000000000AC4000-memory.dmp
Filesize
5.0MB
-
memory/4760-2-0x0000000004FA0000-0x0000000004FA1000-memory.dmp
Filesize
4KB
-
memory/4760-5-0x00000000005C1000-0x000000000061C000-memory.dmp
Filesize
364KB
-
memory/4760-3-0x0000000004FC0000-0x0000000004FC1000-memory.dmp
Filesize
4KB
-
memory/4760-222-0x00000000005C0000-0x0000000000AC4000-memory.dmp
Filesize
5.0MB
-
memory/4760-224-0x00000000005C0000-0x0000000000AC4000-memory.dmp
Filesize
5.0MB
-
memory/4760-4-0x0000000004FB0000-0x0000000004FB1000-memory.dmp
Filesize
4KB
-
memory/4760-226-0x00000000005C0000-0x0000000000AC4000-memory.dmp
Filesize
5.0MB
-
memory/4760-228-0x00000000005C0000-0x0000000000AC4000-memory.dmp
Filesize
5.0MB
-
memory/4760-0-0x00000000005C0000-0x0000000000AC4000-memory.dmp
Filesize
5.0MB
-
memory/4760-233-0x00000000005C0000-0x0000000000AC4000-memory.dmp
Filesize
5.0MB
-
memory/4760-236-0x00000000005C0000-0x0000000000AC4000-memory.dmp
Filesize
5.0MB
-
memory/4760-239-0x00000000005C0000-0x0000000000AC4000-memory.dmp
Filesize
5.0MB
-
memory/4760-242-0x00000000005C0000-0x0000000000AC4000-memory.dmp
Filesize
5.0MB
-
memory/4760-245-0x00000000005C0000-0x0000000000AC4000-memory.dmp
Filesize
5.0MB
-
memory/4760-248-0x00000000005C0000-0x0000000000AC4000-memory.dmp
Filesize
5.0MB
-
memory/4760-250-0x00000000005C0000-0x0000000000AC4000-memory.dmp
Filesize
5.0MB
-
memory/4760-256-0x00000000005C0000-0x0000000000AC4000-memory.dmp
Filesize
5.0MB
-
memory/4760-1-0x0000000076FA4000-0x0000000076FA6000-memory.dmp
Filesize
8KB
-
memory/4760-259-0x00000000005C0000-0x0000000000AC4000-memory.dmp
Filesize
5.0MB
-
memory/4760-261-0x00000000005C0000-0x0000000000AC4000-memory.dmp
Filesize
5.0MB
-
memory/4760-265-0x00000000005C0000-0x0000000000AC4000-memory.dmp
Filesize
5.0MB