Analysis
- max time kernel: 150s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-06-2024 01:25
Tasks (sample, resource)
- static1: static task
- behavioral1: 88f8f695e6af7d58da5f5b7ef60d0bde_JaffaCakes118.exe (win7-20240508-en)
- behavioral2: 88f8f695e6af7d58da5f5b7ef60d0bde_JaffaCakes118.exe (win10v2004-20240426-en)
- behavioral3: $PLUGINSDIR/System.dll (win7-20240221-en)
- behavioral4: $PLUGINSDIR/System.dll (win10v2004-20240426-en)
- behavioral5: $PLUGINSDIR/UAC.dll (win7-20240419-en)
- behavioral6: $PLUGINSDIR/UAC.dll (win10v2004-20240226-en)
- behavioral7: $PLUGINSDIR/UserInfo.dll (win7-20240221-en)
- behavioral8: $PLUGINSDIR/UserInfo.dll (win10v2004-20240508-en)
- behavioral9: $PLUGINSDIR/nsDialogs.dll (win7-20240220-en)
- behavioral10: $PLUGINSDIR/nsDialogs.dll (win10v2004-20240508-en)
- behavioral11: $PLUGINSDIR/nsExec.dll (win7-20240508-en)
- behavioral12: $PLUGINSDIR/nsExec.dll (win10v2004-20240426-en)
- behavioral13: DowloadX.exe (win7-20240221-en)
- behavioral14: DowloadX.exe (win10v2004-20240508-en)
- behavioral15: Download.exe (win7-20240508-en)
- behavioral16: Download.exe (win10v2004-20240426-en)
- behavioral17: ipras.vbs (win7-20240419-en)
- behavioral18: ipras.vbs (win10v2004-20240508-en)
General
- Target: Download.exe
- Size: 2.1MB
- MD5: b8312084a400862a2c19797691c6f0a6
- SHA1: d675f4ed00508ff0208f75fd6851d14348c9bed4
- SHA256: 9f23b60e0b3c3360a2b67cc40d977577a74d1b16306522aa306b0feb29dad07b
- SHA512: beae195ed8dd2572e7299cdbe137d80f152cefa89c8bca25bafcf9527b34157833972cc3142d803e8cef33d5fe72217278253f423cc203585097a7ec1a0496ce
- SSDEEP: 49152:fP3lms2TDH5VBPPRmZ6riTIWQhL1iNVcKs3UqVobLeuufeoyKk0lIeDe/:X4s25VBPPRbGYL16qltSbLNm/yKk0lIP
Malware Config
- Extracted: cryptbot
- cede01.info
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Processes: Download.exe
  Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (Download.exe)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: Download.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (Download.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (Download.exe)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Processes: Download.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation (Download.exe)
- Identifies Wine through registry keys (2 TTPs, 1 IoC)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes: Download.exe
  Key opened: \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Wine (Download.exe)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow 8: ip-api.com
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes: PID 4168 Download.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: Download.exe
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (Download.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (Download.exe)
- Delays execution with timeout.exe (1 IoC)
  Processes: PID 2204 timeout.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: PID 4168 Download.exe (2 events)
- Suspicious use of FindShellTrayWindow (12 IoCs)
  Processes: PID 4168 Download.exe (12 events)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: Download.exe, cmd.exe
  PID 4168 Download.exe wrote to memory of PID 3628 cmd.exe (3 events)
  PID 3628 cmd.exe wrote to memory of PID 2204 timeout.exe (3 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\Download.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Download.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\ZZzoj5r5rbrtm & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Download.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 2
      - Delays execution with timeout.exe
Downloads