Overview

overview

10

Static

static

3

91a8df2a70...18.exe

windows7-x64

10

91a8df2a70...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    03-06-2024 11:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    91a8df2a703c7a45dd810b8ac711b3f1_JaffaCakes118.exe

  • Size

    2.0MB

  • MD5

    91a8df2a703c7a45dd810b8ac711b3f1

  • SHA1

    584704b833ff492ee99ed1cb9a13365a0993a539

  • SHA256

    12dd0096f6d94a29abc4f8da7203dfef2b3f8ce5a0fb4c959fe53caa3b26d4a3

  • SHA512

    d0d20c6896d602801d6cd5e6f779c43db6d5c620a90a87c208f2aa5a5e0b1e119235ba6c919a16069251828fb91af9dcaac7002e1bff80fca70c4cf28ee8762e

  • SSDEEP

    49152:2/t+m+UUUUUUJUUUUUUQ9XpiNfwG0chfhp838YbgBs0qm56TZylx+ZJMV:W+mJUUUUUJUUUUUUZVHhp83xEu6x+/

Score
10/10
cryptbotdiscoveryevasionspywarestealer

Malware Config

Extracted

Family

cryptbot

C2

nkoopw01.top

moraass06.top

Signatures

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • CryptBot payload 22 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\91a8df2a703c7a45dd810b8ac711b3f1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\91a8df2a703c7a45dd810b8ac711b3f1_JaffaCakes118.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    PID:1804

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

5
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\JgnJZVO\6u40AdqZ38me.zip
    Filesize

    37KB

    MD5

    416d746565d077f1ffef7486e1654d1f

    SHA1

    1f490301a7f0bc1ce15b68495f267a33c88e5707

    SHA256

    7a1195f10f70ee4cbcaeedd02df4a82b2f36284947ba55d920aa2a2429df8d2a

    SHA512

    735f747895ea658c9babb51ce1dd25c360a16bbb3b25c81e5e708ea61168bbb17d46db3acba2ef2b76a22ad7e0721953386597f89569c991fbc3c7e69eafb30e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\JgnJZVO\_Files\_Information.txt
    Filesize

    8KB

    MD5

    f4217798f5e39c3162d2174edd00850b

    SHA1

    21f7aec5a500d2db465906837b01fa5d04253f05

    SHA256

    ed9048df26edfc753035ceb1bd4925700b7e30dc7dafb56ed485878bdd294a3d

    SHA512

    52fc638e64afea03e6ab83438576494366df231871023d8eac9f51d74ffc749c07e47c7072c61ba85bbf64d7f90be4be2e866e49775ebd2911efee5fd5e9b85e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\JgnJZVO\_Files\_Screen_Desktop.jpeg
    Filesize

    45KB

    MD5

    291fd54df4896ce88a9f944361817291

    SHA1

    c17b8259631b6314a430318116a8508c330ecc02

    SHA256

    2189c2e2d6405d4dbf76bb988543e08da09bdf86e334ce196051a03432533f8b

    SHA512

    c5317f22c820845345e15add64f0562f89a56b51a2ff39bcd3e87494edec717ce1425dcfae5da64d1390c6a93d89d9382c3e0b6b534c8256b3e120684f0968b5

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\JgnJZVO\files_\system_info.txt
    Filesize

    1KB

    MD5

    98df4d720fe99bb8afd38cd2499d100b

    SHA1

    81dfa7b6a77b8d9ece165590878092a16ec3f6dd

    SHA256

    74e4d2ec43e19f68eecf0708ff85feff04fc0cf117607011facdff1ad28cd02c

    SHA512

    af932d0b7e80a2be2f056acc956cb74b43c2a91e6470f4877381c2a773f33cc83a30b33f60ac6a9848855e41b18fb34ff1a80f82199fa86fc079d23bf45858cc

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\JgnJZVO\files_\system_info.txt
    Filesize

    3KB

    MD5

    ded0cd1f97ec5ce01b9173eec31025b7

    SHA1

    097ce438b8023e32126f7940af33f09c495148a5

    SHA256

    b04bcd7e33e0127a9379b1dfdb6eca8545ad4ce8b7d26ba8189c1b4490fff852

    SHA512

    039996becf3c337fd52a9472dec47af4c59a50cae85057a7a0ee7eea1db676d323f5457e99deac458aeb5fc0fd4b5aea547843f4b9410c60cc75fb7f773adac4

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\JgnJZVO\files_\system_info.txt
    Filesize

    5KB

    MD5

    0a0ac06b940cb0508c1840e26e1a4f54

    SHA1

    630be237dd39e971e8ee4431fd84b5fa165ae3c8

    SHA256

    7c182a3f44ffb165f2414c52cfc16155671858954d2be2c989d85c9607e25452

    SHA512

    a0a4b0def82ae71bbdba49cea2fcb3806e45abcd2afae7ae2e57ad3681e3972c7ed963dbd7218dbe9a9f1b9c3194197268c3d3a92737c7a9d7a64883bf8f3ed6

    Download Submit
  • memory/1804-230-0x0000000000150000-0x0000000000640000-memory.dmp
    Filesize

    4.9MB

    Download
  • memory/1804-234-0x0000000000150000-0x0000000000640000-memory.dmp
    Filesize

    4.9MB

    Download
  • memory/1804-8-0x0000000000151000-0x00000000001AC000-memory.dmp
    Filesize

    364KB

    Download
  • memory/1804-9-0x0000000000150000-0x0000000000640000-memory.dmp
    Filesize

    4.9MB

    Download
  • memory/1804-10-0x0000000000150000-0x0000000000640000-memory.dmp
    Filesize

    4.9MB

    Download
  • memory/1804-119-0x0000000000150000-0x0000000000640000-memory.dmp
    Filesize

    4.9MB

    Download
  • memory/1804-3-0x0000000000980000-0x0000000000981000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1804-4-0x0000000000BC0000-0x0000000000BC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1804-5-0x0000000002410000-0x0000000002411000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1804-6-0x0000000000AC0000-0x0000000000AC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1804-7-0x00000000007D0000-0x00000000007D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1804-228-0x0000000000150000-0x0000000000640000-memory.dmp
    Filesize

    4.9MB

    Download
  • memory/1804-0-0x0000000000150000-0x0000000000640000-memory.dmp
    Filesize

    4.9MB

    Download
  • memory/1804-232-0x0000000000150000-0x0000000000640000-memory.dmp
    Filesize

    4.9MB

    Download
  • memory/1804-233-0x0000000000150000-0x0000000000640000-memory.dmp
    Filesize

    4.9MB

    Download
  • memory/1804-2-0x0000000000A10000-0x0000000000A11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1804-235-0x0000000000150000-0x0000000000640000-memory.dmp
    Filesize

    4.9MB

    Download
  • memory/1804-1-0x00000000776C0000-0x00000000776C2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1804-237-0x0000000000150000-0x0000000000640000-memory.dmp
    Filesize

    4.9MB

    Download
  • memory/1804-238-0x0000000000150000-0x0000000000640000-memory.dmp
    Filesize

    4.9MB

    Download
  • memory/1804-241-0x0000000000150000-0x0000000000640000-memory.dmp
    Filesize

    4.9MB

    Download
  • memory/1804-243-0x0000000000150000-0x0000000000640000-memory.dmp
    Filesize

    4.9MB

    Download
  • memory/1804-245-0x0000000000150000-0x0000000000640000-memory.dmp
    Filesize

    4.9MB

    Download
  • memory/1804-247-0x0000000000150000-0x0000000000640000-memory.dmp
    Filesize

    4.9MB

    Download
  • memory/1804-250-0x0000000000150000-0x0000000000640000-memory.dmp
    Filesize

    4.9MB

    Download
  • memory/1804-252-0x0000000000150000-0x0000000000640000-memory.dmp
    Filesize

    4.9MB

    Download
  • memory/1804-254-0x0000000000150000-0x0000000000640000-memory.dmp
    Filesize

    4.9MB

    Download
  • memory/1804-257-0x0000000000150000-0x0000000000640000-memory.dmp
    Filesize

    4.9MB

    Download
  • memory/1804-259-0x0000000000150000-0x0000000000640000-memory.dmp
    Filesize

    4.9MB

    Download
  • memory/1804-261-0x0000000000150000-0x0000000000640000-memory.dmp
    Filesize

    4.9MB

    Download
  • memory/1804-263-0x0000000000150000-0x0000000000640000-memory.dmp
    Filesize

    4.9MB

    Download