Analysis

Max time kernel: 150s
Max time network: 161s
Platform: windows10-2004_x64
Resource: win10v2004-20240226-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 03-06-2024 11:44

Static task: static1
Behavioral task: behavioral1
Sample: 91a8df2a703c7a45dd810b8ac711b3f1_JaffaCakes118.exe
Resource: win7-20240215-en
General

Target: 91a8df2a703c7a45dd810b8ac711b3f1_JaffaCakes118.exe
Size: 2.0MB
MD5: 91a8df2a703c7a45dd810b8ac711b3f1
SHA1: 584704b833ff492ee99ed1cb9a13365a0993a539
SHA256: 12dd0096f6d94a29abc4f8da7203dfef2b3f8ce5a0fb4c959fe53caa3b26d4a3
SHA512: d0d20c6896d602801d6cd5e6f779c43db6d5c620a90a87c208f2aa5a5e0b1e119235ba6c919a16069251828fb91af9dcaac7002e1bff80fca70c4cf28ee8762e
SSDEEP: 49152:2/t+m+UUUUUUJUUUUUUQ9XpiNfwG0chfhp838YbgBs0qm56TZylx+ZJMV:W+mJUUUUUJUUUUUUZVHhp83xEu6x+/
Malware Config

Extracted: cryptbot
  nkoopw01.top
  moraass06.top
Signatures

CryptBot payload (18 IoCs)
Processes:
resource                                                                    yara_rule
behavioral2/memory/2964-6-0x0000000000630000-0x0000000000B20000-memory.dmp     family_cryptbot
behavioral2/memory/2964-7-0x0000000000630000-0x0000000000B20000-memory.dmp     family_cryptbot
behavioral2/memory/2964-56-0x0000000000630000-0x0000000000B20000-memory.dmp    family_cryptbot
behavioral2/memory/2964-214-0x0000000000630000-0x0000000000B20000-memory.dmp   family_cryptbot
behavioral2/memory/2964-215-0x0000000000630000-0x0000000000B20000-memory.dmp   family_cryptbot
behavioral2/memory/2964-217-0x0000000000630000-0x0000000000B20000-memory.dmp   family_cryptbot
behavioral2/memory/2964-219-0x0000000000630000-0x0000000000B20000-memory.dmp   family_cryptbot
behavioral2/memory/2964-221-0x0000000000630000-0x0000000000B20000-memory.dmp   family_cryptbot
behavioral2/memory/2964-224-0x0000000000630000-0x0000000000B20000-memory.dmp   family_cryptbot
behavioral2/memory/2964-226-0x0000000000630000-0x0000000000B20000-memory.dmp   family_cryptbot
behavioral2/memory/2964-229-0x0000000000630000-0x0000000000B20000-memory.dmp   family_cryptbot
behavioral2/memory/2964-232-0x0000000000630000-0x0000000000B20000-memory.dmp   family_cryptbot
behavioral2/memory/2964-235-0x0000000000630000-0x0000000000B20000-memory.dmp   family_cryptbot
behavioral2/memory/2964-238-0x0000000000630000-0x0000000000B20000-memory.dmp   family_cryptbot
behavioral2/memory/2964-240-0x0000000000630000-0x0000000000B20000-memory.dmp   family_cryptbot
behavioral2/memory/2964-243-0x0000000000630000-0x0000000000B20000-memory.dmp   family_cryptbot
behavioral2/memory/2964-249-0x0000000000630000-0x0000000000B20000-memory.dmp   family_cryptbot
behavioral2/memory/2964-251-0x0000000000630000-0x0000000000B20000-memory.dmp   family_cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
Processes: 91a8df2a703c7a45dd810b8ac711b3f1_JaffaCakes118.exe
description   ioc                                           process
Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   91a8df2a703c7a45dd810b8ac711b3f1_JaffaCakes118.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: 91a8df2a703c7a45dd810b8ac711b3f1_JaffaCakes118.exe
description         ioc                                                          process
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    91a8df2a703c7a45dd810b8ac711b3f1_JaffaCakes118.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   91a8df2a703c7a45dd810b8ac711b3f1_JaffaCakes118.exe
Identifies Wine through registry keys (2 TTPs, 1 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: 91a8df2a703c7a45dd810b8ac711b3f1_JaffaCakes118.exe
description   ioc                                                                          process
Key opened    \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine   91a8df2a703c7a45dd810b8ac711b3f1_JaffaCakes118.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
Processes: 91a8df2a703c7a45dd810b8ac711b3f1_JaffaCakes118.exe
pid    process
2964   91a8df2a703c7a45dd810b8ac711b3f1_JaffaCakes118.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: 91a8df2a703c7a45dd810b8ac711b3f1_JaffaCakes118.exe
description         ioc                                                                            process
Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      91a8df2a703c7a45dd810b8ac711b3f1_JaffaCakes118.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  91a8df2a703c7a45dd810b8ac711b3f1_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: 91a8df2a703c7a45dd810b8ac711b3f1_JaffaCakes118.exe
pid    process
2964   91a8df2a703c7a45dd810b8ac711b3f1_JaffaCakes118.exe
2964   91a8df2a703c7a45dd810b8ac711b3f1_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: 91a8df2a703c7a45dd810b8ac711b3f1_JaffaCakes118.exe
pid    process
2964   91a8df2a703c7a45dd810b8ac711b3f1_JaffaCakes118.exe
2964   91a8df2a703c7a45dd810b8ac711b3f1_JaffaCakes118.exe
Processes

C:\Users\Admin\AppData\Local\Temp\91a8df2a703c7a45dd810b8ac711b3f1_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\91a8df2a703c7a45dd810b8ac711b3f1_JaffaCakes118.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1032 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Temp\PZLmFMi\3wVKNZeIj.zip
Filesize: 38KB
MD5: f6fa0c8609cc32c96647f360005fd7de
SHA1: 603d6597805d96c9ec4df45bf75dbc11a2d489c7
SHA256: e8e42f366663ba5ee62f71c5dd1b9ae0b79371e942a9881843527cd958a7d99d
SHA512: 3017171a00b9eec5e3fdac67921083a3372a373d67a744d9077561e2d9c3ceb39cf53a260c7ccacf67190edc79182290127e48b7814dc7725b89458ac1a67ee0

C:\Users\Admin\AppData\Local\Temp\PZLmFMi\_Files\_Information.txt
Filesize: 4KB
MD5: 9194d9b6efc8458467fcd94b74a10118
SHA1: 4da4739f5a39a48ba50aad0ccf27cacae1f6194c
SHA256: bb5be695c5906d813a8810ebb7dbb1439d4c9ed432b835b4b8b7dc4fcdf6606f
SHA512: c960a46d497951b8d921f8cf5123967fea0fc292f482bb25c4d09790871ebcbd080966daa8a01c936a0c2cd96c4f9977c487de9c05d6bf9390cb75c2f0ea7585

C:\Users\Admin\AppData\Local\Temp\PZLmFMi\_Files\_Screen_Desktop.jpeg
Filesize: 44KB
MD5: 9cf03cdbedcc3b9e169e0d330fdd3272
SHA1: b375884e35b273ee9e56b4d4d16bdd742a6e8519
SHA256: 4d78f6a132db2eef7a7bcc4eec606e689ce170fe1f17802f7d2b6a745acee04d
SHA512: 11d616f564c0c29752d96a83a927f13349922783ea8c1a7dfe60eeea6ec798def12fd8e18217aaf7a7447c246259e6aad53e18b6480bdeeba791e6690c5d3852

C:\Users\Admin\AppData\Local\Temp\PZLmFMi\files_\system_info.txt
Filesize: 1KB
MD5: 616337c9db3494d210eb971745275d38
SHA1: ecb0680d51272df83c462c1065cf2b10be0a0787
SHA256: bdf02e9a51b404a34f43c83ad013eb05b09af49b5f4dcf817a7113ac362278b2
SHA512: 3b036d6a36522a2bf17ac56b87cd23a801d52d372cff7b3ca91b93c111f640a54d743fc54ec11a4d81fe17c37abbf9073a6f64a0da7bdb0cc07be008efba694a

C:\Users\Admin\AppData\Local\Temp\PZLmFMi\files_\system_info.txt
Filesize: 3KB
MD5: 395a2e7b841982cba1ed4f95c3a532c7
SHA1: 9226e6e703497f96de2c3dc0dda127e9a71ddcd8
SHA256: 407e7e03298516f27f2d9251a5cac6ca9d523d5406712c81ffa2331ed7c86dad
SHA512: ec3c09102e667611e175846b41a3a4a501e3ab59557d2308b917a37792877310cca31e4416be370debec34187b1e44db3335199f8af7f3afd8b4a5a26dac167c

C:\Users\Admin\AppData\Local\Temp\PZLmFMi\files_\system_info.txt
Filesize: 4KB
MD5: badb588c555a2b8a8df2ab7e97f97a54
SHA1: 3a20553440ad6c8adb6b07387c9a7c96eebe3287
SHA256: c2ec2342a574808d97720e53fc5646c8d9cb1d5627b9526925817929c721330d
SHA512: e44feb3f2199c2e41ce652a4eb2dfee7e9f4e96be0019773d0f8ad716719c14c56441b8f5cf8c39bc2c7f01ced7465821fc174a35f2264f60b3acbc8f3533107

C:\Users\Admin\AppData\Local\Temp\PZLmFMi\files_\system_info.txt
Filesize: 4KB
MD5: a204e58335e175b68ce590e32f025be7
SHA1: 1682db16b10a6e22374b63548a3e6834d8d7b41b
SHA256: 25b9bf98e15e73bdc045b0c1602573275efeb91f1271dca9117615d44f250ee5
SHA512: 44781b638eeba56d183d77bbf70b422a06634628639014026d1b1a115ceecb8b9e9ee38d09932e7f79164ad048d2d8bd1bffa22f9c10be84b4acded00e6472ad

C:\Users\Admin\AppData\Local\Temp\PZLmFMi\yHY8NpAVieA4k.zip
Filesize: 38KB
MD5: 33d046196f4bee3b262bd75074b72716
SHA1: 1b114a64226c6b3f7686dea4daaeff3bc8c4b4cf
SHA256: d8272fbe193ee73fecc58b8aafd9f15ecadc3e7bcb91b027a908df1a20ed2786
SHA512: 9184aab625a1859a83bf5edea1a86d7ec47e5c5596277ba37d8b5a3a1651081e4cbce14b156c50e13717f2ed4c5738e380c60e3f7fd3baff978a0031704d4f05
Memory dumps

memory/2964-215-0x0000000000630000-0x0000000000B20000-memory.dmp   Filesize: 4.9MB
memory/2964-3-0x00000000051D0000-0x00000000051D1000-memory.dmp     Filesize: 4KB
memory/2964-7-0x0000000000630000-0x0000000000B20000-memory.dmp     Filesize: 4.9MB
memory/2964-6-0x0000000000630000-0x0000000000B20000-memory.dmp     Filesize: 4.9MB
memory/2964-5-0x0000000000631000-0x000000000068C000-memory.dmp     Filesize: 364KB
memory/2964-2-0x00000000051B0000-0x00000000051B1000-memory.dmp     Filesize: 4KB
memory/2964-4-0x00000000051C0000-0x00000000051C1000-memory.dmp     Filesize: 4KB
memory/2964-214-0x0000000000630000-0x0000000000B20000-memory.dmp   Filesize: 4.9MB
memory/2964-0-0x0000000000630000-0x0000000000B20000-memory.dmp     Filesize: 4.9MB
memory/2964-217-0x0000000000630000-0x0000000000B20000-memory.dmp   Filesize: 4.9MB
memory/2964-219-0x0000000000630000-0x0000000000B20000-memory.dmp   Filesize: 4.9MB
memory/2964-56-0x0000000000630000-0x0000000000B20000-memory.dmp    Filesize: 4.9MB
memory/2964-221-0x0000000000630000-0x0000000000B20000-memory.dmp   Filesize: 4.9MB
memory/2964-224-0x0000000000630000-0x0000000000B20000-memory.dmp   Filesize: 4.9MB
memory/2964-226-0x0000000000630000-0x0000000000B20000-memory.dmp   Filesize: 4.9MB
memory/2964-229-0x0000000000630000-0x0000000000B20000-memory.dmp   Filesize: 4.9MB
memory/2964-232-0x0000000000630000-0x0000000000B20000-memory.dmp   Filesize: 4.9MB
memory/2964-235-0x0000000000630000-0x0000000000B20000-memory.dmp   Filesize: 4.9MB
memory/2964-238-0x0000000000630000-0x0000000000B20000-memory.dmp   Filesize: 4.9MB
memory/2964-240-0x0000000000630000-0x0000000000B20000-memory.dmp   Filesize: 4.9MB
memory/2964-243-0x0000000000630000-0x0000000000B20000-memory.dmp   Filesize: 4.9MB
memory/2964-249-0x0000000000630000-0x0000000000B20000-memory.dmp   Filesize: 4.9MB
memory/2964-251-0x0000000000630000-0x0000000000B20000-memory.dmp   Filesize: 4.9MB
memory/2964-1-0x00000000772D4000-0x00000000772D6000-memory.dmp     Filesize: 8KB