Overview

overview

10

Static

static

3

ac7e35bcbf...18.exe

windows7-x64

10

ac7e35bcbf...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    15-06-2024 01:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ac7e35bcbfd470a51f449556aa1fbe9e_JaffaCakes118.exe

  • Size

    2.1MB

  • MD5

    ac7e35bcbfd470a51f449556aa1fbe9e

  • SHA1

    7dd5876685e9ca21f8ff5098242ead93b8423d36

  • SHA256

    637b36fdc2cb3c6b930fd6ed725211a6f71d4be69f51d78330d6010305b255ac

  • SHA512

    4ed25e226970b4fc12f08a605a7066291929499926c920731c34be476947d987f659f61869daa08c0bf9dfdddcc78f449b2477f4f792eef3ea022e32a2732d53

  • SSDEEP

    49152:vmKgSdJRVHOOoZ/25dTtON+3AFKUstkqpZjv8bnNX:eKgSdJnOOoZen40IKUKRANX

Score
10/10
cryptbotdiscoveryevasionspywarestealer

Malware Config

Extracted

Family

cryptbot

C2

bibinene03.top

moraass05.top

Signatures

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • CryptBot payload 22 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ac7e35bcbfd470a51f449556aa1fbe9e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ac7e35bcbfd470a51f449556aa1fbe9e_JaffaCakes118.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    PID:2128

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

5
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Pmfdz1RciK\G5FyYiQN6OI.zip
    Filesize

    22KB

    MD5

    532971f7c6a60ff6be5df427b70ea771

    SHA1

    27b8368a9448ee1fa4eb3f1e739bdd0449a2969f

    SHA256

    3397d305a396b15848210e45e865ee08012eddff5b16cce3266b58d6ef4b13dc

    SHA512

    1d6896244967e9632573f6b44287093cde28e6e8025929cd0ee01580c6ab0cef34bf01c100c64e7abea0f2586b005a250e65c8368471c14f78f41dc2e0642815

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Pmfdz1RciK\_Files\_Information.txt
    Filesize

    8KB

    MD5

    6899c61035fce2498ab6c78e0385224f

    SHA1

    cf9a8263c952122f2968315ac2f8c102bf5b190a

    SHA256

    d1faaeadb87b9c0990c505443d827f8a65d081d33b102a367ae053e7bceda446

    SHA512

    58f4d0d07b56a6d41c2da6e47f0fd014239e9a623c608a5fb91be208ab17b623ea43be8ee5e2581c6cadb89aa4b5ae38252d19a10c24d70f11c371ecd28a2519

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Pmfdz1RciK\_Files\_Screen_Desktop.jpeg
    Filesize

    30KB

    MD5

    63d209a8d06f9031c0bb81b2a94768bc

    SHA1

    826e541dbad136c9390b5d69022e657803f16bcc

    SHA256

    ee0eaeb15d9efcd295e2601d8cfc250362ff56691ce2b75fdf336f6617b729f3

    SHA512

    813e3bf1b63eaffaeaa9b216f76492053ccd7608ed7c3d63b3a3cae8cb0ba1896003844efb916c0508b11aada0922aeb2a47584ce8f27400d4d381a03353b800

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Pmfdz1RciK\files_\system_info.txt
    Filesize

    2KB

    MD5

    363b8461d6b84056161bf795dc4b2a98

    SHA1

    d2fdb60dcd03dae0d92708f5d92fcbd46aadbef8

    SHA256

    13ca7a1233a2ce6dc9f1c772b64ddb512f09a55449eec6024e238ca3e11d117b

    SHA512

    bb1570fabf07ba684b6ad60f580fbd1c4ad44051052b48b1a45cb31fa6f629e70c4ea785b9741250196b72037f52385d9feb554c38d1f26e7013fd9defa9a154

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Pmfdz1RciK\files_\system_info.txt
    Filesize

    3KB

    MD5

    6f21a501f0feba7e6345aa6e7c7f8677

    SHA1

    b4d768dd210b594e15658d67f3c379e7cf20d3b5

    SHA256

    61c311d7d3053ea57e22c8325a48ab36773104fd70891c64616c7d39b73a50d2

    SHA512

    5757f6874cd0045bded24c1c8c9995d2483fd99cf0d6bbaa80061ad565d6dab184c5074a2faba84d02a5f9c8880cfbdeb63b2eee5c1142465c6c43e93561484c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Pmfdz1RciK\files_\system_info.txt
    Filesize

    5KB

    MD5

    c5c5ee223afb1a0710fc3cbbc7be5b21

    SHA1

    eac368b177661acfae41d4a8ff01e1f10e82f47a

    SHA256

    8c76f6f74800be11fa061898cd79b3d8812642e912e519b23bd2f4b5b16aeb80

    SHA512

    8dbdbf105369f0c17dc36e00d30900f3c9a4ce1b50d462f952f82796d3757a439ff562e3c7da2818682a48fed46be6057c0abfe123f826df1e386c20f87c1ee1

    Download Submit
  • memory/2128-230-0x0000000001200000-0x000000000170B000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2128-234-0x0000000001200000-0x000000000170B000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2128-8-0x0000000001201000-0x000000000125C000-memory.dmp
    Filesize

    364KB

    Download
  • memory/2128-9-0x0000000001200000-0x000000000170B000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2128-10-0x0000000001200000-0x000000000170B000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2128-119-0x0000000001200000-0x000000000170B000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2128-6-0x0000000000BC0000-0x0000000000BC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2128-5-0x0000000000E40000-0x0000000000E41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2128-2-0x0000000000A90000-0x0000000000A91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2128-4-0x0000000000CD0000-0x0000000000CD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2128-3-0x0000000000710000-0x0000000000711000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2128-228-0x0000000001200000-0x000000000170B000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2128-0-0x0000000001200000-0x000000000170B000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2128-231-0x0000000001200000-0x000000000170B000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2128-232-0x0000000001200000-0x000000000170B000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2128-7-0x00000000004D0000-0x00000000004D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2128-235-0x0000000001200000-0x000000000170B000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2128-1-0x0000000077260000-0x0000000077262000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2128-237-0x0000000001200000-0x000000000170B000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2128-238-0x0000000001200000-0x000000000170B000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2128-240-0x0000000001200000-0x000000000170B000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2128-243-0x0000000001200000-0x000000000170B000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2128-245-0x0000000001200000-0x000000000170B000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2128-247-0x0000000001200000-0x000000000170B000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2128-250-0x0000000001200000-0x000000000170B000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2128-252-0x0000000001200000-0x000000000170B000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2128-254-0x0000000001200000-0x000000000170B000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2128-256-0x0000000001200000-0x000000000170B000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2128-259-0x0000000001200000-0x000000000170B000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2128-261-0x0000000001200000-0x000000000170B000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2128-263-0x0000000001200000-0x000000000170B000-memory.dmp
    Filesize

    5.0MB

    Download