Overview

overview

10

Static

static

3

b341f1bc5a...18.exe

windows7-x64

10

b341f1bc5a...18.exe

windows10-2004-x64

10

$PLUGINSDI...ia.dll

windows7-x64

3

$PLUGINSDI...ia.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    16-06-2024 11:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b341f1bc5ac611eb57a63709a8cd6528_JaffaCakes118.exe

  • Size

    4.5MB

  • MD5

    b341f1bc5ac611eb57a63709a8cd6528

  • SHA1

    85ea543a2bdcb385a7fb45e611ea965174673f2a

  • SHA256

    6f5c319abad434df88f93e4068bd85781ccf125546cb6fac3b8d453b347be2f7

  • SHA512

    8915bb1501857b8d3367dbbd141d3795eb1cd72b9f7c006c68cdbdd159b910f2f1f3615da5bf6f346e9be8fcc934bff535adf144839a49e4a3bf011aee1d9d2e

  • SSDEEP

    98304:8U4tsSgLivtRXrIgDMd6nKhTvUWZsPm05:8paLisgoInqv1sPB

Score
10/10
cryptbotdiscoveryevasionspywarestealer

Malware Config

Extracted

Family

cryptbot

C2

bibinene02.top

moraass05.top

Signatures

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • CryptBot payload 15 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 7 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b341f1bc5ac611eb57a63709a8cd6528_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b341f1bc5ac611eb57a63709a8cd6528_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2072
    • C:\Users\Admin\AppData\Local\Temp\sib197C.tmp\0\1.exe
      "C:\Users\Admin\AppData\Local\Temp\sib197C.tmp\0\1.exe" /s
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Loads dropped DLL
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      PID:2636

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

5
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\PMkoSqEF30\_Files\_Information.txt
    Filesize

    8KB

    MD5

    690838de4741c3b48eed461562cc14ab

    SHA1

    5f361615de478c9be4fd7923d7fafb607c0cd939

    SHA256

    e6be7e5b1e2b930c3c7b43d62e23d3b78ba63e6aa61fdb279d1383939df1d9fe

    SHA512

    7e3eb01758488a6d475bd42724e9aadf76a17dc2f88f2d3769038130474b707341f1730acc837142681592d54b91142ce117f23628f09ba02259ba051ef161cf

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\PMkoSqEF30\_Files\_Screen_Desktop.jpeg
    Filesize

    45KB

    MD5

    7a1df2d196f9e9f8ea7b0a13fef09812

    SHA1

    bff81c694e8f1a9d320b3ffa497f83c304a7a411

    SHA256

    c75a2f044adc6fc90b42585ef4a1d302fec1830c76444fa10a692ac752b90312

    SHA512

    44d531d46eba1ecdb7bc2a6b60d03436e12aa9857b1555bbcf59a3ff744d0fd3c9b9a7b7b14acd85bc8d114bfc3ea6d843ca03ed7b5ec6258ac2b57b43672a23

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\PMkoSqEF30\files_\system_info.txt
    Filesize

    1KB

    MD5

    d81f8068998bb3aac7b0e1ed25542389

    SHA1

    9f839d80f49ef446d002a2dc9dede2d957f2e09c

    SHA256

    13cd97ed34cd03de7777488424ce1c8aff9b66a8399a23d59a4a07729caec446

    SHA512

    5b9d55451ed8bb1cbec96e6f16a551c020cff8fe57bad053dd293cf021812038ac9b1653f9926ea6a76a89dc2f32f7d8602a0fd7ea71f6972b68d68873cf302e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\PMkoSqEF30\files_\system_info.txt
    Filesize

    8KB

    MD5

    a416a190a420f788398ea4659f90419b

    SHA1

    bafc0eb7f815cb01a46af437e8b4d2ba5604c5d6

    SHA256

    76f189ad3f44c86dc5247e9d53819eecd7e7cc49f17a378c2279bc3b2a130fed

    SHA512

    4af9bd611b803161540d5fa23ea2f331824e28a39c39601eb8beec9c54ea348d65a200ecc5e487a45219f82d9fed91a80601e9d172bd5220fa78a033d0603cf1

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\PMkoSqEF30\qmYd7kFcvO.zip
    Filesize

    38KB

    MD5

    bf16526e5d325aaf5cf341ec10760d6d

    SHA1

    0da06d7e1e21ecec1b38da04c6e39e41a99c3cde

    SHA256

    58307b173716e77682e5d11a51bf25214691ecc29bfcaac1a61c15a26d82858c

    SHA512

    f7f71c0f504e8bb457a13cc5a207f01e66a7c6944ad806f0cbcf9c2b4b238b29d4ebd63a2e451f218e21fe96385e233ad1f3111c6b1018a9c5f308c06578d83f

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\nsi18BF.tmp\Sibuia.dll
    Filesize

    524KB

    MD5

    6a3c3c97e92a5949f88311e80268bbb5

    SHA1

    48c11e3f694b468479bc2c978749d27b5d03faa2

    SHA256

    7938db73242aafbe80915e4ca886d38be9b7e872b93bdae1e8ee6cf4a005b7d9

    SHA512

    6141886a889825ccdfa59a419f7670a34ef240c4f90a83bc17223c415f2fbd983280e98e67485710e449746b5bf3284907537bef6ab698a48954dd4910ddf693

    Download Submit
  • \Users\Admin\AppData\Local\Temp\sib197C.tmp\0\1.exe
    Filesize

    2.4MB

    MD5

    d55493aeda49935e851a43faa9a3bac6

    SHA1

    7be85a17d9d7f0ab3beb1bb105d7a2c644d2f2b0

    SHA256

    658a35ce919defd6baf3811dd40570143d078a7370e09720d99f6fefbf1f2bab

    SHA512

    ac1586cff5ef44e1f8c00fc755c8e0a453c7fa988912bcf05470958f25167987eb47ff814fff07e8a364c1acb75dcdee59b21db0ba3fd485f3fce3816dee1793

    Download Submit
  • \Users\Admin\AppData\Local\Temp\sib197C.tmp\SibClr.dll
    Filesize

    51KB

    MD5

    5ea6d2ffeb1be3fc0571961d0c4c2b5f

    SHA1

    902dfe9ae735c83fb0cb46b3e110bbf2aa80209e

    SHA256

    508336b6a7c3226738e74f6ce969e828da904ad9f7610b9112f883a316ee9222

    SHA512

    e81657087f451a37f06a07bf84175117fdaf75d5d8b84cbdc49497fcf88f96e259074518ea3037680d27c9eaeebd7a8df496297593fead88d7edea202a572585

    Download Submit
  • memory/2072-23-0x000000001D1A0000-0x000000001D6F7000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/2072-15-0x000000000EF50000-0x000000000F00A000-memory.dmp
    Filesize

    744KB

    Download
  • memory/2072-10-0x000000007430E000-0x000000007430F000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2072-20-0x0000000074300000-0x00000000749EE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2072-252-0x0000000074300000-0x00000000749EE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2072-251-0x000000007430E000-0x000000007430F000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2072-14-0x0000000003140000-0x0000000003152000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2072-19-0x0000000074300000-0x00000000749EE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2072-16-0x0000000074300000-0x00000000749EE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2636-257-0x00000000013D0000-0x0000000001927000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/2636-264-0x0000000000CB0000-0x0000000001207000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/2636-33-0x00000000779C0000-0x00000000779C2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2636-31-0x00000000013D0000-0x0000000001927000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/2636-253-0x0000000000CB0000-0x0000000001207000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/2636-255-0x0000000000CB0000-0x0000000001207000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/2636-32-0x00000000013D0000-0x0000000001927000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/2636-258-0x0000000000CB0000-0x0000000001207000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/2636-259-0x00000000013D0000-0x0000000001927000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/2636-30-0x00000000013D0000-0x0000000001927000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/2636-261-0x0000000000CB0000-0x0000000001207000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/2636-34-0x0000000000CB1000-0x0000000000D0C000-memory.dmp
    Filesize

    364KB

    Download
  • memory/2636-266-0x0000000000CB0000-0x0000000001207000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/2636-269-0x0000000000CB0000-0x0000000001207000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/2636-271-0x0000000000CB0000-0x0000000001207000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/2636-273-0x0000000000CB0000-0x0000000001207000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/2636-275-0x0000000000CB0000-0x0000000001207000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/2636-278-0x0000000000CB0000-0x0000000001207000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/2636-280-0x0000000000CB0000-0x0000000001207000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/2636-282-0x0000000000CB0000-0x0000000001207000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/2636-284-0x0000000000CB0000-0x0000000001207000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/2636-287-0x0000000000CB0000-0x0000000001207000-memory.dmp
    Filesize

    5.3MB

    Download