Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 16-06-2024 11:24
Static task
static1
Behavioral tasks
behavioral1: b341f1bc5ac611eb57a63709a8cd6528_JaffaCakes118.exe on win7-20240220-en
behavioral2: b341f1bc5ac611eb57a63709a8cd6528_JaffaCakes118.exe on win10v2004-20240611-en
behavioral3: $PLUGINSDIR/Sibuia.dll on win7-20240508-en
behavioral4: $PLUGINSDIR/Sibuia.dll on win10v2004-20240611-en
General
Target: b341f1bc5ac611eb57a63709a8cd6528_JaffaCakes118.exe
Size: 4.5MB
MD5: b341f1bc5ac611eb57a63709a8cd6528
SHA1: 85ea543a2bdcb385a7fb45e611ea965174673f2a
SHA256: 6f5c319abad434df88f93e4068bd85781ccf125546cb6fac3b8d453b347be2f7
SHA512: 8915bb1501857b8d3367dbbd141d3795eb1cd72b9f7c006c68cdbdd159b910f2f1f3615da5bf6f346e9be8fcc934bff535adf144839a49e4a3bf011aee1d9d2e
SSDEEP: 98304:8U4tsSgLivtRXrIgDMd6nKhTvUWZsPm05:8paLisgoInqv1sPB
Malware Config
Extracted
family: cryptbot
domains: bibinene02.top, moraass05.top
Signatures
CryptBot payload (15 IoCs)
YARA rule family_cryptbot matched in process 1.exe (PID 2636), memory region 0x0000000000CB0000-0x0000000001207000, in dumps behavioral1/memory/2636-253, -255, -258, -261, -264, -266, -269, -271, -273, -275, -278, -280, -282, -284 and -287 (each named 2636-<n>-0x0000000000CB0000-0x0000000001207000-memory.dmp).
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
Process 1.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Process 1.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Process 1.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Executes dropped EXE (1 IoC)
PID 2636: 1.exe
Identifies Wine through registry keys (2 TTPs, 1 IoC)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Process 1.exe: Key opened \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Wine
Loads dropped DLL (7 IoCs)
PID 2072: b341f1bc5ac611eb57a63709a8cd6528_JaffaCakes118.exe (4 loads)
PID 2636: 1.exe (3 loads)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
NtSetInformationThread with the ThreadHideFromDebugger class (0x11) stops the calling thread from reporting debug events to an attached debugger, a common anti-debugging measure.
PID 2636: 1.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Process 1.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Process 1.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Suspicious behavior: EnumeratesProcesses (1 IoC)
PID 2636: 1.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
PID 2636: 1.exe (2 events)
Suspicious use of WriteProcessMemory (7 IoCs)
PID 2072 (b341f1bc5ac611eb57a63709a8cd6528_JaffaCakes118.exe) wrote to memory of PID 2636 (1.exe), 7 events
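The VirtualBox ACPI, BIOS, Wine and processor-information signatures above are all plain registry reads by 1.exe, and a reviewer usually wants them grouped per process rather than read one signature at a time. The Python below is an added example, not part of the sandbox report or its rule set: it parses event lines in the report's "description ioc process" layout and buckets them by the kind of check they represent. The sample events are constructed from the IoCs listed above plus two lines that are assumptions (an Uninstall-key read, which the "Checks installed software" signature describes without listing a path, and a benign CurrentVersion read as a negative case); the category names, regular expressions and the two-category threshold are the example's own choices.

```python
"""Group sandbox registry-access IoCs by anti-analysis category.

Added example; the event lines are constructed to mirror the report's
signature tables (process 1.exe, PID 2636) and the rule set is illustrative.
"""
import re
from collections import defaultdict

# Constructed sample in the report's "description ioc process" layout.
# The last two lines are assumptions, not IoCs listed on the page.
SAMPLE_EVENTS = r"""
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 1.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 1.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 1.exe
Key opened \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Wine 1.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 1.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 1.exe
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall 1.exe
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion 1.exe
"""

# (category, pattern over the registry path); first match wins.  The VBOX__,
# *BiosVersion, Software\Wine and CentralProcessor paths come from the report;
# the other ACPI table names and the Uninstall rule are the example's own.
RULES = [
    ("anti-vm: VirtualBox ACPI table",
     re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I)),
    ("anti-sandbox: BIOS version strings",
     re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I)),
    ("anti-sandbox: Wine environment",
     re.compile(r"\\Software\\Wine$", re.I)),
    ("anti-sandbox: CPU fingerprint",
     re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\", re.I)),
    ("discovery: installed software",
     re.compile(r"\\CurrentVersion\\Uninstall", re.I)),
]

# action, registry path (may contain spaces, hence non-greedy), process name.
EVENT_RE = re.compile(
    r"^(?P<action>Key opened|Key value queried)\s+(?P<path>\\REGISTRY\\.+?)\s+(?P<proc>\S+)$"
)


def parse_event(line):
    """Return {'action','path','proc'} for one IoC line, or None if it does not parse."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(path):
    """Return the first matching category for a registry path, or None."""
    for category, rx in RULES:
        if rx.search(path):
            return category
    return None


def summarize(text):
    """Return {process: {category: [paths]}} for every event that matched a rule."""
    out = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        category = classify(ev["path"])
        if category:
            out[ev["proc"]][category].append(ev["path"])
    return {proc: dict(cats) for proc, cats in out.items()}


def verdict(summary, proc):
    """(number of distinct anti-* categories, flagged) using a two-category threshold."""
    anti = [c for c in summary.get(proc, {}) if c.startswith("anti-")]
    return len(anti), len(anti) >= 2


if __name__ == "__main__":
    summary = summarize(SAMPLE_EVENTS)
    for proc, cats in summary.items():
        n, flagged = verdict(summary, proc)
        print(f"{proc}: {n} anti-analysis categories, flagged={flagged}")
        for category, paths in cats.items():
            for p in paths:
                print(f"  [{category}] {p}")
```

Counting distinct categories rather than raw events keeps a single BIOS read from tripping the verdict on its own; the threshold is deliberately low because any one of these reads is also ordinary inventory behaviour, so the value is in the combination, as it is for 1.exe here.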
Processes
C:\Users\Admin\AppData\Local\Temp\b341f1bc5ac611eb57a63709a8cd6528_JaffaCakes118.exe (PID 2072)
  command line: "C:\Users\Admin\AppData\Local\Temp\b341f1bc5ac611eb57a63709a8cd6528_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  child: C:\Users\Admin\AppData\Local\Temp\sib197C.tmp\0\1.exe (PID 2636)
    command line: "C:\Users\Admin\AppData\Local\Temp\sib197C.tmp\0\1.exe" /s
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
Downloads
C:\Users\Admin\AppData\Local\Temp\PMkoSqEF30\_Files\_Information.txt
Filesize: 8KB
MD5: 690838de4741c3b48eed461562cc14ab
SHA1: 5f361615de478c9be4fd7923d7fafb607c0cd939
SHA256: e6be7e5b1e2b930c3c7b43d62e23d3b78ba63e6aa61fdb279d1383939df1d9fe
SHA512: 7e3eb01758488a6d475bd42724e9aadf76a17dc2f88f2d3769038130474b707341f1730acc837142681592d54b91142ce117f23628f09ba02259ba051ef161cf

C:\Users\Admin\AppData\Local\Temp\PMkoSqEF30\_Files\_Screen_Desktop.jpeg
Filesize: 45KB
MD5: 7a1df2d196f9e9f8ea7b0a13fef09812
SHA1: bff81c694e8f1a9d320b3ffa497f83c304a7a411
SHA256: c75a2f044adc6fc90b42585ef4a1d302fec1830c76444fa10a692ac752b90312
SHA512: 44d531d46eba1ecdb7bc2a6b60d03436e12aa9857b1555bbcf59a3ff744d0fd3c9b9a7b7b14acd85bc8d114bfc3ea6d843ca03ed7b5ec6258ac2b57b43672a23

C:\Users\Admin\AppData\Local\Temp\PMkoSqEF30\files_\system_info.txt
Filesize: 1KB
MD5: d81f8068998bb3aac7b0e1ed25542389
SHA1: 9f839d80f49ef446d002a2dc9dede2d957f2e09c
SHA256: 13cd97ed34cd03de7777488424ce1c8aff9b66a8399a23d59a4a07729caec446
SHA512: 5b9d55451ed8bb1cbec96e6f16a551c020cff8fe57bad053dd293cf021812038ac9b1653f9926ea6a76a89dc2f32f7d8602a0fd7ea71f6972b68d68873cf302e

C:\Users\Admin\AppData\Local\Temp\PMkoSqEF30\files_\system_info.txt
Filesize: 8KB
MD5: a416a190a420f788398ea4659f90419b
SHA1: bafc0eb7f815cb01a46af437e8b4d2ba5604c5d6
SHA256: 76f189ad3f44c86dc5247e9d53819eecd7e7cc49f17a378c2279bc3b2a130fed
SHA512: 4af9bd611b803161540d5fa23ea2f331824e28a39c39601eb8beec9c54ea348d65a200ecc5e487a45219f82d9fed91a80601e9d172bd5220fa78a033d0603cf1

C:\Users\Admin\AppData\Local\Temp\PMkoSqEF30\qmYd7kFcvO.zip
Filesize: 38KB
MD5: bf16526e5d325aaf5cf341ec10760d6d
SHA1: 0da06d7e1e21ecec1b38da04c6e39e41a99c3cde
SHA256: 58307b173716e77682e5d11a51bf25214691ecc29bfcaac1a61c15a26d82858c
SHA512: f7f71c0f504e8bb457a13cc5a207f01e66a7c6944ad806f0cbcf9c2b4b238b29d4ebd63a2e451f218e21fe96385e233ad1f3111c6b1018a9c5f308c06578d83f

C:\Users\Admin\AppData\Local\Temp\nsi18BF.tmp\Sibuia.dll
Filesize: 524KB
MD5: 6a3c3c97e92a5949f88311e80268bbb5
SHA1: 48c11e3f694b468479bc2c978749d27b5d03faa2
SHA256: 7938db73242aafbe80915e4ca886d38be9b7e872b93bdae1e8ee6cf4a005b7d9
SHA512: 6141886a889825ccdfa59a419f7670a34ef240c4f90a83bc17223c415f2fbd983280e98e67485710e449746b5bf3284907537bef6ab698a48954dd4910ddf693

\Users\Admin\AppData\Local\Temp\sib197C.tmp\0\1.exe
Filesize: 2.4MB
MD5: d55493aeda49935e851a43faa9a3bac6
SHA1: 7be85a17d9d7f0ab3beb1bb105d7a2c644d2f2b0
SHA256: 658a35ce919defd6baf3811dd40570143d078a7370e09720d99f6fefbf1f2bab
SHA512: ac1586cff5ef44e1f8c00fc755c8e0a453c7fa988912bcf05470958f25167987eb47ff814fff07e8a364c1acb75dcdee59b21db0ba3fd485f3fce3816dee1793

\Users\Admin\AppData\Local\Temp\sib197C.tmp\SibClr.dll
Filesize: 51KB
MD5: 5ea6d2ffeb1be3fc0571961d0c4c2b5f
SHA1: 902dfe9ae735c83fb0cb46b3e110bbf2aa80209e
SHA256: 508336b6a7c3226738e74f6ce969e828da904ad9f7610b9112f883a316ee9222
SHA512: e81657087f451a37f06a07bf84175117fdaf75d5d8b84cbdc49497fcf88f96e259074518ea3037680d27c9eaeebd7a8df496297593fead88d7edea202a572585
memory/2072-23-0x000000001D1A0000-0x000000001D6F7000-memory.dmp  Filesize: 5.3MB
memory/2072-15-0x000000000EF50000-0x000000000F00A000-memory.dmp  Filesize: 744KB
memory/2072-10-0x000000007430E000-0x000000007430F000-memory.dmp  Filesize: 4KB
memory/2072-20-0x0000000074300000-0x00000000749EE000-memory.dmp  Filesize: 6.9MB
memory/2072-252-0x0000000074300000-0x00000000749EE000-memory.dmp  Filesize: 6.9MB
memory/2072-251-0x000000007430E000-0x000000007430F000-memory.dmp  Filesize: 4KB
memory/2072-14-0x0000000003140000-0x0000000003152000-memory.dmp  Filesize: 72KB
memory/2072-19-0x0000000074300000-0x00000000749EE000-memory.dmp  Filesize: 6.9MB
memory/2072-16-0x0000000074300000-0x00000000749EE000-memory.dmp  Filesize: 6.9MB
memory/2636-257-0x00000000013D0000-0x0000000001927000-memory.dmp  Filesize: 5.3MB
memory/2636-264-0x0000000000CB0000-0x0000000001207000-memory.dmp  Filesize: 5.3MB
memory/2636-33-0x00000000779C0000-0x00000000779C2000-memory.dmp  Filesize: 8KB
memory/2636-31-0x00000000013D0000-0x0000000001927000-memory.dmp  Filesize: 5.3MB
memory/2636-253-0x0000000000CB0000-0x0000000001207000-memory.dmp  Filesize: 5.3MB
memory/2636-255-0x0000000000CB0000-0x0000000001207000-memory.dmp  Filesize: 5.3MB
memory/2636-32-0x00000000013D0000-0x0000000001927000-memory.dmp  Filesize: 5.3MB
memory/2636-258-0x0000000000CB0000-0x0000000001207000-memory.dmp  Filesize: 5.3MB
memory/2636-259-0x00000000013D0000-0x0000000001927000-memory.dmp  Filesize: 5.3MB
memory/2636-30-0x00000000013D0000-0x0000000001927000-memory.dmp  Filesize: 5.3MB
memory/2636-261-0x0000000000CB0000-0x0000000001207000-memory.dmp  Filesize: 5.3MB
memory/2636-34-0x0000000000CB1000-0x0000000000D0C000-memory.dmp  Filesize: 364KB
memory/2636-266-0x0000000000CB0000-0x0000000001207000-memory.dmp  Filesize: 5.3MB
memory/2636-269-0x0000000000CB0000-0x0000000001207000-memory.dmp  Filesize: 5.3MB
memory/2636-271-0x0000000000CB0000-0x0000000001207000-memory.dmp  Filesize: 5.3MB
memory/2636-273-0x0000000000CB0000-0x0000000001207000-memory.dmp  Filesize: 5.3MB
memory/2636-275-0x0000000000CB0000-0x0000000001207000-memory.dmp  Filesize: 5.3MB
memory/2636-278-0x0000000000CB0000-0x0000000001207000-memory.dmp  Filesize: 5.3MB
memory/2636-280-0x0000000000CB0000-0x0000000001207000-memory.dmp  Filesize: 5.3MB
memory/2636-282-0x0000000000CB0000-0x0000000001207000-memory.dmp  Filesize: 5.3MB
memory/2636-284-0x0000000000CB0000-0x0000000001207000-memory.dmp  Filesize: 5.3MB
memory/2636-287-0x0000000000CB0000-0x0000000001207000-memory.dmp  Filesize: 5.3MB