Overview

overview

10

Static

static

3

b341f1bc5a...18.exe

windows7-x64

10

b341f1bc5a...18.exe

windows10-2004-x64

10

$PLUGINSDI...ia.dll

windows7-x64

3

$PLUGINSDI...ia.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    145s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-06-2024 11:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b341f1bc5ac611eb57a63709a8cd6528_JaffaCakes118.exe

  • Size

    4.5MB

  • MD5

    b341f1bc5ac611eb57a63709a8cd6528

  • SHA1

    85ea543a2bdcb385a7fb45e611ea965174673f2a

  • SHA256

    6f5c319abad434df88f93e4068bd85781ccf125546cb6fac3b8d453b347be2f7

  • SHA512

    8915bb1501857b8d3367dbbd141d3795eb1cd72b9f7c006c68cdbdd159b910f2f1f3615da5bf6f346e9be8fcc934bff535adf144839a49e4a3bf011aee1d9d2e

  • SSDEEP

    98304:8U4tsSgLivtRXrIgDMd6nKhTvUWZsPm05:8paLisgoInqv1sPB

Score
10/10
cryptbotdiscoveryevasionspywarestealer

Malware Config

Extracted

Family

cryptbot

C2

bibinene02.top

moraass05.top

Signatures

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • CryptBot payload 20 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b341f1bc5ac611eb57a63709a8cd6528_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b341f1bc5ac611eb57a63709a8cd6528_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:4980
    • C:\Users\Admin\AppData\Local\Temp\sib4410.tmp\0\1.exe
      "C:\Users\Admin\AppData\Local\Temp\sib4410.tmp\0\1.exe" /s
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      PID:4624

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

5
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\lPQDbQz6B\_Files\_Information.txt
    Filesize

    7KB

    MD5

    70223d10b35d9849ec88a9906fe794d2

    SHA1

    15d204611fb3e764e696110b3837c05fd7446437

    SHA256

    70fcd37b0f248a964b0f072cc4196700c7c4937265a3966ac2163af46b7aa7e7

    SHA512

    eaf015591dc0b801a8516cd0af8dd8d201fac5ef5c00f34979413a912f48fc71fe196b85dc7b22339dbd02b232996cdd67996af7c9a6cab082ecbde48e8ed25e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\lPQDbQz6B\_Files\_Screen_Desktop.jpeg
    Filesize

    46KB

    MD5

    acf2dae909f0a45fd19b19a4300506ee

    SHA1

    daf4b00ad28b23ab5b6770bd7066e70873173d07

    SHA256

    32416da675acac70f4620637ac57f1eaef8820b16f8f0f586f9a264516a0af75

    SHA512

    334c30b87658cc8d9a50858ecb12236299932c4b432677845d4fff1dfe1ef6aecdfba721854bf75e1b845e1ac405f3e7f8dd5256b63a97686fe638fcd47288d9

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\lPQDbQz6B\files_\system_info.txt
    Filesize

    1KB

    MD5

    f20f1b5dd44042e8b15dbf801200a042

    SHA1

    9d1cdff0cd5a4cf06207fdea9598210f94884354

    SHA256

    0c1f535c69c2f3aa0bc69503240ca29940f8fc52420601c0f78941258b43d640

    SHA512

    6b73e9afff3b139e4c05c3aa6c3b4ab49e5b234a9540fdfc7843a4bbeb166431ff21823fa2edc9c85dfd3eb278273b45f4a9688017191caaed537a9fd95e767e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\lPQDbQz6B\files_\system_info.txt
    Filesize

    3KB

    MD5

    6b3d8672afdd29e1ff9cabb719f8603b

    SHA1

    e473e07e51fe9f1dbd90770818f74f7775053596

    SHA256

    53ca7855472c34ae894fce39ea9cfebf33db7c6f9437d59637caef6c3bd1eba7

    SHA512

    cbacd9c2c7e00ce86314b2ec68c2a661be4ef630e09d5369713e4c475b93d9b3711b579527d4769faa3271fbf5154183bbe7c10c1f735affa24edbf590a24dfb

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\lPQDbQz6B\files_\system_info.txt
    Filesize

    4KB

    MD5

    75fd629cce2ba43c8e42bd604cae4350

    SHA1

    728f8dff6f3268cabb4c7668cd1f085453f6f9c5

    SHA256

    b670c22cccc82288a45210027fbaf868aebf020ef3cbf9663e8c604f299af9ae

    SHA512

    9c7bf003531a902c49fb24f0b5f014ddf8e7d2040998d9236b090e1f9cfe793a0d9ebb1b9e69b97852fbabee42ef1f1498ac38d0c84357958fa5c2a29c3e4420

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\lPQDbQz6B\mVLZQZPEQ1khC.zip
    Filesize

    40KB

    MD5

    5997b7c25dcb67d76c8ec4d63334c495

    SHA1

    b8be163ca68710d2111cb62cb4305f1091cc7718

    SHA256

    e40bd1f961f6b492a86ec25be733372d4d23bbe26da643185f1c8857c925d773

    SHA512

    d0cc59e39ac0ebe8d36d5ff13584eb538d7ac4e5a409f14fdc268bfeecdcbe2a2b2f5cb0e956744687afeee434b62514c442d214d8a73693f90fa8d538eea7fc

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\lPQDbQz6B\tZAygA38ln.zip
    Filesize

    40KB

    MD5

    dc43a0c166f83d5d625160ea5a618f45

    SHA1

    9915bf09403419d7479332fa89e00e6d2ce7ee11

    SHA256

    b37295efc50d4e6d7e596e67007aa4058acb44d0fd48ed0f8785d7b737134d88

    SHA512

    8cb79828578fa186bb1a890234a63c2d178f1f415aa9eca771357f2bdd1083ae1c3708b3cc2d4d1915d61405f324c184f690fcf65188532b40a1f5057327b9d3

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\nso4363.tmp\Sibuia.dll
    Filesize

    524KB

    MD5

    6a3c3c97e92a5949f88311e80268bbb5

    SHA1

    48c11e3f694b468479bc2c978749d27b5d03faa2

    SHA256

    7938db73242aafbe80915e4ca886d38be9b7e872b93bdae1e8ee6cf4a005b7d9

    SHA512

    6141886a889825ccdfa59a419f7670a34ef240c4f90a83bc17223c415f2fbd983280e98e67485710e449746b5bf3284907537bef6ab698a48954dd4910ddf693

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\sib4410.tmp\0\1.exe
    Filesize

    2.4MB

    MD5

    d55493aeda49935e851a43faa9a3bac6

    SHA1

    7be85a17d9d7f0ab3beb1bb105d7a2c644d2f2b0

    SHA256

    658a35ce919defd6baf3811dd40570143d078a7370e09720d99f6fefbf1f2bab

    SHA512

    ac1586cff5ef44e1f8c00fc755c8e0a453c7fa988912bcf05470958f25167987eb47ff814fff07e8a364c1acb75dcdee59b21db0ba3fd485f3fce3816dee1793

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\sib4410.tmp\SibClr.dll
    Filesize

    51KB

    MD5

    5ea6d2ffeb1be3fc0571961d0c4c2b5f

    SHA1

    902dfe9ae735c83fb0cb46b3e110bbf2aa80209e

    SHA256

    508336b6a7c3226738e74f6ce969e828da904ad9f7610b9112f883a316ee9222

    SHA512

    e81657087f451a37f06a07bf84175117fdaf75d5d8b84cbdc49497fcf88f96e259074518ea3037680d27c9eaeebd7a8df496297593fead88d7edea202a572585

    Download Submit
  • memory/4624-25-0x0000000005740000-0x0000000005741000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4624-270-0x0000000000E20000-0x0000000001377000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/4624-26-0x0000000005760000-0x0000000005761000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4624-28-0x0000000000E21000-0x0000000000E7C000-memory.dmp
    Filesize

    364KB

    Download
  • memory/4624-29-0x0000000000E20000-0x0000000001377000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/4624-30-0x0000000000E20000-0x0000000001377000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/4624-24-0x0000000077524000-0x0000000077526000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4624-23-0x0000000000E20000-0x0000000001377000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/4624-138-0x0000000000E20000-0x0000000001377000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/4624-290-0x0000000000E20000-0x0000000001377000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/4624-287-0x0000000000E20000-0x0000000001377000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/4624-285-0x0000000000E20000-0x0000000001377000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/4624-246-0x0000000000E20000-0x0000000001377000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/4624-283-0x0000000000E20000-0x0000000001377000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/4624-277-0x0000000000E20000-0x0000000001377000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/4624-250-0x0000000000E20000-0x0000000001377000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/4624-251-0x0000000000E20000-0x0000000001377000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/4624-252-0x0000000000E20000-0x0000000001377000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/4624-273-0x0000000000E20000-0x0000000001377000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/4624-254-0x0000000000E20000-0x0000000001377000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/4624-256-0x0000000000E20000-0x0000000001377000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/4624-259-0x0000000000E20000-0x0000000001377000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/4624-261-0x0000000000E20000-0x0000000001377000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/4624-264-0x0000000000E20000-0x0000000001377000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/4624-268-0x0000000000E20000-0x0000000001377000-memory.dmp
    Filesize

    5.3MB

    Download
  • memory/4624-27-0x0000000005750000-0x0000000005751000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4980-14-0x0000000010CB0000-0x0000000010CC2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4980-248-0x0000000073D00000-0x00000000744B0000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4980-247-0x0000000073D0E000-0x0000000073D0F000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4980-15-0x0000000010CD0000-0x0000000010D8A000-memory.dmp
    Filesize

    744KB

    Download
  • memory/4980-10-0x0000000073D0E000-0x0000000073D0F000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4980-16-0x0000000073D00000-0x00000000744B0000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4980-19-0x0000000073D00000-0x00000000744B0000-memory.dmp
    Filesize

    7.7MB

    Download