Analysis
- max time kernel: 147s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-06-2024 06:52

Static task: static1
Behavioral task: behavioral1
Sample: 150cc6fff4a7fca07ff09a3e37fb7828_JaffaCakes118.exe
Resource: win10v2004-20240508-en

General
- Target: 150cc6fff4a7fca07ff09a3e37fb7828_JaffaCakes118.exe
- Size: 1.7MB
- MD5: 150cc6fff4a7fca07ff09a3e37fb7828
- SHA1: 0a77ae0762093dedebf497aae917c1bd29ec6407
- SHA256: f0f167b361376dc23b604f18e3642c459368c71e8e030e00170d5db431ceb45c
- SHA512: 8246091ed11c659f7f8a3f5cf4df448d6632e62644662fddef29301f6ad82ba7c409682e238fec6bd07e95e17f5318b3351cb0e529b8b542ef126985bc070afd
- SSDEEP: 49152:YmS7T6hb8lMKMDQzPFRUmN1lU5XUM8y+90O:C7TQb8+KbzPFRUm9U5kdP
Malware Config
Signatures
- CryptBot payload (3 IoCs)
  YARA rule family_cryptbot matched in behavioral1 on:
    memory/4412-25-0x00000000007D0000-0x00000000008B3000-memory.dmp
    memory/4412-27-0x00000000007D0000-0x00000000008B3000-memory.dmp
    memory/4412-26-0x00000000007D0000-0x00000000008B3000-memory.dmp
- Manipulates Digital Signatures (1 TTPs, 3 IoCs)
  Attackers can alter Authenticode and Cryptography registry keys so that their binary is accepted as validly signed.
  Caveat for this run: all three writes come from certutil.exe and only set display names for Microsoft's own root-program OIDs (1.3.6.1.4.1.311.60.3.1 to .3) under CryptDllFindOIDInfo. certutil registers these OID names itself on start-up, so the entries are a side effect of the certutil -decode calls in the process tree, not evidence that signature validation was tampered with. The behaviour worth acting on is certutil being used as a base64 decoder for dropped payloads.
  Processes: certutil.exe
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION"
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION"
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL"
- Executes dropped EXE (2 IoCs)
  Processes:
    PID 5108 Impaziente.com
    PID 4412 Impaziente.com
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 150cc6fff4a7fca07ff09a3e37fb7828_JaffaCakes118.exe
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Caveat: a RunOnce value named wextract_cleanup0 that calls advpack.dll,DelNodeRunDLL32 is the standard clean-up entry written by the Windows IExpress/WExtract self-extractor. It deletes the IXP000.TMP extraction directory at the next logon; it does not relaunch the malware, so this is not persistence. What it does tell the analyst is that the dropper is an IExpress-built self-extracting archive, which is why every dropped file below lives under IXP000.TMP.
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: Impaziente.com
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
    Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
    PID 4412 Impaziente.com (recorded twice)
- Suspicious use of WriteProcessMemory (27 IoCs)
  Each parent-to-child write below was recorded three times (the sandbox logs three writes per spawned child), so each pair is listed once with its count:
    PID 2328 150cc6fff4a7fca07ff09a3e37fb7828_JaffaCakes118.exe wrote to 2100 cmd.exe (x3)
    PID 2328 150cc6fff4a7fca07ff09a3e37fb7828_JaffaCakes118.exe wrote to 2064 cmd.exe (x3)
    PID 2064 cmd.exe wrote to 1472 certutil.exe (x3)
    PID 2064 cmd.exe wrote to 2824 cmd.exe (x3)
    PID 2824 cmd.exe wrote to 1008 findstr.exe (x3)
    PID 2824 cmd.exe wrote to 992 certutil.exe (x3)
    PID 2824 cmd.exe wrote to 5108 Impaziente.com (x3)
    PID 2824 cmd.exe wrote to 832 PING.EXE (x3)
    PID 5108 Impaziente.com wrote to 4412 Impaziente.com (x3)
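As an added example that is not part of the Triage report, the heuristics behind the signatures above can be turned into detection logic over process-creation events. The Python below rebuilds this sample's process tree as constructed Sysmon-style records (the pid/ppid/image/cmdline layout, and the parent PID 1000 of the dropper, are assumptions; the other PIDs and command lines are taken from this report) and groups rule hits per process tree, so that one stray certutil -decode does not page on its own while the full cmd/certutil/findstr/ping staging chain does:

```python
"""Added example, not part of the sandbox report: score Sysmon-style process-creation
events for the cmd/certutil/findstr/ping staging chain shown in the report.
The event records and the field layout (pid, ppid, image, cmdline) are constructed
here from the report's process tree and WriteProcessMemory IoCs; not a real log."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path of the new process
    cmdline: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def certutil_decode(ev: ProcEvent) -> bool:
    """certutil used as a decoder (-decode / -decodehex) instead of for certificate work.
    Gated on the image so the parent cmd.exe command line is not counted twice."""
    return _basename(ev.image) == "certutil.exe" and bool(
        re.search(r"(^|\s)-decode(hex)?(\s|$)", ev.cmdline, re.I))


def findstr_junk_strip(ev: ProcEvent) -> bool:
    """findstr /V /R "^<long literal>$" <file>: inverted match that deletes marker lines
    from an encoded blob before it is decoded."""
    if _basename(ev.image) != "findstr.exe":
        return False
    m = re.search(r'findstr(?:\.exe)?\s+((?:/[A-Za-z]\s+)+)"\^[A-Za-z0-9]{32,}\$"',
                  ev.cmdline, re.I)
    return bool(m) and "/V" in m.group(1).upper()


def ping_sleep(ev: ProcEvent, min_count: int = 10) -> bool:
    """ping against loopback with a large -n count is a batch-script sleep, not diagnostics."""
    if _basename(ev.image) != "ping.exe":
        return False
    if not re.search(r"(^|\s)(127\.0\.0\.1|localhost)(\s|$)", ev.cmdline, re.I):
        return False
    m = re.search(r"-n\s+(\d+)", ev.cmdline, re.I)
    return bool(m) and int(m.group(1)) >= min_count


def iexpress_temp_exec(ev: ProcEvent) -> bool:
    """Executable launched from an IExpress extraction dir (IXPnnn.TMP) or a .com file
    under a Temp path, as Impaziente.com was in the report."""
    img = ev.image.lower()
    return bool(re.search(r"\\ixp\d{3}\.tmp\\", img)) or ("\\temp\\" in img and img.endswith(".com"))


RULES = {
    "certutil-decode": certutil_decode,
    "findstr-junk-strip": findstr_junk_strip,
    "ping-sleep": ping_sleep,
    "iexpress-temp-exec": iexpress_temp_exec,
}


def root_of(pid: int, by_pid: dict) -> int:
    """Walk the parent chain up to the outermost process we have an event for."""
    seen = set()
    while pid in by_pid and by_pid[pid].ppid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid].ppid
    return pid


def detect(events):
    """Return {root_pid: sorted [(pid, rule_name), ...]}, grouping hits by process tree."""
    by_pid = {ev.pid: ev for ev in events}
    hits = defaultdict(list)
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits[root_of(ev.pid, by_pid)].append((ev.pid, name))
    return {root: sorted(v) for root, v in hits.items()}


def suspicious_roots(events, min_distinct_rules: int = 3):
    """Roots whose tree fires at least min_distinct_rules different rules."""
    return sorted(root for root, v in detect(events).items()
                  if len({name for _, name in v}) >= min_distinct_rules)


# Constructed from the report's process tree; PIDs come from its WriteProcessMemory IoCs.
# Parent PID 1000 for the dropper is an assumption (not on the page).
T = r"C:\Users\Admin\AppData\Local\Temp"
S = r"C:\Windows\SysWOW64"
JUNK = ("rPyEJrQNgnNYOJGHLllEjPZqOOhyalmXfkvNlTpNlvGFYUgFTTjIkzZgQtPVPLctYQJChSvRqbxPpzw"
        "TmHjmXQLVjoXyrgXm")
EVENTS = [
    ProcEvent(2328, 1000, T + r"\150cc6fff4a7fca07ff09a3e37fb7828_JaffaCakes118.exe",
              '"' + T + r'\150cc6fff4a7fca07ff09a3e37fb7828_JaffaCakes118.exe"'),
    ProcEvent(2100, 2328, S + r"\cmd.exe", "cmd /c NNEC"),
    ProcEvent(2064, 2328, S + r"\cmd.exe", "cmd /c certutil -decode Pensa.wms Amo.xlsm & cmd < Amo.xlsm"),
    ProcEvent(1472, 2064, S + r"\certutil.exe", "certutil -decode Pensa.wms Amo.xlsm"),
    ProcEvent(2824, 2064, S + r"\cmd.exe", "cmd"),
    ProcEvent(1008, 2824, S + r"\findstr.exe", f'findstr /V /R "^{JUNK}$" Bonta.dll'),
    ProcEvent(992, 2824, S + r"\certutil.exe", "certutil -decode Cancellata.pdf v"),
    ProcEvent(5108, 2824, T + r"\IXP000.TMP\Impaziente.com", "Impaziente.com v"),
    ProcEvent(4412, 5108, T + r"\IXP000.TMP\Impaziente.com", T + r"\IXP000.TMP\Impaziente.com v"),
    ProcEvent(832, 2824, S + r"\PING.EXE", "ping 127.0.0.1 -n 30"),
    # Constructed benign controls: legitimate certutil and ping use must not fire.
    ProcEvent(3000, 1000, S + r"\certutil.exe", "certutil -verify -urlfetch server.cer"),
    ProcEvent(3001, 1000, S + r"\PING.EXE", "ping 8.8.8.8 -n 4"),
]

if __name__ == "__main__":
    for root, found in detect(EVENTS).items():
        print(root, found)
    print("suspicious roots:", suspicious_roots(EVENTS))
```

Run against the constructed events, the sample's tree rooted at PID 2328 fires all four rules (six hits) and is reported; the two benign control processes produce no hits. The grouping by root matters more than any single rule: certutil -decode and loopback ping each occur in legitimate administration, but their co-occurrence under one parent with a .com file executing out of IXP000.TMP is the pattern this report documents.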
Processes
- C:\Users\Admin\AppData\Local\Temp\150cc6fff4a7fca07ff09a3e37fb7828_JaffaCakes118.exe (PID 2328)
  "C:\Users\Admin\AppData\Local\Temp\150cc6fff4a7fca07ff09a3e37fb7828_JaffaCakes118.exe"
  Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2100)
    cmd /c NNEC
  - C:\Windows\SysWOW64\cmd.exe (PID 2064)
    cmd /c certutil -decode Pensa.wms Amo.xlsm & cmd < Amo.xlsm
    Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\certutil.exe (PID 1472)
      certutil -decode Pensa.wms Amo.xlsm
      Manipulates Digital Signatures
    - C:\Windows\SysWOW64\cmd.exe (PID 2824)
      cmd
      Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\findstr.exe (PID 1008)
        findstr /V /R "^rPyEJrQNgnNYOJGHLllEjPZqOOhyalmXfkvNlTpNlvGFYUgFTTjIkzZgQtPVPLctYQJChSvRqbxPpzwTmHjmXQLVjoXyrgXm$" Bonta.dll
      - C:\Windows\SysWOW64\certutil.exe (PID 992)
        certutil -decode Cancellata.pdf v
      - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Impaziente.com (PID 5108)
        Impaziente.com v
        Executes dropped EXE; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Impaziente.com (PID 4412)
          C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Impaziente.com v
          Executes dropped EXE; Checks processor information in registry; Suspicious use of FindShellTrayWindow
      - C:\Windows\SysWOW64\PING.EXE (PID 832)
        ping 127.0.0.1 -n 30
        Runs ping.exe

Reading the chain (PIDs taken from the WriteProcessMemory IoCs above): the dropper unpacks into IXP000.TMP and runs cmd, which base64-decodes Pensa.wms into the batch script Amo.xlsm and feeds it to a second cmd on stdin (cmd < Amo.xlsm). That script uses findstr /V to drop every line of Bonta.dll that consists solely of the junk marker, writing the cleaned base64 to Cancellata.pdf, decodes it with certutil into the file v, and launches Impaziente.com with v as its argument; the .com extension disguises an executable, and the launched copy spawns a second instance of itself (PID 4412), which is where the CryptBot payload is found in memory. ping 127.0.0.1 -n 30 is a roughly 30-second sleep, a common cmd-script stall. Note that the file extensions (.wms, .xlsm, .pdf, .dll, .jpg) do not describe the contents; they are chosen to look like documents and media.
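The findstr and certutil steps in the tree can be replayed offline to recover the decoded stage from a dropped blob, and the file sizes listed under Downloads give a quick plausibility check on which steps are plain base64 decodes. The Python below is an added example, not code from the report or from the sample's author: the staged blob it operates on is constructed here (the real Bonta.dll is not on this page), while the marker string is the literal from the report's findstr regex and the size pairs are the ones the report lists.

```python
"""Added example, not code from the report: replay the report's two-step unpacking
offline.  Step 1 mirrors  findstr /V /R "^<marker>$" Bonta.dll  (drop every line that
is exactly the marker); step 2 mirrors  certutil -decode Cancellata.pdf v  (ignore the
optional -----BEGIN/END----- lines and whitespace, then base64-decode).  The staged
blob below is constructed; the real dropped files are not on this page."""
import base64
import hashlib
import re

# The literal from the report's findstr regex (the junk line the batch script removes).
MARKER = ("rPyEJrQNgnNYOJGHLllEjPZqOOhyalmXfkvNlTpNlvGFYUgFTTjIkzZgQtPVPLctYQJChSvRqbxPpzw"
          "TmHjmXQLVjoXyrgXm")


def strip_marker_lines(blob: bytes, marker: str) -> bytes:
    """Emulate findstr /V /R "^marker$": keep only lines that are not exactly `marker`."""
    pat = re.compile(rb"^" + re.escape(marker.encode()) + rb"$")
    kept = [ln for ln in blob.splitlines() if not pat.match(ln)]
    return b"\r\n".join(kept) + b"\r\n"


def certutil_decode(text: bytes) -> bytes:
    """Emulate certutil -decode: skip PEM-style header/footer lines and whitespace,
    then base64-decode the remaining body (strict alphabet, like certutil)."""
    body = b"".join(ln.strip() for ln in text.splitlines()
                    if ln.strip() and not ln.strip().startswith(b"-----"))
    return base64.b64decode(body, validate=True)


def recover_payload(staged_blob: bytes, marker: str = MARKER) -> bytes:
    """Bonta.dll -> Cancellata.pdf -> v, as the report's batch script does it."""
    return certutil_decode(strip_marker_lines(staged_blob, marker))


def build_staged_blob(payload: bytes, marker: str = MARKER, every: int = 3) -> bytes:
    """Constructed test input: certutil -encode style output (64-char base64 lines between
    BEGIN/END CERTIFICATE lines) with a marker line inserted after every `every` base64
    lines, mimicking a padded Bonta.dll before findstr strips it."""
    b64 = base64.b64encode(payload)
    lines = [b"-----BEGIN CERTIFICATE-----"]
    for i in range(0, len(b64), 64):
        lines.append(b64[i:i + 64])
        if (i // 64 + 1) % every == 0:
            lines.append(marker.encode())
    lines.append(b"-----END CERTIFICATE-----")
    return b"\r\n".join(lines) + b"\r\n"


def looks_like_base64_stage(encoded_kb: float, decoded_kb: float, tol: float = 0.05) -> bool:
    """Plausibility check from sizes alone: base64 with 64-char lines and CRLF inflates
    by 4/3 * 66/64 = 1.375.  The report lists Cancellata.pdf 540KB -> v 391KB and
    Pensa.wms 143KB -> Amo.xlsm 103KB (both about 1.38), while Bonta.dll 921KB ->
    Cancellata.pdf 540KB (1.71) is not a plain decode, consistent with marker lines
    having been removed in that step."""
    return abs(encoded_kb / decoded_kb - 1.375) <= tol


# Constructed stand-in for the decoded executable: an MZ stub, not a real binary.
PAYLOAD = b"MZ" + bytes(range(256)) * 8


def demo() -> str:
    """Round-trip the constructed blob and return the recovered payload's SHA-256."""
    recovered = recover_payload(build_staged_blob(PAYLOAD))
    assert recovered == PAYLOAD
    return hashlib.sha256(recovered).hexdigest()


if __name__ == "__main__":
    print("recovered sha256:", demo())
    for name, enc, dec in (("Cancellata.pdf -> v", 540, 391),
                           ("Pensa.wms -> Amo.xlsm", 143, 103),
                           ("Bonta.dll -> Cancellata.pdf", 921, 540)):
        print(f"{name}: ratio {enc / dec:.3f}, plain base64 step: {looks_like_base64_stage(enc, dec)}")
```

On a real case the same two functions are applied to the dropped Bonta.dll (or Pensa.wms) pulled from the sandbox, and the SHA-256 of the result is compared with the hash the report lists for v (or Amo.xlsm); a match confirms the chain was understood correctly without executing anything from the sample.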
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Amo.xlsm
  Filesize: 103KB
  MD5: b1569f5b72901aa0c93e8b12bc8d4735
  SHA1: 40fb7e32396524b39734e121d9a6f38b04813465
  SHA256: 8e8ef98552fe9397b33c194be13c6162a37e7d763d4eae354e427fbaa9628b42
  SHA512: 6e249e280b5eb010aa1b634b086cd8a7e1d05c06bb2d19f31bbda27842ac04a4841a5703abc118bb5391bbf823c712f3cca4412712f7367fd607ff8e0b706723
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Andiate.jpg
  Filesize: 888KB
  MD5: b2552098717ccc7b6712cd59fd2a8642
  SHA1: 0b69645cf69af1932a2af8e2b0c6c826e1d65fda
  SHA256: 9a279bffce95308df7e8e0a5bd788c5785d82f5002f455f5f3ea298e30d4339a
  SHA512: 9d93ea0b4639cc79af9f25d4f00211719d06b97a47bc45be2071089bf49c4cba9ec8c6f2a5f033fe6fc89eb71cbe6d049e58ca35ff97c8f4e9aea52ec03c8f35
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bonta.dll
  Filesize: 921KB
  MD5: 26899137853937bb8068032b77b8ff24
  SHA1: 5848cf42dd20054ec8d1d5e4a74cc100904ced3d
  SHA256: 59d9b2a6684a4b7d88fd25b0ae80c267db667172b8e87531a7de29a1a9f356a9
  SHA512: ecd1c36bcfbd12a063cd1e9f8e1015b1fa5e88749c29852f24efe9b1dbe7f96769bfba2d07cd3efc24bfeade3a1bbacdece85510607e0f931d1ed5eb9bd99d81
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Cancellata.pdf
  Filesize: 540KB
  MD5: aaaf75ec5a1703205397df5c268153a0
  SHA1: c55b053bc37ef5025766ed4c8d27d666e83d6ac9
  SHA256: b549a3ce1f9349fcc17843c6d2997a07b41de74ee91a85311462304d8fea503c
  SHA512: 0ae29a091071485d3da3a9a042b96d77a3699a4a08a1d0f6e61baa8008f4a10f49631ed209f321876c66e19453475224540524b1e251ef4d0c580f89b65ec451
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Impaziente.com
  Filesize: 921KB
  MD5: 78ba0653a340bac5ff152b21a83626cc
  SHA1: b12da9cb5d024555405040e65ad89d16ae749502
  SHA256: 05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
  SHA512: efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pensa.wms
  Filesize: 143KB
  MD5: 104094356b76688e39c145e72ae47c1f
  SHA1: 7ad4a21e54df68a654d60bd376737074a8b46d12
  SHA256: ced57416210a03c632d11634c839da10e9d696742bdecc37435f9bea6eca9003
  SHA512: 5837a50aea46b5ea70e156350ed9a8ba692a92b4ca67cfacebcf04757c08bb397a0018f4e440a88da559c4c38bbe46c6238b3b37411256f11a3cb7b774eefb64
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v
  Filesize: 391KB
  MD5: cd5dd08e9bccf743f473866f2a1332cc
  SHA1: 4b04a9646493eb634791882af5821f2bf2f1a521
  SHA256: 27b93f39c6d6f3edda2e7bdaa5743c93d073d86bad715e7f9b37a20da1d925b6
  SHA512: 03631e23b2963056bbd72080b0e00530ab57de6c6f45870f4ce8e16ea2cb4d585d9f7153886778d4edebf5f22fe54956f2c4b45c88e08024b09846e73a16a83f
- C:\Users\Admin\AppData\Local\Temp\PZIhmWab\VKtRCMuEVHo.zip
  Filesize: 50KB
  MD5: 6fe743809fcc9b680bf2930213797cbb
  SHA1: 246a09fa1f1fd2e104c56b1d72ee17586c367767
  SHA256: f025d880ac63e25bfe0581e7d7cec7f9f70726931a2b3c2ed85d75d328e84ee7
  SHA512: 90e945c23caacd771281accf475dc9d3bb6d8ee82f5961084c769767ddab19fabe1e2406d77fa577c64c1b45aea2c642856264969552f8de0a0d53082475ae35
- C:\Users\Admin\AppData\Local\Temp\PZIhmWab\_Files\_Information.txt (first write)
  Filesize: 1KB
  MD5: e0242ec428528589d0d9b488b28239a3
  SHA1: 8fd4c95da5245df6d0b98f081864b83bf8a39476
  SHA256: 484a6d347f7e788b6e307de23faec849de41f7c0f4e8b3dd217395bce48bc3e2
  SHA512: a9f2661226c57d7423ea86107d731f2a4d0f00816213abbd69a00b1587f58ce0a20d3e96b125088b31cd364ff84d656cf243e1325becb3997c97e472538a85e9
- C:\Users\Admin\AppData\Local\Temp\PZIhmWab\_Files\_Information.txt (second write, same path, different content)
  Filesize: 4KB
  MD5: 504fa615607fb2d5d5ec37852be6e329
  SHA1: 30c5ca2c4e51439be0be3a71b98aa2a4174a1185
  SHA256: 06abeb6154914433deb2c57c472f9a2f5fd009d47383e04d7899e60a6bfe25b1
  SHA512: 9572850dea72a420971204e2e453f04dc947383b08e40e728acf7513a94b33d7ac79bdaa99ada72ab0f99913e1881b7cdd7bf900552dace95db11edec2b9beb8
- C:\Users\Admin\AppData\Local\Temp\PZIhmWab\_Files\_Screen_Desktop.jpeg
  Filesize: 55KB
  MD5: dbb379b477ccffcb80ca2e949fd5eaf4
  SHA1: 279aba95f06ea96a3a0b3e06d82c949c3fba4506
  SHA256: 4a767e85d33d0b34a85b69c61d5b8a18b6c3de180fc72ccd3c67d41801d3e941
  SHA512: a5d9ddcfe0ff61b69ed12ade80589260f26c876e6f865a6a8b0db55d4d7a327330f53372e8663b645d1abcf235c65375f6fb6e5f368739775aaea1b1e7374fba
- C:\Users\Admin\AppData\Local\Temp\PZIhmWab\files_\system_info.txt
  Filesize: 7KB
  MD5: 87c6551d95a344121da2059e242754aa
  SHA1: 5048c66d9c53ff9a7159b2ae66e075891da04905
  SHA256: f06b7cf4e70f2f763c8e64abd7c5ffd2725eaf4755ed6d02f7638e38e916d11a
  SHA512: f802f840d4e94af2863eaa8ad286cf971f1608e2ea88fe720960cbdc178afa980b6eab242d2a1f38da025b47edb5467bc5e4bf611cdd6eacf645e815937351eb

Memory dumps (PID 4412, region 0x00000000007D0000-0x00000000008B3000, 908KB each; dumps 25, 26 and 27 are the ones matched by the family_cryptbot YARA rule):
- memory/4412-22-0x00000000007D0000-0x00000000008B3000-memory.dmp
- memory/4412-23-0x00000000007D0000-0x00000000008B3000-memory.dmp
- memory/4412-24-0x00000000007D0000-0x00000000008B3000-memory.dmp
- memory/4412-25-0x00000000007D0000-0x00000000008B3000-memory.dmp
- memory/4412-26-0x00000000007D0000-0x00000000008B3000-memory.dmp
- memory/4412-27-0x00000000007D0000-0x00000000008B3000-memory.dmp