Analysis

max time kernel: 149s
max time network: 146s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 07-04-2024 11:49

Tasks:
  static1 (Static task)
  behavioral1 (Behavioral task): sample e4dbf85869e7764aaf5032599c98d3c9_JaffaCakes118.exe, resource win7-20240220-en
  behavioral2 (Behavioral task): sample e4dbf85869e7764aaf5032599c98d3c9_JaffaCakes118.exe, resource win10v2004-20240226-en
General

Target: e4dbf85869e7764aaf5032599c98d3c9_JaffaCakes118.exe
Size: 1.4MB
MD5: e4dbf85869e7764aaf5032599c98d3c9
SHA1: 1e937f87fdccbe88fad3236bca8705f4ded8c4ac
SHA256: 86a67fa63d48d6a4ffb95f26a3c0a2ffcb9819422766c94a3a3d6b45944f7c62
SHA512: 7b1a0b968b671547ef66a79c989dfd9dc5aaf7bca957c64af5e149467846ea682d83066e91e662ddec2326decab673be48810014b14647cce104ee6dbadfe2e3
SSDEEP: 24576:U9VubLNAafeunjgHujoVvRWrW+neNZeA23/wHPISs2YB2jh2Nl5Zgrqd/7KA0pG:KubvGujgHuEVvzYej0oHPM2RkNlcm57X
Malware Config

Extracted
  Family: cryptbot
  Domains: lyspoh51.top, morecj05.top
  payload_url: http://damyeb07.top/download.php?file=lv.exe
Signatures

CryptBot payload (5 IoCs)
  resource                                                                       yara_rule
  behavioral1/memory/2824-28-0x0000000003A00000-0x0000000003AA3000-memory.dmp    family_cryptbot
  behavioral1/memory/2824-29-0x0000000003A00000-0x0000000003AA3000-memory.dmp    family_cryptbot
  behavioral1/memory/2824-30-0x0000000003A00000-0x0000000003AA3000-memory.dmp    family_cryptbot
  behavioral1/memory/2824-31-0x0000000003A00000-0x0000000003AA3000-memory.dmp    family_cryptbot
  behavioral1/memory/2824-251-0x0000000003A00000-0x0000000003AA3000-memory.dmp   family_cryptbot

Executes dropped EXE (2 IoCs)
  pid   process
  2584  Naufrago.exe.com
  2824  Naufrago.exe.com

Loads dropped DLL (2 IoCs)
  pid   process
  2884  cmd.exe
  2584  Naufrago.exe.com

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  process: e4dbf85869e7764aaf5032599c98d3c9_JaffaCakes118.exe

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                                   process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      Naufrago.exe.com
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  Naufrago.exe.com

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of FindShellTrayWindow (8 IoCs)
  pid   process           events
  2584  Naufrago.exe.com  3
  2824  Naufrago.exe.com  5

Suspicious use of SendNotifyMessage (6 IoCs)
  pid   process           events
  2584  Naufrago.exe.com  3
  2824  Naufrago.exe.com  3

Suspicious use of WriteProcessMemory (28 IoCs)
  Each parent/target pair below was recorded 4 times.
  pid   process                                             target pid  target process
  2068  e4dbf85869e7764aaf5032599c98d3c9_JaffaCakes118.exe  2176        dllhost.exe
  2068  e4dbf85869e7764aaf5032599c98d3c9_JaffaCakes118.exe  1804        cmd.exe
  1804  cmd.exe                                             2884        cmd.exe
  2884  cmd.exe                                             2532        findstr.exe
  2884  cmd.exe                                             2584        Naufrago.exe.com
  2884  cmd.exe                                             2636        PING.EXE
  2584  Naufrago.exe.com                                    2824        Naufrago.exe.com
Processes

C:\Users\Admin\AppData\Local\Temp\e4dbf85869e7764aaf5032599c98d3c9_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\e4dbf85869e7764aaf5032599c98d3c9_JaffaCakes118.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\dllhost.exe
    command line: dllhost.exe

  C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c cmd < Ore.mid
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: cmd
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\findstr.exe
        command line: findstr /V /R "^TsnBsoCmfklVmpndLzwEdrlekuDBjXalIgQvIAieVclRTWGoGGYRoMDPicdkEqjaSqjkaeIlkZIUTaofmxVFYAeWKwgjlWbVpRYTJcQDYOGorJVOjwLltGzsYdAsNcZfCNKexfFtDaGlU$" Implorando.mid

      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Naufrago.exe.com
        command line: Naufrago.exe.com G
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Naufrago.exe.com
          command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Naufrago.exe.com G
          - Executes dropped EXE
          - Checks processor information in registry
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage

      C:\Windows\SysWOW64\PING.EXE
        command line: ping BISMIZHX -n 30
        - Runs ping.exe
Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Implorando.mid
  Filesize: 872KB
  MD5: 37ff73dabe362f9298351c8693cb8725
  SHA1: 30344545902a4e23fb4313bd93d16205536f55eb
  SHA256: c294a1bb47c7f107272d37b86c758039920f066701ba06b439646385b621214f
  SHA512: 31f52019c81b2fee5ab2def4c0801f07a16ea58b9b326921f164095f3c34df644d7a3a27dd1a8772e173f73a717c7fa724b399883ae6f43b4678d87d157e99a7

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ore.mid
  Filesize: 660B
  MD5: 3eb2d46a619ae2119e3aae57ff87a051
  SHA1: cdae20ad65fe853a7f5193d30b4ed541291d10b2
  SHA256: 45b63d95d59e900b9d0a065694ecd5049d822f768a7324962a3fb8d8c14d447f
  SHA512: e975d17b44def8a837fb6c8e6284a4630e8f2eb3ba08144dda44ed42c9a05e26e977e1b6e0e3c38037a080a731f0c2490d03e1485069b52da992da6429423349

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sorso.mid
  Filesize: 700KB
  MD5: 912beeb3b0a46f21952b72dbcd598c58
  SHA1: adf632d0da955983b00c25a25a0f3ef8e4e9cdbd
  SHA256: 2e08a01b1806b7eb7a945043a1e20fd0a4cd182fa5a06b02169dcfea3f10c871
  SHA512: 3264d65f58ec079a9dc42608e270e709e898cee88bb9c0eaa3a3d8a7b084b51a62d1c12a0ec27740a1f3d4f472f7ad1451048e71bc73e7cf82e3e1891415ca6e

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Specie.mid
  Filesize: 634KB
  MD5: f27f237a4cb2dc1778854ad6b0aa4072
  SHA1: afc03486054cd003a21e2b0be2535a4859befaa2
  SHA256: 221e356e2c0892ad0b209edb29f17dd147ea7a3f8cf6b4e36160b23030d24685
  SHA512: d7595174e5be53518d9d4d793c8a53e5528b2affaceb2e8b1e77e0762693ef39fc79af176f2e27d83599a66dc621ab2fcb3e68abd5924c4f69af16695c55d771

C:\Users\Admin\AppData\Local\Temp\Mxn2qoZBOg6v\V6j6Ttk3PW1n.zip
  Filesize: 35KB
  MD5: c96fc6ceb0d5fd83c94eab88c80f2deb
  SHA1: 90e676dd7e4ea6cc4dd91e46a110209eac571da5
  SHA256: 8386b256feca3362013a24a919f55480c93437276bb287f0e2469ddbf4e460f0
  SHA512: 620bc0e2fd7178a3d2ef98304d2b7664e8460fc904344727aaf2ab94b2b155f9f9d33158cd8924796b865da0b7349386f02125760c0f5eefec971e335c445a04

C:\Users\Admin\AppData\Local\Temp\Mxn2qoZBOg6v\_Files\_Information.txt
  Filesize: 4KB
  MD5: 9c976198b46e261f4a2d90858b569440
  SHA1: 2b17f69f3d5df21e0681be85fad1cc8b78c34104
  SHA256: e1f23b289643cccbd38aa6ddf737514dec67fdcab8c4def72e9cfd05632cc912
  SHA512: 37a1a063d80ad66b31d693b3654d0b96f5898810fb2845c14536a1901df2fcd847d646343c3db8580a3f90997949c80d317c952d4d86a49a72f190864ea92b6b

C:\Users\Admin\AppData\Local\Temp\Mxn2qoZBOg6v\_Files\_Information.txt
  Filesize: 1KB
  MD5: 797b178e73c5e7b2ffd610cc3a7373b7
  SHA1: 3a17be106a598486a03841f2d688981d260713f9
  SHA256: b60b779faee9a86fd25942e41d6bb1213b65457d3d65be6e33b84a8c6859b08b
  SHA512: 56d5ae7e1056c9d7f482a307960fc1b1075edc0e66d78689edcc3b8c452410f32b3310a7bc623ca499195906ad3fcd3a42680626a5f324c47f0bfa1fec51357d

C:\Users\Admin\AppData\Local\Temp\Mxn2qoZBOg6v\_Files\_Information.txt
  Filesize: 1KB
  MD5: cb0ab4452d85bb224b7189bab67a9274
  SHA1: 4da143c04ff0d66e403f52f66c0e5c9f64f9c989
  SHA256: 34619f7d32b90e660dc444327fa1ee73b7eaf5d3760be7509f6ce0bea9282105
  SHA512: d60efd2d694ffc3974603b6d73ec856f5bf50720a180b63f36df4c5fc44d7240770339a750df1ec35e7addbba4114caf5c29f1a7fb3cc3f92e93a371f8374276

C:\Users\Admin\AppData\Local\Temp\Mxn2qoZBOg6v\_Files\_Information.txt
  Filesize: 3KB
  MD5: bb9b581c2fbc2b72c74495bfb47b986d
  SHA1: c9743c0071bcf79d36d58674e7c623511002ccbc
  SHA256: 9b063d27f485eab6d65de047689f8c81f3c14847a9c343f5ecf68378ae90d172
  SHA512: 3397d79cb7b562e4476fcf585b92295f276e40152f12ad746d00dcf38cbef5a280f68cc0207afc972712fb52183068acc13b565f66dd4171581a4756122b547c

C:\Users\Admin\AppData\Local\Temp\Mxn2qoZBOg6v\_Files\_Information.txt
  Filesize: 3KB
  MD5: e60b41e21bb02e6114db037f8f99ec4d
  SHA1: 40ed8d60b0b4dbf4af55c5f77445db512082906c
  SHA256: 39da526e49d7d5fe313992d333e41114319e8843b23dad7f9ec88d63c3058ebe
  SHA512: 47cd926c9b8b0d560637a5a77c1705c809bdb6aaacdac39e72cb1659544b7206244cc29f21df38e13f296e06eb375dae3b6096e818a23d3b1312b5c775b9e1e6

C:\Users\Admin\AppData\Local\Temp\Mxn2qoZBOg6v\_Files\_Information.txt
  Filesize: 3KB
  MD5: 14fb441953acb09cb5ce030e9be95fbf
  SHA1: e52c32b89070381557cd34c846feaaf478a36f0e
  SHA256: 1c72daa2cb576dab4cba074f918322b989ea7e4c2ed670b7e199b6cf410081f2
  SHA512: 308003098ce5ed1bfbac08f89190dd25f6a1e44e24434178addc06a9fd7e0b4a250358eeed10e0c0f459afbda383fe92b46aab69f92a521d2e6d30c6bb85cd29

C:\Users\Admin\AppData\Local\Temp\Mxn2qoZBOg6v\_Files\_Screen_Desktop.jpeg
  Filesize: 43KB
  MD5: e7af687d22eb0a2c5dae6461ec751ca1
  SHA1: b369230b1d0cc456bcac0fe525a07f34cc89e964
  SHA256: b506018534e59859f2a11f7d7b428252d216f8553373e39000b7d7519a119980
  SHA512: 72062c5f68e222cd394c74e8c4d49aa7ef65e479456b3c6e39880fd85e3a2377b0b22c7a0e316fe2175252e220b68d0e1441e0aa25ab21f12f9c5b4523c2e9bf

C:\Users\Admin\AppData\Local\Temp\Mxn2qoZBOg6v\files_\system_info.txt
  Filesize: 1KB
  MD5: 774096e43d36f4a1767d1f25ef0cd760
  SHA1: b8cd6b11c72c1a24b2aba6e8494606a92ce53ab4
  SHA256: b4fe09719caf2773392bda9f0d868515cce47d303464221bb8ec0dfac2a37eb4
  SHA512: b4fbb711520aed472cd7cacefd757f0a5f649d2c07d4cfb86d5ec561a2c01aa7d5156bc005fcc0499ddaa33e1b6bd546397a03e438ae430b558c2bf3858c2406

C:\Users\Admin\AppData\Local\Temp\Mxn2qoZBOg6v\files_\system_info.txt
  Filesize: 8KB
  MD5: f5add35924bbaf994b98a34eb0ed2ecd
  SHA1: d49fb95b70d6138d4b312daa4f4b9012ada6702c
  SHA256: 752957e28739c1a45d10ff1327cde5fd21e77391346aa98e1cc3862b1e04601d
  SHA512: 7ed0232b11409527683b03d5966d53b21383cdea08f6955719e4917da67d303fb4d0e425a60ade35800410e9566b0d3f951a57c355096e169c05dd19996ae4e7

\Users\Admin\AppData\Local\Temp\IXP000.TMP\Naufrago.exe.com
  Filesize: 872KB
  MD5: c56b5f0201a3b3de53e561fe76912bfd
  SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Memory dumps (path, Filesize)
  memory/2824-25-0x0000000003A00000-0x0000000003AA3000-memory.dmp    652KB
  memory/2824-32-0x0000000000C00000-0x0000000000C01000-memory.dmp    4KB
  memory/2824-31-0x0000000003A00000-0x0000000003AA3000-memory.dmp    652KB
  memory/2824-30-0x0000000003A00000-0x0000000003AA3000-memory.dmp    652KB
  memory/2824-29-0x0000000003A00000-0x0000000003AA3000-memory.dmp    652KB
  memory/2824-28-0x0000000003A00000-0x0000000003AA3000-memory.dmp    652KB
  memory/2824-27-0x0000000003A00000-0x0000000003AA3000-memory.dmp    652KB
  memory/2824-26-0x0000000003A00000-0x0000000003AA3000-memory.dmp    652KB
  memory/2824-251-0x0000000003A00000-0x0000000003AA3000-memory.dmp   652KB
  memory/2824-252-0x0000000000C00000-0x0000000000C01000-memory.dmp   4KB
  memory/2824-24-0x00000000000C0000-0x00000000000C1000-memory.dmp    4KB