Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 07-04-2024 11:49
Static task: static1
Behavioral task: behavioral1
Sample: e4dbf85869e7764aaf5032599c98d3c9_JaffaCakes118.exe
Resource: win7-20240220-en
Behavioral task: behavioral2
Sample: e4dbf85869e7764aaf5032599c98d3c9_JaffaCakes118.exe
Resource: win10v2004-20240226-en
General
Target: e4dbf85869e7764aaf5032599c98d3c9_JaffaCakes118.exe
Size: 1.4MB
MD5: e4dbf85869e7764aaf5032599c98d3c9
SHA1: 1e937f87fdccbe88fad3236bca8705f4ded8c4ac
SHA256: 86a67fa63d48d6a4ffb95f26a3c0a2ffcb9819422766c94a3a3d6b45944f7c62
SHA512: 7b1a0b968b671547ef66a79c989dfd9dc5aaf7bca957c64af5e149467846ea682d83066e91e662ddec2326decab673be48810014b14647cce104ee6dbadfe2e3
SSDEEP: 24576:U9VubLNAafeunjgHujoVvRWrW+neNZeA23/wHPISs2YB2jh2Nl5Zgrqd/7KA0pG:KubvGujgHuEVvzYej0oHPM2RkNlcm57X
Malware Config
Extracted
Family: cryptbot
lyspoh51.top
morecj05.top
payload_url: http://damyeb07.top/download.php?file=lv.exe
Signatures
CryptBot payload 5 IoCs
Processes:
resource | yara_rule
behavioral2/memory/1016-25-0x0000000004730000-0x00000000047D3000-memory.dmp | family_cryptbot
behavioral2/memory/1016-26-0x0000000004730000-0x00000000047D3000-memory.dmp | family_cryptbot
behavioral2/memory/1016-27-0x0000000004730000-0x00000000047D3000-memory.dmp | family_cryptbot
behavioral2/memory/1016-29-0x0000000004730000-0x00000000047D3000-memory.dmp | family_cryptbot
behavioral2/memory/1016-237-0x0000000004730000-0x00000000047D3000-memory.dmp | family_cryptbot
Executes dropped EXE 2 IoCs
Processes:
pid | process
3732 | Naufrago.exe.com
1016 | Naufrago.exe.com
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 1 IoCs
The value below is the cleanup hook that the Windows IExpress/WEXTRACT self-extractor writes for its own IXP000.TMP extraction directory: advpack.dll's DelNodeRunDLL32 deletes that folder at the next logon. It shows the dropper is an IExpress package; it is not a persistence mechanism for the CryptBot payload.
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | e4dbf85869e7764aaf5032599c98d3c9_JaffaCakes118.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Naufrago.exe.com
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Naufrago.exe.com
Runs ping.exe 1 TTPs 1 IoCs
Suspicious use of FindShellTrayWindow 8 IoCs
Processes:
pid | process
3732 | Naufrago.exe.com
3732 | Naufrago.exe.com
3732 | Naufrago.exe.com
1016 | Naufrago.exe.com
1016 | Naufrago.exe.com
1016 | Naufrago.exe.com
1016 | Naufrago.exe.com
1016 | Naufrago.exe.com
Suspicious use of SendNotifyMessage 6 IoCs
Processes:
pid | process
3732 | Naufrago.exe.com
3732 | Naufrago.exe.com
3732 | Naufrago.exe.com
1016 | Naufrago.exe.com
1016 | Naufrago.exe.com
1016 | Naufrago.exe.com
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
description | pid | process | target process
PID 1760 wrote to memory of 2112 | 1760 | e4dbf85869e7764aaf5032599c98d3c9_JaffaCakes118.exe | dllhost.exe
PID 1760 wrote to memory of 2112 | 1760 | e4dbf85869e7764aaf5032599c98d3c9_JaffaCakes118.exe | dllhost.exe
PID 1760 wrote to memory of 2112 | 1760 | e4dbf85869e7764aaf5032599c98d3c9_JaffaCakes118.exe | dllhost.exe
PID 1760 wrote to memory of 4832 | 1760 | e4dbf85869e7764aaf5032599c98d3c9_JaffaCakes118.exe | cmd.exe
PID 1760 wrote to memory of 4832 | 1760 | e4dbf85869e7764aaf5032599c98d3c9_JaffaCakes118.exe | cmd.exe
PID 1760 wrote to memory of 4832 | 1760 | e4dbf85869e7764aaf5032599c98d3c9_JaffaCakes118.exe | cmd.exe
PID 4832 wrote to memory of 3836 | 4832 | cmd.exe | cmd.exe
PID 4832 wrote to memory of 3836 | 4832 | cmd.exe | cmd.exe
PID 4832 wrote to memory of 3836 | 4832 | cmd.exe | cmd.exe
PID 3836 wrote to memory of 1104 | 3836 | cmd.exe | findstr.exe
PID 3836 wrote to memory of 1104 | 3836 | cmd.exe | findstr.exe
PID 3836 wrote to memory of 1104 | 3836 | cmd.exe | findstr.exe
PID 3836 wrote to memory of 3732 | 3836 | cmd.exe | Naufrago.exe.com
PID 3836 wrote to memory of 3732 | 3836 | cmd.exe | Naufrago.exe.com
PID 3836 wrote to memory of 3732 | 3836 | cmd.exe | Naufrago.exe.com
PID 3836 wrote to memory of 756 | 3836 | cmd.exe | PING.EXE
PID 3836 wrote to memory of 756 | 3836 | cmd.exe | PING.EXE
PID 3836 wrote to memory of 756 | 3836 | cmd.exe | PING.EXE
PID 3732 wrote to memory of 1016 | 3732 | Naufrago.exe.com | Naufrago.exe.com
PID 3732 wrote to memory of 1016 | 3732 | Naufrago.exe.com | Naufrago.exe.com
PID 3732 wrote to memory of 1016 | 3732 | Naufrago.exe.com | Naufrago.exe.com
Processes (indented by depth; PIDs taken from the WriteProcessMemory table above)
pid 1760: C:\Users\Admin\AppData\Local\Temp\e4dbf85869e7764aaf5032599c98d3c9_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\e4dbf85869e7764aaf5032599c98d3c9_JaffaCakes118.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  pid 2112: C:\Windows\SysWOW64\dllhost.exe
    command line: dllhost.exe
  pid 4832: C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c cmd < Ore.mid
    - Suspicious use of WriteProcessMemory
    pid 3836: C:\Windows\SysWOW64\cmd.exe
      command line: cmd
      - Suspicious use of WriteProcessMemory
      pid 1104: C:\Windows\SysWOW64\findstr.exe
        command line: findstr /V /R "^TsnBsoCmfklVmpndLzwEdrlekuDBjXalIgQvIAieVclRTWGoGGYRoMDPicdkEqjaSqjkaeIlkZIUTaofmxVFYAeWKwgjlWbVpRYTJcQDYOGorJVOjwLltGzsYdAsNcZfCNKexfFtDaGlU$" Implorando.mid
      pid 3732: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Naufrago.exe.com
        command line: Naufrago.exe.com G
        - Executes dropped EXE
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        pid 1016: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Naufrago.exe.com
          command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Naufrago.exe.com G
          - Executes dropped EXE
          - Checks processor information in registry
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
      pid 756: C:\Windows\SysWOW64\PING.EXE
        command line: ping JKRSODLE -n 30
        - Runs ping.exe
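The tree above is a common LOLBin staging chain: the IExpress package extracts its files into IXP000.TMP, cmd.exe reads its script from Ore.mid on stdin (so no .bat/.cmd file is ever written), findstr /V with an anchored regex removes exactly one junk marker line from Implorando.mid (the report shows the findstr command but not where its output goes; Implorando.mid and the dropped Naufrago.exe.com are both listed at 872KB below), the result runs under a double extension (.exe.com is still a valid executable extension), ping to a made-up host with -n 30 serves as a sleep, and Naufrago.exe.com relaunches its own image, with the CryptBot YARA hits appearing only in the child (PID 1016). The Python below is an added example, not part of the sandbox report or of the sample: it encodes the tree as constructed process-creation events (PIDs from the WriteProcessMemory table) and runs detection rules over them. The rule names and thresholds, and the extension of the double-extension rule to .pif and .scr, are this example's own choices.

```python
"""Detection rules for the LOLBin staging chain in the process tree above.

Added example, not part of the sandbox report. The events are constructed from the
report's process tree; the rule names and thresholds are this example's own.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full image path
    cmdline: str   # command line as shown in the report


TMP = r"C:\Users\Admin\AppData\Local\Temp"
DROPPER = TMP + r"\e4dbf85869e7764aaf5032599c98d3c9_JaffaCakes118.exe"
SFX = TMP + r"\IXP000.TMP\Naufrago.exe.com"
MARKER = ("TsnBsoCmfklVmpndLzwEdrlekuDBjXalIgQvIAieVclRTWGoGGYRoMDPicdkEqja"
          "SqjkaeIlkZIUTaofmxVFYAeWKwgjlWbVpRYTJcQDYOGorJVOjwLltGzsYdAsNcZfCNKexfFtDaGlU")

# Constructed from the report's process tree; PIDs are those in its WriteProcessMemory table.
EVENTS = [
    ProcEvent(1760, 0,    DROPPER, f'"{DROPPER}"'),
    ProcEvent(2112, 1760, r"C:\Windows\SysWOW64\dllhost.exe", "dllhost.exe"),
    ProcEvent(4832, 1760, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c cmd < Ore.mid"),
    ProcEvent(3836, 4832, r"C:\Windows\SysWOW64\cmd.exe", "cmd"),
    ProcEvent(1104, 3836, r"C:\Windows\SysWOW64\findstr.exe",
              f'findstr /V /R "^{MARKER}$" Implorando.mid'),
    ProcEvent(3732, 3836, SFX, "Naufrago.exe.com G"),
    ProcEvent(756,  3836, r"C:\Windows\SysWOW64\PING.EXE", "ping JKRSODLE -n 30"),
    ProcEvent(1016, 3732, SFX, f"{SFX} G"),
]

STDIN_REDIRECT = re.compile(r"<\s*([^\s&|<>]+)")
FINDSTR_MARKER = re.compile(r'findstr\b.*?\s/V\b.*?"\^([A-Za-z0-9]{32,})\$"', re.I)
PING_COUNT = re.compile(r"\bping\b.*?\s-n\s+(\d+)", re.I)
SCRIPT_EXT = (".bat", ".cmd")
# .com is what the report shows; .pif and .scr are the same trick (assumption, not from the report).
EXEC_ALIASES = ("com", "pif", "scr")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rules(ev: ProcEvent, by_pid: dict) -> list:
    """Return [(rule_name, detail), ...] for one event."""
    hits = []
    name = basename(ev.image)
    parent = by_pid.get(ev.ppid)

    # 1. cmd.exe taking its script from stdin, out of a file that is not a script by extension.
    if name == "cmd.exe":
        m = STDIN_REDIRECT.search(ev.cmdline)
        if m and not m.group(1).lower().endswith(SCRIPT_EXT):
            hits.append(("cmd_stdin_script", m.group(1).lower()))

    # 2. findstr /V with an anchored ^...$ regex made of one long random token: drops exactly
    #    the marker line from a file, i.e. rebuilds a binary hidden in a non-executable file.
    if name == "findstr.exe":
        m = FINDSTR_MARKER.search(ev.cmdline)
        if m:
            hits.append(("findstr_marker_strip", len(m.group(1))))

    # 3. Double extension: the part before the last dot is itself ".exe".
    stem, _, ext = name.rpartition(".")
    if stem.endswith(".exe") and ext in EXEC_ALIASES:
        hits.append(("double_extension_exec", name))

    # 4. ping with a large -n count launched from cmd.exe: a sleep with no script interpreter.
    if name == "ping.exe":
        m = PING_COUNT.search(ev.cmdline)
        if m and int(m.group(1)) >= 10 and parent and basename(parent.image) == "cmd.exe":
            hits.append(("ping_sleep", int(m.group(1))))

    # 5. A non-OS binary relaunching its own image (cmd /c cmd is excluded by the path check).
    if (parent and parent.image.lower() == ev.image.lower()
            and not ev.image.lower().startswith("c:\\windows\\")):
        hits.append(("self_respawn", ev.ppid))
    return hits


def analyse(events) -> dict:
    """Map rule name -> [(pid, detail), ...] over all events."""
    by_pid = {e.pid: e for e in events}
    findings = {}
    for ev in events:
        for rule, detail in rules(ev, by_pid):
            findings.setdefault(rule, []).append((ev.pid, detail))
    return findings


def root_of(pid: int, by_pid: dict) -> int:
    while pid in by_pid and by_pid[pid].ppid in by_pid:
        pid = by_pid[pid].ppid
    return pid


def staged_droppers(events, min_rules: int = 3) -> set:
    """Root PIDs under which at least min_rules distinct rules fired: the chain, not one LOLBin."""
    by_pid = {e.pid: e for e in events}
    per_root = {}
    for ev in events:
        for rule, _ in rules(ev, by_pid):
            per_root.setdefault(root_of(ev.pid, by_pid), set()).add(rule)
    return {pid for pid, seen in per_root.items() if len(seen) >= min_rules}


if __name__ == "__main__":
    for rule, where in analyse(EVENTS).items():
        print(f"{rule:24} {where}")
    print("staged droppers:", staged_droppers(EVENTS))
```

Each rule on its own is noisy (ping -n from a script, or a .exe.com name, has benign uses); the staged_droppers view scores the whole tree under one root, so the dropper is flagged only when several of the stages appear together, which is what distinguishes this chain from a single odd command.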
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Implorando.mid
Filesize: 872KB
MD5: 37ff73dabe362f9298351c8693cb8725
SHA1: 30344545902a4e23fb4313bd93d16205536f55eb
SHA256: c294a1bb47c7f107272d37b86c758039920f066701ba06b439646385b621214f
SHA512: 31f52019c81b2fee5ab2def4c0801f07a16ea58b9b326921f164095f3c34df644d7a3a27dd1a8772e173f73a717c7fa724b399883ae6f43b4678d87d157e99a7

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Naufrago.exe.com
Filesize: 872KB
MD5: c56b5f0201a3b3de53e561fe76912bfd
SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ore.mid
Filesize: 660B
MD5: 3eb2d46a619ae2119e3aae57ff87a051
SHA1: cdae20ad65fe853a7f5193d30b4ed541291d10b2
SHA256: 45b63d95d59e900b9d0a065694ecd5049d822f768a7324962a3fb8d8c14d447f
SHA512: e975d17b44def8a837fb6c8e6284a4630e8f2eb3ba08144dda44ed42c9a05e26e977e1b6e0e3c38037a080a731f0c2490d03e1485069b52da992da6429423349

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sorso.mid
Filesize: 700KB
MD5: 912beeb3b0a46f21952b72dbcd598c58
SHA1: adf632d0da955983b00c25a25a0f3ef8e4e9cdbd
SHA256: 2e08a01b1806b7eb7a945043a1e20fd0a4cd182fa5a06b02169dcfea3f10c871
SHA512: 3264d65f58ec079a9dc42608e270e709e898cee88bb9c0eaa3a3d8a7b084b51a62d1c12a0ec27740a1f3d4f472f7ad1451048e71bc73e7cf82e3e1891415ca6e

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Specie.mid
Filesize: 634KB
MD5: f27f237a4cb2dc1778854ad6b0aa4072
SHA1: afc03486054cd003a21e2b0be2535a4859befaa2
SHA256: 221e356e2c0892ad0b209edb29f17dd147ea7a3f8cf6b4e36160b23030d24685
SHA512: d7595174e5be53518d9d4d793c8a53e5528b2affaceb2e8b1e77e0762693ef39fc79af176f2e27d83599a66dc621ab2fcb3e68abd5924c4f69af16695c55d771

C:\Users\Admin\AppData\Local\Temp\eSYrcY3L8\SrsEDIIIKy1s.zip
Filesize: 38KB
MD5: 5cbac01d7a5b5234e22598806bc4167e
SHA1: 97b07909deacedc4a7358c671b2fbafd60aa959f
SHA256: 6fa028c64fb149f8506ca925da81a26506e2a4dff296d0cf0b1a7c3e95c9919b
SHA512: 1f6daeb08887c146f84804737c974a4f9bedf0daeb9db3ae24f4333a6b2ba10c8dd1335924266c525c28dbcb50ca47dfb426aa116e351cf9fac5918ad40f2faa

C:\Users\Admin\AppData\Local\Temp\eSYrcY3L8\_Files\_Information.txt
Filesize: 1KB
MD5: 42b8dd9045a86263fdd1f4ff120bf313
SHA1: 3e5a1ea44bc1aaa03aee2a17dc4aebb63aac34bf
SHA256: 17c4cc6e4ec8b37329bf4da887da7430be297a7830289d68aaa9d5e9b5c8538b
SHA512: 5761fc3fff34e0c33d59c9908ba23787349646010b7760db6cdba14cd783ac132ddae86b82d066f0e73b40319a026c018fcc9c1b119ea0d4dd34c327609cbee7

C:\Users\Admin\AppData\Local\Temp\eSYrcY3L8\_Files\_Information.txt
Filesize: 1KB
MD5: c29ac03a8080df3921a6ab57a5e944c6
SHA1: 3a73e63b957088423895bf1835c8c8334a6ed4f3
SHA256: 90bae1f593ba794b8dad4cd296ed942b74df53348761178553ed01ff61adb113
SHA512: 92fd3b0936cb9dd3919470d8851a07060782d8d5034d8df12eb5f82690e0fb58f92386010107cc5ba0fb1b1604932570b0cafe2235d9afbab58d163c3e565905

C:\Users\Admin\AppData\Local\Temp\eSYrcY3L8\_Files\_Information.txt
Filesize: 4KB
MD5: c5ab7db085873c20ccc960b1e76b887e
SHA1: 2c8d036ab3005c65483bb7f0cc70231ec7ef39f3
SHA256: f13051ef79e5e8dd8c1612205a76d40f781b85cd1f2b5c5e83ca9cb6a0f902a4
SHA512: 843b106287d7bd71ac86d57c4ffb88cf8ed0afc7bb5752b6e9e95fd8d4b4f3da0f44f2a4719be6ef0ed3d4f08628f1f655a1b9b1943c70debd7e10ae5719e0b3

C:\Users\Admin\AppData\Local\Temp\eSYrcY3L8\_Files\_Screen_Desktop.jpeg
Filesize: 44KB
MD5: 0303babcb80b13d3ca35b991c5448f35
SHA1: 07edff1569d4abb4f1a867e815c1bd7f28b0fc49
SHA256: a9819d1527d11a8895a658d9c621c3014209d4e68bf49a4b355e123f8c9c04f8
SHA512: 158e0015389f3e71895cbb7d82fa745f6bb0bee06fe8b078651f9cd6c82e9d02d09cf0aea25c8c8d0105e7b8a567f93bd5d4e5548252b49736ce2f5c8e5b9384

C:\Users\Admin\AppData\Local\Temp\eSYrcY3L8\files_\system_info.txt
Filesize: 700B
MD5: d297a59d81fa4818d0750c3ac9ca4681
SHA1: 5f8517dc4bb72d645423c6c0fc76852b0e53e747
SHA256: 48aeb56c7b802cedc1ffda5e2bc92eb7207905523e0fc5089cc7dbc9985277fa
SHA512: 802b2065d06669f97dbf1130bdb23d7c6d346fda9aab6b19dd18748cb97fedb6d3e1c22d3d29f1d3c45fff0316b469d358a1932f482feb10f99f2496174c6861

C:\Users\Admin\AppData\Local\Temp\eSYrcY3L8\files_\system_info.txt
Filesize: 1KB
MD5: 7bbdfd1954cb544f3129fd123ce28903
SHA1: fe34f21ee42bac249137daf5f57d80a5d23ea213
SHA256: 0e056bdfe93b56170076e833d1af75eb6f387904a043f57fb5f89386b5a023c6
SHA512: 3c09e138a1b22858f8175970930da6c52d68c6c27fbe47d30f274c0668c0eb4a2a88b4399379d25e83ecbf1394408a2ee19583965585477bf83e0333bbc99fdb

C:\Users\Admin\AppData\Local\Temp\eSYrcY3L8\files_\system_info.txt
Filesize: 4KB
MD5: 7d525a7b191e1df275453cb95dfb8bcf
SHA1: d53cf2d8c00514e4536fa799bd8ec9a2eee2057b
SHA256: 492cd428f647e0fbf40b1ed39540f91cfed1a3e8889004a1f17e5e79b5080510
SHA512: 32cce8cda98f58d60bc0e5ab2d028f8aebe7202c60952f58039a24493f339df2b38cde7be9eb8898eec6d8e14b4841b521093d86592a6af28dcf3199d2d074cc

memory/1016-21-0x0000000002090000-0x0000000002091000-memory.dmp
Filesize: 4KB

memory/1016-29-0x0000000004730000-0x00000000047D3000-memory.dmp
Filesize: 652KB

memory/1016-27-0x0000000004730000-0x00000000047D3000-memory.dmp
Filesize: 652KB

memory/1016-26-0x0000000004730000-0x00000000047D3000-memory.dmp
Filesize: 652KB

memory/1016-25-0x0000000004730000-0x00000000047D3000-memory.dmp
Filesize: 652KB

memory/1016-24-0x0000000004730000-0x00000000047D3000-memory.dmp
Filesize: 652KB

memory/1016-23-0x0000000004730000-0x00000000047D3000-memory.dmp
Filesize: 652KB

memory/1016-22-0x0000000004730000-0x00000000047D3000-memory.dmp
Filesize: 652KB

memory/1016-237-0x0000000004730000-0x00000000047D3000-memory.dmp
Filesize: 652KB
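The memory dumps are all from PID 1016, the second Naufrago.exe.com (the child of the self-relaunch in the process tree), and eight of the nine cover the same 0x4730000-0x47D3000 region that carries every family_cryptbot hit in the Signatures section; the eSYrcY3L8 directory above holds the stealer's collection output (system and information text files rewritten as collection proceeds, a desktop screenshot, and a zip). The Python below is an added example, not part of the sandbox report: it parses the memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp identifiers into regions, reproduces the whole-KB size the report prints, and checks that all YARA hits fall in one region of one process and in which dump that region was first captured. The identifier lists are copied from this report; the function names are this example's own.

```python
"""Parser for the memory-dump identifiers used in the Downloads list and the YARA hits.

Added example, not part of the sandbox report. DUMPS and YARA_HITS are copied from
the report above; everything else is this example's own.
"""
import re
from collections import defaultdict

MEM_RE = re.compile(
    r"^(?:behavioral\d+/)?memory/(?P<pid>\d+)-(?P<seq>\d+)"
    r"-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_region(name: str) -> dict:
    """Split one identifier into pid, dump sequence number and address range."""
    m = MEM_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a memory dump identifier: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name!r}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def size_label(nbytes: int) -> str:
    """Whole-KB label in the style the report prints (0xA3000 bytes -> 652KB)."""
    return f"{nbytes // 1024}KB"


# The nine dump identifiers from the Downloads list.
DUMPS = [
    "memory/1016-21-0x0000000002090000-0x0000000002091000-memory.dmp",
    "memory/1016-29-0x0000000004730000-0x00000000047D3000-memory.dmp",
    "memory/1016-27-0x0000000004730000-0x00000000047D3000-memory.dmp",
    "memory/1016-26-0x0000000004730000-0x00000000047D3000-memory.dmp",
    "memory/1016-25-0x0000000004730000-0x00000000047D3000-memory.dmp",
    "memory/1016-24-0x0000000004730000-0x00000000047D3000-memory.dmp",
    "memory/1016-23-0x0000000004730000-0x00000000047D3000-memory.dmp",
    "memory/1016-22-0x0000000004730000-0x00000000047D3000-memory.dmp",
    "memory/1016-237-0x0000000004730000-0x00000000047D3000-memory.dmp",
]
# The five resources from the "CryptBot payload" signature.
YARA_HITS = [
    "behavioral2/memory/1016-25-0x0000000004730000-0x00000000047D3000-memory.dmp",
    "behavioral2/memory/1016-26-0x0000000004730000-0x00000000047D3000-memory.dmp",
    "behavioral2/memory/1016-27-0x0000000004730000-0x00000000047D3000-memory.dmp",
    "behavioral2/memory/1016-29-0x0000000004730000-0x00000000047D3000-memory.dmp",
    "behavioral2/memory/1016-237-0x0000000004730000-0x00000000047D3000-memory.dmp",
]


def regions_by_pid(names) -> dict:
    """pid -> {(start, end): [dump sequence numbers, ascending]}."""
    out = defaultdict(dict)
    for r in map(parse_region, names):
        out[r["pid"]].setdefault((r["start"], r["end"]), []).append(r["seq"])
    return {pid: {k: sorted(v) for k, v in regs.items()} for pid, regs in out.items()}


def payload_region(hits) -> tuple:
    """The single (pid, start, end) shared by all hits; ValueError if they disagree."""
    keys = {(r["pid"], r["start"], r["end"]) for r in map(parse_region, hits)}
    if len(keys) != 1:
        raise ValueError(f"hits span {len(keys)} regions: {sorted(keys)}")
    return keys.pop()


def first_dump_of(names, pid: int, start: int, end: int) -> int:
    """Earliest dump sequence number in which the region was captured."""
    return regions_by_pid(names)[pid][(start, end)][0]


if __name__ == "__main__":
    pid, start, end = payload_region(YARA_HITS)
    print(f"payload region: pid {pid} 0x{start:X}-0x{end:X} ({size_label(end - start)})")
    print("first captured in dump seq", first_dump_of(DUMPS, pid, start, end))
```

The region is captured from dump 22 onward but only matches family_cryptbot from dump 25, so the unpacked payload is written into that buffer in stages; dumps 22 to 24 are the ones to diff against 25 when looking for the unpacking routine.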