Analysis
-
max time kernel
147s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system -
submitted
11-04-2024 04:44
Static task
static1
Behavioral task
behavioral1
Sample
ecb1af6d6c9818c93ffb5c9a54ea9a8a_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
-
Target
ecb1af6d6c9818c93ffb5c9a54ea9a8a_JaffaCakes118.exe
-
Size
1.6MB
-
MD5
ecb1af6d6c9818c93ffb5c9a54ea9a8a
-
SHA1
c74e20b6423d7536429ff8593c45ab6b999e473b
-
SHA256
7ef4fa243476257544a992beb265e6f26ea3a3f439488d27bd9700cae2199ae8
-
SHA512
4f5f1276b260face9b05a1c51eca4ec2d277303ffba6208ead7ed901299555705de8b50cff4dca4f2bd874d756e41a813503943c415e528d28607327b079037d
-
SSDEEP
49152:1YNosFaoyKxdY4nT+kWQZQtZOby7D/YPBVQ3IBbiLoSG:1K5a6dJPWQQtZO2PmBVQ3I1iLoZ
Malware Config
Extracted
cryptbot
-
payload_url
http://ewsjasew03.top/download.php?file=lv.exe
Signatures
-
CryptBot payload 5 IoCs
Processes:
resource | yara_rule
behavioral1/memory/5060-26-0x0000000004030000-0x0000000004113000-memory.dmp | family_cryptbot
behavioral1/memory/5060-27-0x0000000004030000-0x0000000004113000-memory.dmp | family_cryptbot
behavioral1/memory/5060-28-0x0000000004030000-0x0000000004113000-memory.dmp | family_cryptbot
behavioral1/memory/5060-30-0x0000000004030000-0x0000000004113000-memory.dmp | family_cryptbot
behavioral1/memory/5060-238-0x0000000004030000-0x0000000004113000-memory.dmp | family_cryptbot
-
Manipulates Digital Signatures 1 TTPs 3 IoCs
Attackers can apply techniques such as changing the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION" | certutil.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION" | certutil.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL" | certutil.exe
-
Executes dropped EXE 2 IoCs
Processes:
pid | process
2624 | Illusione.com
5060 | Illusione.com
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | ecb1af6d6c9818c93ffb5c9a54ea9a8a_JaffaCakes118.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Illusione.com
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Illusione.com
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid | process
5060 | Illusione.com
5060 | Illusione.com
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes:
description | pid | process | target process
PID 1840 wrote to memory of 2776 | 1840 | ecb1af6d6c9818c93ffb5c9a54ea9a8a_JaffaCakes118.exe | cmd.exe
PID 1840 wrote to memory of 2776 | 1840 | ecb1af6d6c9818c93ffb5c9a54ea9a8a_JaffaCakes118.exe | cmd.exe
PID 1840 wrote to memory of 2776 | 1840 | ecb1af6d6c9818c93ffb5c9a54ea9a8a_JaffaCakes118.exe | cmd.exe
PID 1840 wrote to memory of 2796 | 1840 | ecb1af6d6c9818c93ffb5c9a54ea9a8a_JaffaCakes118.exe | cmd.exe
PID 1840 wrote to memory of 2796 | 1840 | ecb1af6d6c9818c93ffb5c9a54ea9a8a_JaffaCakes118.exe | cmd.exe
PID 1840 wrote to memory of 2796 | 1840 | ecb1af6d6c9818c93ffb5c9a54ea9a8a_JaffaCakes118.exe | cmd.exe
PID 2796 wrote to memory of 2068 | 2796 | cmd.exe | certutil.exe
PID 2796 wrote to memory of 2068 | 2796 | cmd.exe | certutil.exe
PID 2796 wrote to memory of 2068 | 2796 | cmd.exe | certutil.exe
PID 2796 wrote to memory of 4608 | 2796 | cmd.exe | cmd.exe
PID 2796 wrote to memory of 4608 | 2796 | cmd.exe | cmd.exe
PID 2796 wrote to memory of 4608 | 2796 | cmd.exe | cmd.exe
PID 4608 wrote to memory of 1208 | 4608 | cmd.exe | findstr.exe
PID 4608 wrote to memory of 1208 | 4608 | cmd.exe | findstr.exe
PID 4608 wrote to memory of 1208 | 4608 | cmd.exe | findstr.exe
PID 4608 wrote to memory of 2580 | 4608 | cmd.exe | certutil.exe
PID 4608 wrote to memory of 2580 | 4608 | cmd.exe | certutil.exe
PID 4608 wrote to memory of 2580 | 4608 | cmd.exe | certutil.exe
PID 4608 wrote to memory of 2624 | 4608 | cmd.exe | Illusione.com
PID 4608 wrote to memory of 2624 | 4608 | cmd.exe | Illusione.com
PID 4608 wrote to memory of 2624 | 4608 | cmd.exe | Illusione.com
PID 4608 wrote to memory of 4964 | 4608 | cmd.exe | PING.EXE
PID 4608 wrote to memory of 4964 | 4608 | cmd.exe | PING.EXE
PID 4608 wrote to memory of 4964 | 4608 | cmd.exe | PING.EXE
PID 2624 wrote to memory of 5060 | 2624 | Illusione.com | Illusione.com
PID 2624 wrote to memory of 5060 | 2624 | Illusione.com | Illusione.com
PID 2624 wrote to memory of 5060 | 2624 | Illusione.com | Illusione.com
Processes
-
Process tree (number in brackets is the depth; indentation shows parent/child):

[1] C:\Users\Admin\AppData\Local\Temp\ecb1af6d6c9818c93ffb5c9a54ea9a8a_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\ecb1af6d6c9818c93ffb5c9a54ea9a8a_JaffaCakes118.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c dOPsYvb
    [2] C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c certutil -decode Sorso.xltm Pallore.accde & cmd < Pallore.accde
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\certutil.exe
            command line: certutil -decode Sorso.xltm Pallore.accde
            - Manipulates Digital Signatures
        [3] C:\Windows\SysWOW64\cmd.exe
            command line: cmd
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\findstr.exe
                command line: findstr /V /R "^VagMWnXqBIFcKZdYcTQuiOWIjFBjSYnEBJsCtnoFZOuMjCNfLyEyGViicGmsXKiClqUqIOUWLkuzIlcJRjBNxaYFClubZRHgGDBk$" Sapro.vst
            [4] C:\Windows\SysWOW64\certutil.exe
                command line: certutil -decode Subitanea.xlsx l
            [4] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Illusione.com
                command line: Illusione.com l
                - Executes dropped EXE
                - Suspicious use of WriteProcessMemory
                [5] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Illusione.com
                    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Illusione.com l
                    - Executes dropped EXE
                    - Checks processor information in registry
                    - Suspicious use of FindShellTrayWindow
            [4] C:\Windows\SysWOW64\PING.EXE
                command line: ping 127.0.0.1 -n 30
                - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\BbXUcQOXvv\_Files\_Information.txt
Filesize 1KB
MD5 7f61405e530a5f92af91aafe78c7a832
SHA1 c48aad7627b70ca6beddb95c4e7a524ad555439d
SHA256 2d5758970fcefe9163fd23b83ed2af5d9856d090290d6df547599169fb25c69b
SHA512 d68a00a796b996c4436e1129d4af0f02d0b1ae492cf10276679232b9218efbd7c7a037f16a4fbfabca8f13d45fd42473144119db084b6dc2611dc37a0f3dfa6e
-
C:\Users\Admin\AppData\Local\Temp\BbXUcQOXvv\_Files\_Information.txt
Filesize 2KB
MD5 2dcd09067b9dd838b91ee26ffed31faa
SHA1 720829e4b68925924372cb4e1aa48152451ec8a0
SHA256 319e4427d6e285e9577dddbb5dd0b55468aa7a422eb230a0e15f962bf87a54a6
SHA512 e798b92a09ba4380c0220406ebbb362c426557e246828a7aad4aa9590112f02b34958d0623d0db27768109547b8d3aefedfeaf0505e530d7c6eedb096ae27cb4
-
C:\Users\Admin\AppData\Local\Temp\BbXUcQOXvv\_Files\_Information.txt
Filesize 3KB
MD5 a15f4f7325b991615543a77a733b9ea4
SHA1 74540e2c5c6b07dd0966828fd11277fba660eabc
SHA256 15005f5afde11fe356d0585de77205931d31587c5c4e48a09c38d395abeb4e6f
SHA512 c3119ec32eb3af6a48e02600476b1f0dd62eb9d939ac61e7bdfa6ab5e2ec5c9746551988ca233cbe47e9d312d09fe6f2e48ee3923d568d09a9fee9f945f8813a
-
C:\Users\Admin\AppData\Local\Temp\BbXUcQOXvv\_Files\_Information.txt
Filesize 7KB
MD5 f46d4914e812b22645c09996eb1e80b6
SHA1 fe836a0a9f44639ac0683d066e68a929c46f988a
SHA256 6c473c10b1c79213b480ade4ed0b370600e33e27237075a6b3acbdccb736febc
SHA512 67d63bb27f59514b019ab45b268b0ca1af118fc548607fe293630735127e3aeb73e05ba96ad2a4e98d1fbfb206534e72ce5fec5e5302d15006333befa533aa28
-
C:\Users\Admin\AppData\Local\Temp\BbXUcQOXvv\_Files\_Screen_Desktop.jpeg
Filesize 49KB
MD5 9f318bf7dfae6defa2b788f23933434c
SHA1 c561a9b19870456d825724494a28a70826c4580b
SHA256 54c874b4611898dd5bda810f65730377c03eaa2f77e136d5a551ad4671914da4
SHA512 30e2cb574cc337ac8bcaf41bc7cdf048e2ad1c5c00aee0277ac73b7a0f8de13896dd115298986bc513db8a6f5d5e98edbc029fcb1f29770f09ba6c61cd71e9e2
-
C:\Users\Admin\AppData\Local\Temp\BbXUcQOXvv\files_\system_info.txt
Filesize 1KB
MD5 bd94b87af60d4e77736a045cf78fc3b5
SHA1 edbfd0382f677706db71e7236932e76f8e69de8f
SHA256 dceb681a6456883581c0986d5a778a70bd5bf0454407ffac2580c4d4cbf041f3
SHA512 22328b7aa15709eb37f6c7cf9a0f442278887d3d39dfe34e2f31cedf5f0fd41935a9fffb6ec8da2fa13cdf03d70dd9224bc005ea7c2fea906430c1e58474b0b4
-
C:\Users\Admin\AppData\Local\Temp\BbXUcQOXvv\files_\system_info.txt
Filesize 1KB
MD5 f8bf07e60b0c9b03569d732d41be8234
SHA1 06955567d8c016fef76ef1056e89ef30c49dd1f5
SHA256 04f575afce6355503b6fde2834bb42fca6ee1ce8c0a2f6aa9ffe5593126ecb3d
SHA512 184698e2d0fadcfe6a0bca6dc611bc00045f93097450d143b2e13c68c99d0a0a7befeaf5eec820d5443fcd75a25952e0e327be3fcac4d0363bbaf91b9beb5910
-
C:\Users\Admin\AppData\Local\Temp\BbXUcQOXvv\files_\system_info.txt
Filesize 4KB
MD5 24c1740722dab312b0079981abb726cb
SHA1 4962588ca76638cf85ff76b7938df719835f6677
SHA256 437dc2443e2af3ff803f4efcc74d7a86006403cae746b393143675e811bc4d3a
SHA512 f6f99922983feeb88c350133f130257106a181bff32b978f08d99e73dbbfd39803839a5c12a66ce808196b566899cd35656126735b87f9e8effec29c7bc82b46
-
C:\Users\Admin\AppData\Local\Temp\BbXUcQOXvv\oTmbnaTfduvJFo.zip
Filesize 43KB
MD5 755caabd67925aa3b2013e1fccba4a5c
SHA1 2f04be1f0feea48236919e422283225156f87086
SHA256 6f9e497694533b895b68de3f22d05fcbc09b35a8562993b4b39449f037948f6b
SHA512 cd4fad5c3082b0c8884e2fd0024a4b75d2e99bf3d692dfab84f916490fae2176f056157a518841933c766d3d90738fce7463e1103bd4195dba3742cbd0c5fbe6
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Aveva.vss
Filesize 888KB
MD5 970b6737c469629d6a289d1c1ff45a62
SHA1 c94b7d73545fcfebf16d74864816de0083448afc
SHA256 6d93374eed3e39ed112d76647c8df9a0a4651970d0dec309a1370483ddd06864
SHA512 eabe5c49d52a31cda5b25e3aa8d02ff8f12eec1f02eb07818fcda6f186f87aa23ded297193ef5dcdb56bff7ea6ea42750753685a66d95e6b40a92ab0d8b63016
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Illusione.com
Filesize 921KB
MD5 78ba0653a340bac5ff152b21a83626cc
SHA1 b12da9cb5d024555405040e65ad89d16ae749502
SHA256 05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
SHA512 efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pallore.accde
Filesize 27KB
MD5 ff0a5d410cb9c7ac26fb826444110430
SHA1 999a5a7c1957091e2972974db59f02c7465e1d4a
SHA256 660bf9d18618e101d9f547ee57329731e8c36d9e6b41c22b8d2db5aceadf4e6c
SHA512 6958e216cb2b872f1df7626be10a097ef1ab8990a5cad354e2002f872acab0b162d55d882735c3f477a528cb41142f3254e68ae30b07a1ccf97e58c882c0c8cc
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sapro.vst
Filesize 921KB
MD5 524c5cb95000d79ff092ac1bbc834051
SHA1 9015a75614448901985a74caf632aca9742fb6f9
SHA256 797d9bb4e5dc777f4204fdb50ce85b3ed956e3e151c06e1d78d97663a81cd042
SHA512 6a9af9fc45e87ca35c447a409d554984820b11de2871b3ccfef9b46685055d979b17352b649dd6344f23566a1c1fe829c58994125c58b59622656dae0344a4e1
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sorso.xltm
Filesize 38KB
MD5 8ed844dfd87dade7cf42085edcbeed5b
SHA1 6a32bd4c765b720988105f155ff0f7ef24d4d635
SHA256 39960e1c7fe74e983fc1f3772a0fca8be5835d4928524dd56848b459c232756c
SHA512 26258c17fe26db165c583aa91ad33179dc5ed1069382e2dd25ed96b3061376e01bddf5dfc5ef1fdc3004741e87855bd31ddc99c0e0eb3732c575df402c1fd48c
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Subitanea.xlsx
Filesize 655KB
MD5 6f738d19c97ad52482daaeb7dd740f56
SHA1 65c1a1e843906a8f557f9d83001d61925d9bc9d2
SHA256 85cd887056455ce2d4ac5ba252eec2baa91d1f0b75f30afec153bb02941fbb88
SHA512 01733aaa9a0234bedb3714e37fdf585e5b82ece6dc5a2ddc650c4a074fed94f0190fe538e097a8e69b5eba60764c726a5606f122dcba471e1a213baa56d13869
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l
Filesize 476KB
MD5 05eb879d18fb669c75062eef75a5c50d
SHA1 9aec8a888907ece2a20d184324d9d2f61b01e592
SHA256 911dd3e2748cea7b384f51b6c5d41a5d252533b32b299f4480ce23d3595f683d
SHA512 60c832b8a164a59535ace303bd55ecaca48c63d53c46be4e28e7a539f4fcc8327cae5cbeb529119edf862e521c52c3bc529bdd8c08070785847b333836af543b
-
memory/5060-28-0x0000000004030000-0x0000000004113000-memory.dmp
Filesize 908KB
-
memory/5060-22-0x0000000001850000-0x0000000001851000-memory.dmp
Filesize 4KB
-
memory/5060-23-0x0000000004030000-0x0000000004113000-memory.dmp
Filesize 908KB
-
memory/5060-24-0x0000000004030000-0x0000000004113000-memory.dmp
Filesize 908KB
-
memory/5060-30-0x0000000004030000-0x0000000004113000-memory.dmp
Filesize 908KB
-
memory/5060-25-0x0000000004030000-0x0000000004113000-memory.dmp
Filesize 908KB
-
memory/5060-27-0x0000000004030000-0x0000000004113000-memory.dmp
Filesize 908KB
-
memory/5060-238-0x0000000004030000-0x0000000004113000-memory.dmp
Filesize 908KB
-
memory/5060-26-0x0000000004030000-0x0000000004113000-memory.dmp
Filesize 908KB