Analysis

max time kernel: 154s
max time network: 178s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-04-2024 00:31

Static task: static1
Behavioral task: behavioral1
Sample: eeb62173d7b2f4d2719c16b1dc2809fe_JaffaCakes118.exe
Resource: win7-20240221-en
General

Target: eeb62173d7b2f4d2719c16b1dc2809fe_JaffaCakes118.exe
Size: 574KB
MD5: eeb62173d7b2f4d2719c16b1dc2809fe
SHA1: acc4c9e1901a3fb601ce2f4e002023a2d8f3d556
SHA256: 6b9e4d4db87e97bddd7428853a603b4cf3de855b1016523bade50bc88904eca2
SHA512: 445ba6a41c46bcc86a815a6e293e40e5c7d9fddf91aaf0995791c30f55b0ef1c4fbf45a7a969c07226dcf8c12f2349d355186d11e196345add842cd2f55c7925
SSDEEP: 12288:1XW3sCPAMQi9JUK0cxlrS0R+gNrWL3hSh9ak87ti0WMRxwoO:1m8CPAduU5cxMHl3ho9ak87tdp
Malware Config

Extracted: cryptbot
  haiezf32.top
  morcyr03.top
  payload_url: http://zelstb04.top/download.php?file=lv.exe
Signatures

CryptBot payload (7 IoCs)
Processes:
  resource                                                                    yara_rule
  behavioral2/memory/4496-2-0x0000000004A90000-0x0000000004B30000-memory.dmp    family_cryptbot
  behavioral2/memory/4496-3-0x0000000000400000-0x0000000002CC7000-memory.dmp    family_cryptbot
  behavioral2/memory/4496-4-0x0000000000400000-0x0000000002CC7000-memory.dmp    family_cryptbot
  behavioral2/memory/4496-5-0x0000000000400000-0x0000000002CC7000-memory.dmp    family_cryptbot
  behavioral2/memory/4496-114-0x0000000000400000-0x0000000002CC7000-memory.dmp  family_cryptbot
  behavioral2/memory/4496-218-0x0000000000400000-0x0000000002CC7000-memory.dmp  family_cryptbot
  behavioral2/memory/4496-220-0x0000000004A90000-0x0000000004B30000-memory.dmp  family_cryptbot

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: eeb62173d7b2f4d2719c16b1dc2809fe_JaffaCakes118.exe
  description        ioc                                                                                    process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                        eeb62173d7b2f4d2719c16b1dc2809fe_JaffaCakes118.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString    eeb62173d7b2f4d2719c16b1dc2809fe_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: eeb62173d7b2f4d2719c16b1dc2809fe_JaffaCakes118.exe
  pid   process
  4496  eeb62173d7b2f4d2719c16b1dc2809fe_JaffaCakes118.exe
  4496  eeb62173d7b2f4d2719c16b1dc2809fe_JaffaCakes118.exe
Processes

C:\Users\Admin\AppData\Local\Temp\eeb62173d7b2f4d2719c16b1dc2809fe_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\eeb62173d7b2f4d2719c16b1dc2809fe_JaffaCakes118.exe"
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4120 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Temp\ArvrdiZ6X\26WnhhAJARcCG.zip
  Filesize: 37KB
  MD5: 34766529a6148515719569bf651ea292
  SHA1: 7324634e7b9ab9008b85b9b8e9ef8a9897955e58
  SHA256: 79418f19c2bc2b82ecb2b3fd827a81e5891a94772ce8112ba468646b11b28d61
  SHA512: ec303f8df85d47888e462e31af8e9abd176c550466b0ba08e629909177ead0e76e6cacbe2bf785210e1cc1349a454f619c01033b31801323523047d51d7898b3

C:\Users\Admin\AppData\Local\Temp\ArvrdiZ6X\_Files\_Information.txt
  Filesize: 1KB
  MD5: b2056a9bba4bbe9f72ade25a68aaec8a
  SHA1: 9c27d574c74d81a56b255c01cdbdba0d297e61e5
  SHA256: 69a0812e70784b2db6398373318078990dc7d695f6349e743694a7d27d7c845b
  SHA512: 102a8e935f35f3b0f6f4091030cace68ce05517a88fa9b48a9ac07299f73163f126a4bdac1b7429d8d589e1ffc910c0246b97fcdceb80298862606da84cf5b37

C:\Users\Admin\AppData\Local\Temp\ArvrdiZ6X\_Files\_Information.txt
  Filesize: 3KB
  MD5: bbc858c6a01006d66ae901145801fbce
  SHA1: e87b2e325c1db0e571121ee5cf43f774a72d4dcf
  SHA256: d1b9bb0077dcb3f6bb0f861bb60d2e7ff1135842303af29b6d905acc0249f085
  SHA512: 121b14d664d41ea3f4c28643d2508e0b4e45d6ea8ead5c25a711ffb72d154ae5ad1058eeb6f434f1ceec7c06ed7d87d0ba946c4f6935fc28f50c258959eb8fa2

C:\Users\Admin\AppData\Local\Temp\ArvrdiZ6X\_Files\_Information.txt
  Filesize: 4KB
  MD5: 4aee1149f6846d92e2fe8ac51a889fbe
  SHA1: 799ed78078362ab28a22dbdb4aaca1475b0a8a19
  SHA256: 181141553ebe4f88ef2d9b84ea6b8fb9678d088e20dfd1e0b02b3acb42993d50
  SHA512: b1c910a1e926e1338885d5f5670fe9e6448ddca9a096f9dacfb1200220cf68156cf6401e7f3a98bc9a7a6f33d324906e776ef0ab7af5695ea70673e449d530f5

C:\Users\Admin\AppData\Local\Temp\ArvrdiZ6X\_Files\_Screen_Desktop.jpeg
  Filesize: 43KB
  MD5: a5764cf22b5976aac88028abcfd53d5a
  SHA1: 675589498961c126ad97ce75a8303c866b0b3660
  SHA256: b94f668d447da106bef509dda0949a280889e4bb0596800684fc088539938630
  SHA512: 32059fd669edeebaa4c8590c515b644d75245b2180968d9d0aa46625acd4d5a58d93fb9d1666f78cac16d2e62906139d6934ea360fe7616f806003716f9ba356

C:\Users\Admin\AppData\Local\Temp\ArvrdiZ6X\files_\system_info.txt
  Filesize: 746B
  MD5: fb0b59274f2dc273a1a45be25aff469f
  SHA1: d9675069bdbc44f7bc851c0610c1ec8bc7b0dfa0
  SHA256: 144f05cdfb122efae6f5420673fa99d41e72a02b9aa5bd7e98a5a07f2832cecf
  SHA512: 4b280b7f00b170cbb3fd3557845509d6ab747b53fb3e3ca43dce734daee1873668cae1b0deaf4b8953bbb8b6a5951dd238404ae79aa7ebb0f5b7d3a2cbd514c3

C:\Users\Admin\AppData\Local\Temp\ArvrdiZ6X\files_\system_info.txt
  Filesize: 1KB
  MD5: bd2b7e04f35adb917401b13f76bf6040
  SHA1: c7e0ed885793fee4e5efd424f6a8cf85be5d419d
  SHA256: b5e7fdc9fe745d4cd288e6cd166d34ba62756e04913caf90d92894a80cd98373
  SHA512: 0f9417a89b796b7b9618397d4b7edcbf2ef2fbd6d6ad946cc943d24c786d46e32b1d06c874f282bbdbf2114aa3f20fef0ded1cde85d1bae90d48860268cd4c9d

C:\Users\Admin\AppData\Local\Temp\ArvrdiZ6X\files_\system_info.txt
  Filesize: 7KB
  MD5: dacb88beef1c66255a474085517602bd
  SHA1: 6865bf07312f4a99bb11a1f65005a36f060be54b
  SHA256: b83c17e40aeef02682881e60319fd5395023c9c780b6641d7e850e98296c742c
  SHA512: ce75ab978a58bf87380f946250cfc4b7662077c9f2f19b027674da333b93fa8c3b2f605f41d0defeb389cee9174d91738a5f36f1a9424faae19cc19105279dd4

memory/4496-5-0x0000000000400000-0x0000000002CC7000-memory.dmp
  Filesize: 40.8MB

memory/4496-114-0x0000000000400000-0x0000000002CC7000-memory.dmp
  Filesize: 40.8MB

memory/4496-4-0x0000000000400000-0x0000000002CC7000-memory.dmp
  Filesize: 40.8MB

memory/4496-3-0x0000000000400000-0x0000000002CC7000-memory.dmp
  Filesize: 40.8MB

memory/4496-1-0x0000000003000000-0x0000000003100000-memory.dmp
  Filesize: 1024KB

memory/4496-218-0x0000000000400000-0x0000000002CC7000-memory.dmp
  Filesize: 40.8MB

memory/4496-219-0x0000000003000000-0x0000000003100000-memory.dmp
  Filesize: 1024KB

memory/4496-220-0x0000000004A90000-0x0000000004B30000-memory.dmp
  Filesize: 640KB

memory/4496-2-0x0000000004A90000-0x0000000004B30000-memory.dmp
  Filesize: 640KB