General

  • Target

    f23000a51a7ac80b39bab71e83c3983a_JaffaCakes118

  • Size

    1.5MB

  • Sample

    240415-3n9arabd98

  • MD5

    f23000a51a7ac80b39bab71e83c3983a

  • SHA1

    647a3ce6cfc9e4a4f5c952678d8c7bda038a14f5

  • SHA256

    bd7020c913d0170d15354c8e693a4b2469d2332768ef477c702bd1c51e41887c

  • SHA512

    e7193498cea1d3a56a4a207c3f94aff45b591d4dc95b2ba67830a1252dd79560b63c8abdb36216f90e74fae22123c38f82b606953551ca54f1b015ca987ee7f3

  • SSDEEP

    24576:VyEptD7sRjWDFtr9xE8OoNTtfvJeqkIftCstIt2J5CNmfh8+IED471iuejTya:jZARsFtrTRbdtw4tC0LkyqED4xiuej

Malware Config

  Extracted

  • Family

    cryptbot

  • C2

    ewaqfe45.top
    morjau04.top

  • Attributes

    payload_url: http://winhaf05.top/download.php?file=lv.exe

Targets

    • Target

      f23000a51a7ac80b39bab71e83c3983a_JaffaCakes118

    • CryptBot

      A C++ stealer distributed widely in bundles with other software.

    • CryptBot payload

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar profile data.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      Aggiogati.pptx

    • Size

      872KB

    • MD5

      f435197ac66954c9aaa768c402bb2f6e

    • SHA1

      81cb16becf08ab1cb2d88c1a0d51872aac7af78f

    • SHA256

      682c0c70fdc6522a9ee445de9439348405b945ef9707b983ddf3e88c869ea576

    • SHA512

      ca39a95f003340290b4ae5037313432061c1213f976253bbda8b5149f0f1e295cacbc43dbe63fa1cc54e5336a3161eac7962f73afad775a4122ad23f0330117b

    • SSDEEP

      12288:CpVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:CT3E53Myyzl0hMf1tr7Caw8M01

    • Score

      1/10

    • Target

      Fresco.pptx

    • Size

      733KB

    • MD5

      6ef148867d1e6e66271e86d6bfab3869

    • SHA1

      589cfd4129777c088f4b53f5dc723ada5f51b302

    • SHA256

      0768633b95a60df47da99c4f6c92cb703c61e547652e6831ff918a9c48ae7720

    • SHA512

      8ba444184340843551dbe1dbec38f15a8a30aa3e97811e300b4fcae2c791254c84576d3b8d7299cca48ae0a3a8e443bbc71d0325283df7a46773747ef72b41e3

    • SSDEEP

      12288:FFoEOMuKv6UbT/Me7QIKclK/MnItmmsrvU1lUwCT27BQmN6oTwdBMf1Aq42Z2Ckk:PoEu46UbAe7ZlGEcc6vZIA/mWt3VmDW

    • Score

      1/10

    • Target

      Pel.pptx

    • Size

      487B

    • MD5

      b508376c348b13291d124eab9cce3534

    • SHA1

      26e23e157da1b214a98d84c581c103a97d2f4121

    • SHA256

      a0a6240b767c17f2bbe16985044599f369fdee62ee626a4326e975edbb01a9b4

    • SHA512

      018c7dcf04180da81065647d957e4d08e40ee7e6ca93fe70ab6bfa49ab8532fcd40fe9add8ddc09816e343f04174b1d3e3dc16ba4cd7c93545814fc1992256b8

    • Score

      1/10

    • Target

      Seduce.pptx

    • Size

      634KB

    • MD5

      c5a42d35b245941d0acde1ecc0858cd2

    • SHA1

      d34859da52fe96c5ea0b580d24dd05404af91a89

    • SHA256

      0f7917bc1c77ced2004a06f52195e492fcbc4a1bee59f345dd8210df14e12e4c

    • SHA512

      a6d283988467152fe85fa9bac1f6dbd7fa88631af90198d10b912b5589186b1a8920ec3f8a6fee5ce3c58c415c860ab429b10c1d1c77de2a3f4c91843ee63564

    • SSDEEP

      12288:apP74pS2FftpNhsbIvSwPW99EJlCI4pNBZo63Q6EG3hk1V0f71CWobeFXbN+D:8ktfttsbIM2JlCIqfhgc3sV471RseFJk

    • Score

      1/10

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • Boot or Logon Autostart Execution (T1547): 1
  • Registry Run Keys / Startup Folder (T1547.001): 1

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 1
  • Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion

  • Modify Registry (T1112): 5

Credential Access

  • Unsecured Credentials (T1552): 2
  • Credentials In Files (T1552.001): 2

Discovery

  • Query Registry (T1012): 10
  • System Information Discovery (T1082): 10
  • Remote System Discovery (T1018): 1

Collection

  • Data from Local System (T1005): 2