Analysis
- max time kernel: 148s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-04-2024 04:57
Static task: static1
Behavioral task: behavioral1
- Sample: f2bd0df5311675a26219beb6a7ecf4c3_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: f2bd0df5311675a26219beb6a7ecf4c3_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
- Target: f2bd0df5311675a26219beb6a7ecf4c3_JaffaCakes118.exe
- Size: 1.5MB
- MD5: f2bd0df5311675a26219beb6a7ecf4c3
- SHA1: a7bd8e4857dfbb5186f822868422a25628c8981c
- SHA256: 20f73e57b047b1b45f2537f0780b17cd5ad2324a60bacfd05ebf796f8ff51da3
- SHA512: 756052c3ddce25b2987464d01f2532ecd1b876ee279a2ac6c09cb725819bcfcb986dc1ad029747ccef27ab284c25c252151f9fb5ceecaa6b6d6fe7f7075bf14d
- SSDEEP: 24576:KGFBn/Vm6itNg/LpSxvsfC3KIZGhbOvYbCXOg8EpGw65lMuwDS14fbUaEmAlUEFn:FFBnNmlCjoxZZdvYbCXOTzwWvwG10bC+
Malware Config
Extracted
- cryptbot
  - ewazda75.top
  - moraiw07.top
- payload_url: http://winfyn10.top/download.php?file=lv.exe
Signatures
- CryptBot payload (5 IoCs)
  Processes (resource, yara_rule):
  - behavioral2/memory/2152-25-0x0000000003E70000-0x0000000003F13000-memory.dmp family_cryptbot
  - behavioral2/memory/2152-26-0x0000000003E70000-0x0000000003F13000-memory.dmp family_cryptbot
  - behavioral2/memory/2152-27-0x0000000003E70000-0x0000000003F13000-memory.dmp family_cryptbot
  - behavioral2/memory/2152-29-0x0000000003E70000-0x0000000003F13000-memory.dmp family_cryptbot
  - behavioral2/memory/2152-243-0x0000000003E70000-0x0000000003F13000-memory.dmp family_cryptbot
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  - 1188 Obliare.exe.com
  - 2152 Obliare.exe.com
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" f2bd0df5311675a26219beb6a7ecf4c3_JaffaCakes118.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
  - Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Obliare.exe.com
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Obliare.exe.com
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes (pid, process):
  - 2152 Obliare.exe.com
  - 2152 Obliare.exe.com
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes (description; pid process -> target process):
  - PID 3868 wrote to memory of 5068; 3868 f2bd0df5311675a26219beb6a7ecf4c3_JaffaCakes118.exe -> dllhost.exe
  - PID 3868 wrote to memory of 5068; 3868 f2bd0df5311675a26219beb6a7ecf4c3_JaffaCakes118.exe -> dllhost.exe
  - PID 3868 wrote to memory of 5068; 3868 f2bd0df5311675a26219beb6a7ecf4c3_JaffaCakes118.exe -> dllhost.exe
  - PID 3868 wrote to memory of 2108; 3868 f2bd0df5311675a26219beb6a7ecf4c3_JaffaCakes118.exe -> cmd.exe
  - PID 3868 wrote to memory of 2108; 3868 f2bd0df5311675a26219beb6a7ecf4c3_JaffaCakes118.exe -> cmd.exe
  - PID 3868 wrote to memory of 2108; 3868 f2bd0df5311675a26219beb6a7ecf4c3_JaffaCakes118.exe -> cmd.exe
  - PID 2108 wrote to memory of 856; 2108 cmd.exe -> cmd.exe
  - PID 2108 wrote to memory of 856; 2108 cmd.exe -> cmd.exe
  - PID 2108 wrote to memory of 856; 2108 cmd.exe -> cmd.exe
  - PID 856 wrote to memory of 4428; 856 cmd.exe -> findstr.exe
  - PID 856 wrote to memory of 4428; 856 cmd.exe -> findstr.exe
  - PID 856 wrote to memory of 4428; 856 cmd.exe -> findstr.exe
  - PID 856 wrote to memory of 1188; 856 cmd.exe -> Obliare.exe.com
  - PID 856 wrote to memory of 1188; 856 cmd.exe -> Obliare.exe.com
  - PID 856 wrote to memory of 1188; 856 cmd.exe -> Obliare.exe.com
  - PID 856 wrote to memory of 2196; 856 cmd.exe -> PING.EXE
  - PID 856 wrote to memory of 2196; 856 cmd.exe -> PING.EXE
  - PID 856 wrote to memory of 2196; 856 cmd.exe -> PING.EXE
  - PID 1188 wrote to memory of 2152; 1188 Obliare.exe.com -> Obliare.exe.com
  - PID 1188 wrote to memory of 2152; 1188 Obliare.exe.com -> Obliare.exe.com
  - PID 1188 wrote to memory of 2152; 1188 Obliare.exe.com -> Obliare.exe.com
Processes (tree; the number in brackets is the nesting depth reported by the sandbox)
- [1] C:\Users\Admin\AppData\Local\Temp\f2bd0df5311675a26219beb6a7ecf4c3_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\f2bd0df5311675a26219beb6a7ecf4c3_JaffaCakes118.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\dllhost.exe
    command line: dllhost.exe
  - [2] C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c cmd < Tese.cda
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe
      command line: cmd
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\findstr.exe
        command line: findstr /V /R "^SkrprNmxsapVXgwQJIfBGsUyrxvnNVjZIUgrROXCmqXbKCPONriyOFRAsXuJsqHvuphrqXYVLNeFxvcAEILJNukeeNMTIhknzBsAgMNPyjzqDkuV$" Far.cda
      - [4] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Obliare.exe.com
        command line: Obliare.exe.com q
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        - [5] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Obliare.exe.com
          command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Obliare.exe.com q
          - Executes dropped EXE
          - Checks processor information in registry
          - Suspicious use of FindShellTrayWindow
      - [4] C:\Windows\SysWOW64\PING.EXE
        command line: ping localhost -n 30
        - Runs ping.exe
- [1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1040 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\1sgwqg5\EQtOTjbkayaSca.zip
  Filesize: 252KB
  MD5: db6c142a55f0a9a259e95c3eab1b45ac
  SHA1: de8e619e661b329c1f618cb16864245ff211110c
  SHA256: 093ae3706deb63dc1a85be177f631e7fb3e8df52a4f9e681b2aa6f2601ada58c
  SHA512: 36aa1a2df335e91478fc431be768bc970e4a5d95ee00e1f15540938038691223a6a9a6e1a6ff46f5bfc0a88cbb2987ae90fa06941bf704ff3348b5396f99f402
- C:\Users\Admin\AppData\Local\Temp\1sgwqg5\_Files\_Files\OutRestore.txt
  Filesize: 208KB
  MD5: 5122aaf43b327229ebb3082972f1b5ca
  SHA1: da82ab8ea98a673d7417885b6577a46402fabacf
  SHA256: bf53a60320b7a7c19019013ad73084023d47ddd95cd507295a3e0e0d4a5b564a
  SHA512: f9b6ea25da1e344609e432ed73263ad63fe37b1716d6f20b3bf56c94349b6338557e7974bc0af9b4618ef6b316b3236773eb4b824e52206030528beaba57d247
- C:\Users\Admin\AppData\Local\Temp\1sgwqg5\_Files\_Information.txt
  Filesize: 1KB
  MD5: 128958cfa4c06ddd467730e0c55653ff
  SHA1: febf1f12dddc4fbff29940413fc30d3b094c5241
  SHA256: 9b7953da780b1273cbae924d33c911e4572119951ea77151d35b9c040ab25db6
  SHA512: 5d00d82a192e5fc9dd571afc210b82f7b7926dde5f1f84a2c0c72f0515a80eb74b9365fed4a6aff59dd7f03f4c33cbf5086aaf1604f3776808d97c573ee786dc
- C:\Users\Admin\AppData\Local\Temp\1sgwqg5\_Files\_Information.txt
  Filesize: 7KB
  MD5: e474882696c7dd6af21fb68f2feb5cd2
  SHA1: 7c57c9451fa2f421f123f99731bb07c1dbe0ffc4
  SHA256: 7cf9360228574ee2f1c5ea1bb477bb82c3336dfd679b22a784b9b9cfc4744e67
  SHA512: d0bd7b1f21c09af303166f019b1fab5d2d750da7aaba2b813d31d9afc3b5ef03d984302187523138017f9bab74953ec9b53c5a0dc7eef1884cbeba64ccbee9d1
- C:\Users\Admin\AppData\Local\Temp\1sgwqg5\_Files\_Screen_Desktop.jpeg
  Filesize: 49KB
  MD5: 2065ecf197b8f43dc88410331c1ffdb2
  SHA1: 3386427c254d797970a1f3cbae8e1d4a5e0578b0
  SHA256: 023d9538a6120d40c845d5777ef9a2fa112a173af73409b2be9759a6e9b000de
  SHA512: 86e1aa22f888db245e45fd084c09a5870135ada1d3796a824010610a0228ba93ee58ba00e45020e4710f711696d742c3f920ed48c85b3415b9dba32b96d477dc
- C:\Users\Admin\AppData\Local\Temp\1sgwqg5\files_\system_info.txt
  Filesize: 698B
  MD5: 8232844a13abae5a3d7fa0945fdc91cc
  SHA1: d0953f1dcc1be92192e8aec5447359b8fb9f4fd0
  SHA256: d3d4ba1d058d381157497af3abb752d69f34bd13fcf00c0399bae67c74bd03fd
  SHA512: fa92f7eb750e15dc89c435ac2edd19ca1fce3d3547169d2838d7e496a8e903734b3eeb73d4651acadf80e4383f472ec3485555942f57e5087fbe90b75a3292c4
- C:\Users\Admin\AppData\Local\Temp\1sgwqg5\files_\system_info.txt
  Filesize: 1KB
  MD5: cea2d71ece6389ff3d369eed35b999ba
  SHA1: f48483538cbf38c519029e9eed40904862ae7343
  SHA256: 323edfbc4ec2137d1596888791fd457a5c022a720eeb10ebe1d9be77c3966aed
  SHA512: 1126b2a050ac211ade13090e75503c1b6fe4a7c26c332f4b523000b8a325fbbb6ed4744f219a37cd6fe5e4e6528616639b5b7d0a747b35d8003c7da880978ede
- C:\Users\Admin\AppData\Local\Temp\1sgwqg5\files_\system_info.txt
  Filesize: 7KB
  MD5: a94caf88b5b8ecd2c0246e0a4ad3d86a
  SHA1: 347b8083c90466f4b2678c2dc5f7bc97209ca0fd
  SHA256: 044a1cd8f9f64ecc628f62396cd49d898ecd9759e452e8852409b029633de3ae
  SHA512: 94d287ef51fbe4c11841808550bd9c51c3d9370f9ff721d49adc527723349093f1747b905ccf458aa4fffa3bb73822236fdd5e4120682362b8511a1bec85f459
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Far.cda
  Filesize: 872KB
  MD5: e8965baeaf038d5abe64c8eb90cc3e19
  SHA1: d1e45c2432106e09625c70f0d3c456fca26132ff
  SHA256: b6d20957a61943a9bc2f6ace4170a5c631c774e35d22382cc6f60c39514ffbae
  SHA512: 1f4eda3751d27df9b702ce6a1c1471307a3e7947ff9959ea895fab19d34057e68868d6e93712bfe3aa4ef8cab663c13c51a04412de6173a7c4f87db5d4d1e333
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Obliare.exe.com
  Filesize: 872KB
  MD5: c56b5f0201a3b3de53e561fe76912bfd
  SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sogni.cda
  Filesize: 634KB
  MD5: 33ea431acdc54eb20055057f41e6fc6e
  SHA1: efdc7197e542a048873b464640abf48bde6e0855
  SHA256: 39afe9026b4c30249948f45bb4a1fcadba83642b5af0e7da03583ef58a8e10d1
  SHA512: 59b1dc7ca075c14520068bd9eadcbb6c561b182190671edc1b3f0426db7e4d95e4e950b1aa788b52386f96d2ddb523a6c447ddb6b6b8757fb16f0bec612e1567
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Splendore.cda
  Filesize: 745KB
  MD5: 1bbdc57424a53f6a10b2692db95066a8
  SHA1: 1ce47faa742a4312abd9ee1d6e67ad04b45afae2
  SHA256: 4ca0f711bdef0fdcd6dfc84fa03189555afe30e7c335a243e89bf702d9892e46
  SHA512: 9dc675231c47bcb3d60c054f72a1c198cc490f88ed49f781bb679166913694782b43d732107738fb99cb2a74c90fd84503c19dcb10a0971518061af8cc956d4b
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tese.cda
  Filesize: 459B
  MD5: 05e2ab200a15fe20d618c59990c8b9f3
  SHA1: ceb19d0006b3372187582f880242fb718046fc8a
  SHA256: bdc88dfbfe456b5b1c21bd69e8588654e7a7c2105f740cade301e0f91a5795db
  SHA512: 1a3f3538aaea1092ad6fe1c633f8dbe5e669cf88bf3f750c82d517713011387da3a76e4c8fd8c3a355decb4e1b532bb22f852e5ddb4b9d6b74c0090ab806d332
- memory/2152-21-0x0000000000A70000-0x0000000000A71000-memory.dmp
  Filesize: 4KB
- memory/2152-29-0x0000000003E70000-0x0000000003F13000-memory.dmp
  Filesize: 652KB
- memory/2152-27-0x0000000003E70000-0x0000000003F13000-memory.dmp
  Filesize: 652KB
- memory/2152-26-0x0000000003E70000-0x0000000003F13000-memory.dmp
  Filesize: 652KB
- memory/2152-25-0x0000000003E70000-0x0000000003F13000-memory.dmp
  Filesize: 652KB
- memory/2152-24-0x0000000003E70000-0x0000000003F13000-memory.dmp
  Filesize: 652KB
- memory/2152-23-0x0000000003E70000-0x0000000003F13000-memory.dmp
  Filesize: 652KB
- memory/2152-243-0x0000000003E70000-0x0000000003F13000-memory.dmp
  Filesize: 652KB
- memory/2152-22-0x0000000003E70000-0x0000000003F13000-memory.dmp
  Filesize: 652KB