growtopia | e4c2460165de097c187d1a646cfc513d32a9130a0e3fe40a359f82b54987bb23

General

Target

f51b489073e0a0e9fff1a9d8f0e09185_JaffaCakes118.exe
Size

5.4MB
MD5

f51b489073e0a0e9fff1a9d8f0e09185
SHA1

c8a2cf999334870c51ead8e366ce51ee916b6e3f
SHA256

e4c2460165de097c187d1a646cfc513d32a9130a0e3fe40a359f82b54987bb23
SHA512

c724d3245868a6a6a90ad0f169ba39857f192809ac0e0b7919ebd53ca7669080703571fd235e129130ddc157286534905dcb6ca7e951e7d8ce3347184eb89484
SSDEEP

98304:7aK90IOLFoFMy2Wt6E8jtpOEv9NdHkyLhiCyIgFfffHyBUMUbv5wOJERH:X9POJa2WD69Nay8Mg1ffS2/K4ER

Score

10^/10

growtopia stealer vmprotect

Malware Config

Signatures

Growtopia
Growtopa is an opensource modular stealer written in C#.
stealer growtopia

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/1104-2-0x0000000000E10000-0x00000000016C0000-memory.dmp	vmprotect
behavioral2/memory/1104-66-0x0000000000E10000-0x00000000016C0000-memory.dmp	vmprotect

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 icanhazip.com

flow	ioc
9	icanhazip.com

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

f51b489073e0a0e9fff1a9d8f0e09185_JaffaCakes118.exepowershell.exe

pid	process
1104	f51b489073e0a0e9fff1a9d8f0e09185_JaffaCakes118.exe
1104	f51b489073e0a0e9fff1a9d8f0e09185_JaffaCakes118.exe
1588	powershell.exe
1588	powershell.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

powershell.exe

description	pid	process
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeIncreaseQuotaPrivilege	1588	powershell.exe
Token: SeSecurityPrivilege	1588	powershell.exe
Token: SeTakeOwnershipPrivilege	1588	powershell.exe
Token: SeLoadDriverPrivilege	1588	powershell.exe
Token: SeSystemProfilePrivilege	1588	powershell.exe
Token: SeSystemtimePrivilege	1588	powershell.exe
Token: SeProfSingleProcessPrivilege	1588	powershell.exe
Token: SeIncBasePriorityPrivilege	1588	powershell.exe
Token: SeCreatePagefilePrivilege	1588	powershell.exe
Token: SeBackupPrivilege	1588	powershell.exe
Token: SeRestorePrivilege	1588	powershell.exe
Token: SeShutdownPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeSystemEnvironmentPrivilege	1588	powershell.exe
Token: SeRemoteShutdownPrivilege	1588	powershell.exe
Token: SeUndockPrivilege	1588	powershell.exe
Token: SeManageVolumePrivilege	1588	powershell.exe
Token: 33	1588	powershell.exe
Token: 34	1588	powershell.exe
Token: 35	1588	powershell.exe
Token: 36	1588	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

f51b489073e0a0e9fff1a9d8f0e09185_JaffaCakes118.execmd.exe

description	pid	process	target process
PID 1104 wrote to memory of 4624	1104	f51b489073e0a0e9fff1a9d8f0e09185_JaffaCakes118.exe	cmd.exe
PID 1104 wrote to memory of 4624	1104	f51b489073e0a0e9fff1a9d8f0e09185_JaffaCakes118.exe	cmd.exe
PID 1104 wrote to memory of 4624	1104	f51b489073e0a0e9fff1a9d8f0e09185_JaffaCakes118.exe	cmd.exe
PID 4624 wrote to memory of 1588	4624	cmd.exe	powershell.exe
PID 4624 wrote to memory of 1588	4624	cmd.exe	powershell.exe
PID 4624 wrote to memory of 1588	4624	cmd.exe	powershell.exe
PID 1104 wrote to memory of 4036	1104	f51b489073e0a0e9fff1a9d8f0e09185_JaffaCakes118.exe	cmd.exe
PID 1104 wrote to memory of 4036	1104	f51b489073e0a0e9fff1a9d8f0e09185_JaffaCakes118.exe	cmd.exe
PID 1104 wrote to memory of 4036	1104	f51b489073e0a0e9fff1a9d8f0e09185_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\f51b489073e0a0e9fff1a9d8f0e09185_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f51b489073e0a0e9fff1a9d8f0e09185_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MAC.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4624
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell get-NetAdapter
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1588
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\GenReg.exe" [29548]--[441325395]--[14774,14774c,14774w,14774wc]--[330994046,330994046c]
  2⤵
  PID:4036

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MAC.bat

Filesize
42B

MD5
56120ea7d97e691243935b98d32f4b65

SHA1
f89f6249a946882410de06765ec07e11f2608177

SHA256
1d6a29ec8b4f624b3246450c2a34ae1a8b3e35cdc7f3fa86a680e14169e01a67

SHA512
4cda70d6283fc48105a64c157c50fbe61bc5c77aa0f28e8c1176943cfdfa4345df77f09573d49ff896830cfc8315547a453a7bcbe68c00dd140b99ead94c8b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAC.zb

Filesize
369B

MD5
14ffde76db65568c139e7d55e00085e1

SHA1
f6013770a0a3be2f924851a8a17a251568cbfbda

SHA256
402acf83f09cf87461b4a25d9b09cb3d197e79883ad526c3efc9911114717eab

SHA512
08023212fa359d7a9b34785b15101f9632ffd49430e0a60cfb05bdd7fa3a87ff573a4a976c2068bdec5d723b1b6ed2e5dc870ebad9601e59cf071e607b0b4248

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0oadypff.gqn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1104-2-0x0000000000E10000-0x00000000016C0000-memory.dmp

Filesize
8.7MB

Download
memory/1104-66-0x0000000000E10000-0x00000000016C0000-memory.dmp

Filesize
8.7MB

Download
memory/1104-0-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/1588-40-0x000000007F420000-0x000000007F430000-memory.dmp

Filesize
64KB

Download
memory/1588-53-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/1588-24-0x0000000005260000-0x0000000005888000-memory.dmp

Filesize
6.2MB

Download
memory/1588-26-0x0000000005900000-0x0000000005966000-memory.dmp

Filesize
408KB

Download
memory/1588-36-0x0000000005970000-0x00000000059D6000-memory.dmp

Filesize
408KB

Download
memory/1588-37-0x0000000005B00000-0x0000000005E54000-memory.dmp

Filesize
3.3MB

Download
memory/1588-38-0x0000000005FB0000-0x0000000005FCE000-memory.dmp

Filesize
120KB

Download
memory/1588-39-0x00000000060B0000-0x00000000060FC000-memory.dmp

Filesize
304KB

Download
memory/1588-23-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/1588-41-0x0000000006580000-0x00000000065B2000-memory.dmp

Filesize
200KB

Download
memory/1588-42-0x0000000070330000-0x000000007037C000-memory.dmp

Filesize
304KB

Download
memory/1588-25-0x0000000005000000-0x0000000005022000-memory.dmp

Filesize
136KB

Download
memory/1588-52-0x00000000065C0000-0x00000000065DE000-memory.dmp

Filesize
120KB

Download
memory/1588-54-0x0000000006FC0000-0x0000000007063000-memory.dmp

Filesize
652KB

Download
memory/1588-55-0x0000000007920000-0x0000000007F9A000-memory.dmp

Filesize
6.5MB

Download
memory/1588-56-0x00000000072D0000-0x00000000072EA000-memory.dmp

Filesize
104KB

Download
memory/1588-57-0x0000000007340000-0x000000000734A000-memory.dmp

Filesize
40KB

Download
memory/1588-58-0x0000000007560000-0x00000000075F6000-memory.dmp

Filesize
600KB

Download
memory/1588-59-0x00000000074D0000-0x00000000074E1000-memory.dmp

Filesize
68KB

Download
memory/1588-60-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/1588-63-0x0000000073A30000-0x00000000741E0000-memory.dmp

Filesize
7.7MB

Download
memory/1588-22-0x0000000073A30000-0x00000000741E0000-memory.dmp

Filesize
7.7MB

Download
memory/1588-21-0x00000000026A0000-0x00000000026D6000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads