Overview

overview

10

Static

static

3

0cd3d87242...18.exe

windows7-x64

10

0cd3d87242...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-05-2024 23:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0cd3d8724238e5bc80d2b890c56489ab_JaffaCakes118.exe

  • Size

    2.3MB

  • MD5

    0cd3d8724238e5bc80d2b890c56489ab

  • SHA1

    cc6b11f8efe41593e7b9bf83af6c501ada065655

  • SHA256

    816a1b2e626d2819767b6667b7e9ce51f704d98899ff4dc2e74db2dc537b9f64

  • SHA512

    e24bcd0f26f6f82650c89d9e61335de3b040b7223c3a587b97f164d26012195920cc968920347b1a48e1178f56fc7ea27a7d8debe9fdf9b359af4413f25d24ae

  • SSDEEP

    49152:udLroH9hYKB3ZkXUi934XElBgvAPJtyc+:uho91B3yXUKI0lX6c+

Score
10/10
cryptbotdiscoveryevasionspywarestealer

Malware Config

Extracted

Family

cryptbot

C2

bibinene01.top

moraass05.top

Signatures

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • CryptBot payload 20 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0cd3d8724238e5bc80d2b890c56489ab_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0cd3d8724238e5bc80d2b890c56489ab_JaffaCakes118.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    PID:4568

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

5
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\hUoWjDDnyeog\Hvd04kNMOOW.zip
    Filesize

    39KB

    MD5

    b03412ec7cb04c8c550927255ce4b9de

    SHA1

    e344194d1d799cd3c54a6d5edee9e8ae62f72e1e

    SHA256

    282589acb29005ef95ea7041912fae3bb529d0a458685aad7a4113abf395f929

    SHA512

    2dc037c64a5f605daa03159db193a097db232aa03bd528783e3b195772552bc539777c201d119b17dfa2565748ac6e5511900a6fcc11025a50813bfb43b3f310

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\hUoWjDDnyeog\Xi1kySBR.zip
    Filesize

    39KB

    MD5

    d9a6bde25f5a2a9c443bf9ef19eb0c7b

    SHA1

    357f17df179b9961992c0d4763a817c87e213848

    SHA256

    d059d48e592c4fdea80487797eac87a339195fe1df9ba4636825fcd0d7348e04

    SHA512

    7928b3d4f1386005954fb18393a6bbecfdfb63a55abc3e19ac5b1e261d3f3d102cab533d4a6185dfecaaaf4c48d1f12fe47b34f4c0015789ea20a4c8566cab69

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\hUoWjDDnyeog\_Files\_Information.txt
    Filesize

    7KB

    MD5

    0b15afe019bb1f836bc84861f44f0c61

    SHA1

    bdb59b513b8c1e0498d566197e4b5729d6e1d8b9

    SHA256

    9f2b83c98e47c11b82b6585c11e83ae5b558dab8882b515cb85699ffcbc0d38b

    SHA512

    d9f0af8136005326ef4207aadcd21a30b50ab8139d128add0cfd27326ef7bafe9e415b299f92e4e6dd9426496d61286213eb96240d2e8a0a10c30329393c2afc

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\hUoWjDDnyeog\_Files\_Screen_Desktop.jpeg
    Filesize

    46KB

    MD5

    904761bbf14222d431017100ad80933c

    SHA1

    c7ba9b1075ed1e4c04952234631ee86bc44467e8

    SHA256

    8e9463b7e638859fa6ce537b1a166528be225c107a1aeab2fddcef6cefba2868

    SHA512

    2625657fff641707d045598921fa1cf8cc1199afb420c9487ba6220d3f486c41034e5b4cb36adc89b4fb33b1f2a18968ea55243abc5fadfae8e4832b441b19d2

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\hUoWjDDnyeog\files_\system_info.txt
    Filesize

    7KB

    MD5

    9452976c10e60ab7f676c47188266fc4

    SHA1

    ee643b3ef8b99a71cfb09410b6996b02d0a6cc55

    SHA256

    4fc7bcb0a3bd58cf131673a9e97e54632d27f62a4774f5d9b207db1b817072d9

    SHA512

    f83af10c0693737ff118345c0576486f06142f4d86650f6d50bf6f70733e1e6a38cf3b65acfcf909c56fa7fb04b75c55df2ccd091929cd1d490a3f5de330acff

    Download Submit
  • memory/4568-228-0x0000000001000000-0x000000000153B000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4568-231-0x0000000001000000-0x000000000153B000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4568-7-0x0000000001000000-0x000000000153B000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4568-8-0x0000000001000000-0x000000000153B000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4568-2-0x00000000056C0000-0x00000000056C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4568-3-0x00000000056D0000-0x00000000056D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4568-116-0x0000000001000000-0x000000000153B000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4568-4-0x00000000056F0000-0x00000000056F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4568-224-0x0000000001000000-0x000000000153B000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4568-226-0x0000000001000000-0x000000000153B000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4568-5-0x00000000056E0000-0x00000000056E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4568-0-0x0000000001000000-0x000000000153B000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4568-229-0x0000000001000000-0x000000000153B000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4568-6-0x0000000001001000-0x000000000105C000-memory.dmp
    Filesize

    364KB

    Download
  • memory/4568-233-0x0000000001000000-0x000000000153B000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4568-235-0x0000000001000000-0x000000000153B000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4568-239-0x0000000001000000-0x000000000153B000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4568-241-0x0000000001000000-0x000000000153B000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4568-244-0x0000000001000000-0x000000000153B000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4568-247-0x0000000001000000-0x000000000153B000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4568-250-0x0000000001000000-0x000000000153B000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4568-252-0x0000000001000000-0x000000000153B000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4568-258-0x0000000001000000-0x000000000153B000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4568-260-0x0000000001000000-0x000000000153B000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4568-1-0x0000000077D44000-0x0000000077D46000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4568-263-0x0000000001000000-0x000000000153B000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4568-265-0x0000000001000000-0x000000000153B000-memory.dmp
    Filesize

    5.2MB

    Download