Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-05-2024 23:14
Static task: static1
Behavioral task: behavioral1
Sample: 0cd3d8724238e5bc80d2b890c56489ab_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: 0cd3d8724238e5bc80d2b890c56489ab_JaffaCakes118.exe
Size: 2.3MB
MD5: 0cd3d8724238e5bc80d2b890c56489ab
SHA1: cc6b11f8efe41593e7b9bf83af6c501ada065655
SHA256: 816a1b2e626d2819767b6667b7e9ce51f704d98899ff4dc2e74db2dc537b9f64
SHA512: e24bcd0f26f6f82650c89d9e61335de3b040b7223c3a587b97f164d26012195920cc968920347b1a48e1178f56fc7ea27a7d8debe9fdf9b359af4413f25d24ae
SSDEEP: 49152:udLroH9hYKB3ZkXUi934XElBgvAPJtyc+:uho91B3yXUKI0lX6c+
Malware Config
Extracted
Family: cryptbot
Domains: bibinene01.top, moraass05.top
Signatures

CryptBot payload (20 IoCs)
Resource / YARA rule: every hit is family_cryptbot on a dump of the same region of pid 4568, 0x0000000001000000-0x000000000153B000:
behavioral2/memory/4568-N-0x0000000001000000-0x000000000153B000-memory.dmp for N = 7, 8, 116, 224, 226, 228, 229, 231, 233, 235, 239, 241, 244, 247, 250, 252, 258, 260, 263, 265
Dump 0 of the same region (listed under Downloads) is not among the hits; the rule first matches at dump 7, consistent with the payload being unpacked into the image region after start-up rather than being present in the file as loaded.
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
The VBOX__ OEM ID under HARDWARE\ACPI\DSDT is only present when the firmware tables come from VirtualBox.
Process: 0cd3d8724238e5bc80d2b890c56489ab_JaffaCakes118.exe
Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments: the system and video BIOS version strings of common hypervisors carry vendor markers such as VBOX or VMWARE.
Process: 0cd3d8724238e5bc80d2b890c56489ab_JaffaCakes118.exe
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Identifies Wine through registry keys (2 TTPs, 1 IoC)
Wine is a compatibility layer capable of running Windows applications, and it can be used as a sandboxing environment. The Software\Wine key under the user hive does not exist on a real Windows installation.
Process: 0cd3d8724238e5bc80d2b890c56489ab_JaffaCakes118.exe
Key opened: \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Software\Wine
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and similar profile contents.
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
Calling NtSetInformationThread with the ThreadHideFromDebugger information class stops the thread from delivering debug events to an attached debugger, a common anti-debugging technique.
Process: pid 4568 0cd3d8724238e5bc80d2b890c56489ab_JaffaCakes118.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Process: 0cd3d8724238e5bc80d2b890c56489ab_JaffaCakes118.exe
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Process: pid 4568 0cd3d8724238e5bc80d2b890c56489ab_JaffaCakes118.exe (2 events)

Suspicious use of FindShellTrayWindow (2 IoCs)
Process: pid 4568 0cd3d8724238e5bc80d2b890c56489ab_JaffaCakes118.exe (2 events)
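The registry probes and the ThreadHideFromDebugger call listed above are individually noisy (plenty of legitimate software reads ProcessorNameString), but a single process touching several of them in quick succession is a strong anti-analysis signal. The following Python is an added example written for this page, not code from the sandbox or from the sample: it runs a small rule set over a constructed trace in the report's own "Key opened / Key value queried" style and alerts only when one process hits several distinct evasion categories. The trace format, the KeyOpened/KeyValueQueried operation names, the svchost and explorer noise lines and the threshold of three categories are all assumptions.

```python
import re

# Registry paths the report lists under its anti-VM / anti-sandbox signatures,
# grouped by the evasion category each one evidences. Compared as lower-case
# suffixes so \REGISTRY\MACHINE\... and HKLM\... spellings both match.
REGISTRY_INDICATORS = [
    ("vbox_acpi_dsdt",  r"\hardware\acpi\dsdt\vbox__"),
    ("bios_version",    r"\hardware\description\system\systembiosversion"),
    ("bios_version",    r"\hardware\description\system\videobiosversion"),
    ("wine_key",        r"\software\wine"),
    ("cpu_name_string", r"\hardware\description\system\centralprocessor\0\processornamestring"),
]

# Constructed trace in the report's "Key opened / Key value queried" style; it is
# not real tool output. The pid 4568 lines mirror the IoCs in the report, the
# svchost and explorer lines are benign noise added to show the threshold at work.
SAMPLE_TRACE = r"""
pid=4568 proc=0cd3d8724238e5bc80d2b890c56489ab_JaffaCakes118.exe op=KeyOpened path=\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
pid=4568 proc=0cd3d8724238e5bc80d2b890c56489ab_JaffaCakes118.exe op=KeyValueQueried path=\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
pid=4568 proc=0cd3d8724238e5bc80d2b890c56489ab_JaffaCakes118.exe op=KeyValueQueried path=\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
pid=4568 proc=0cd3d8724238e5bc80d2b890c56489ab_JaffaCakes118.exe op=KeyOpened path=\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Software\Wine
pid=4568 proc=0cd3d8724238e5bc80d2b890c56489ab_JaffaCakes118.exe op=NtSetInformationThread class=ThreadHideFromDebugger
pid=4568 proc=0cd3d8724238e5bc80d2b890c56489ab_JaffaCakes118.exe op=KeyValueQueried path=\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
pid=812 proc=svchost.exe op=KeyValueQueried path=\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName
pid=2100 proc=explorer.exe op=KeyValueQueried path=\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
"""

# key=value pairs; a value runs until the next " key=" so paths may contain spaces.
EVENT_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Turn one 'key=value key=value' trace line into a dict."""
    return dict(EVENT_RE.findall(line))


def classify(event):
    """Return the evasion category an event evidences, or None if it is unremarkable."""
    op = event.get("op", "")
    if op == "NtSetInformationThread" and event.get("class") == "ThreadHideFromDebugger":
        return "hide_from_debugger"
    if op in ("KeyOpened", "KeyValueQueried"):
        path = event.get("path", "").lower()
        for category, suffix in REGISTRY_INDICATORS:
            if path.endswith(suffix):
                return category
    return None


def evasion_profile(trace):
    """Map pid -> (process name, set of distinct evasion categories seen)."""
    profile = {}
    for line in trace.strip().splitlines():
        event = parse_event(line)
        pid = int(event["pid"])
        _proc, categories = profile.setdefault(pid, (event.get("proc", "?"), set()))
        category = classify(event)
        if category:
            categories.add(category)
    return profile


def alerts(trace, min_categories=3):
    """Processes that hit at least min_categories distinct evasion categories.

    One hit (a system-info tool reading ProcessorNameString) is noise; several
    different anti-analysis probes from the same pid is what stands out.
    """
    return sorted(
        (pid, proc, sorted(categories))
        for pid, (proc, categories) in evasion_profile(trace).items()
        if len(categories) >= min_categories
    )


if __name__ == "__main__":
    for pid, proc, categories in alerts(SAMPLE_TRACE):
        print(f"pid {pid} ({proc}): {len(categories)} evasion categories: {', '.join(categories)}")
```

One caveat for anyone porting this to production telemetry: Sysmon does not record registry reads (its registry events are 12 key create/delete, 13 value set and 14 rename), so "Key opened" and "Key value queried" events of this kind come from an API monitor or sandbox trace, or from the kernel registry ETW provider, not from Sysmon. The threshold is the tuning knob: two categories will catch more loaders but also some hardware-inventory software.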
Processes
1. C:\Users\Admin\AppData\Local\Temp\0cd3d8724238e5bc80d2b890c56489ab_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0cd3d8724238e5bc80d2b890c56489ab_JaffaCakes118.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Temp\hUoWjDDnyeog\Hvd04kNMOOW.zip
Filesize: 39KB
MD5: b03412ec7cb04c8c550927255ce4b9de
SHA1: e344194d1d799cd3c54a6d5edee9e8ae62f72e1e
SHA256: 282589acb29005ef95ea7041912fae3bb529d0a458685aad7a4113abf395f929
SHA512: 2dc037c64a5f605daa03159db193a097db232aa03bd528783e3b195772552bc539777c201d119b17dfa2565748ac6e5511900a6fcc11025a50813bfb43b3f310

C:\Users\Admin\AppData\Local\Temp\hUoWjDDnyeog\Xi1kySBR.zip
Filesize: 39KB
MD5: d9a6bde25f5a2a9c443bf9ef19eb0c7b
SHA1: 357f17df179b9961992c0d4763a817c87e213848
SHA256: d059d48e592c4fdea80487797eac87a339195fe1df9ba4636825fcd0d7348e04
SHA512: 7928b3d4f1386005954fb18393a6bbecfdfb63a55abc3e19ac5b1e261d3f3d102cab533d4a6185dfecaaaf4c48d1f12fe47b34f4c0015789ea20a4c8566cab69

C:\Users\Admin\AppData\Local\Temp\hUoWjDDnyeog\_Files\_Information.txt
Filesize: 7KB
MD5: 0b15afe019bb1f836bc84861f44f0c61
SHA1: bdb59b513b8c1e0498d566197e4b5729d6e1d8b9
SHA256: 9f2b83c98e47c11b82b6585c11e83ae5b558dab8882b515cb85699ffcbc0d38b
SHA512: d9f0af8136005326ef4207aadcd21a30b50ab8139d128add0cfd27326ef7bafe9e415b299f92e4e6dd9426496d61286213eb96240d2e8a0a10c30329393c2afc

C:\Users\Admin\AppData\Local\Temp\hUoWjDDnyeog\_Files\_Screen_Desktop.jpeg
Filesize: 46KB
MD5: 904761bbf14222d431017100ad80933c
SHA1: c7ba9b1075ed1e4c04952234631ee86bc44467e8
SHA256: 8e9463b7e638859fa6ce537b1a166528be225c107a1aeab2fddcef6cefba2868
SHA512: 2625657fff641707d045598921fa1cf8cc1199afb420c9487ba6220d3f486c41034e5b4cb36adc89b4fb33b1f2a18968ea55243abc5fadfae8e4832b441b19d2

C:\Users\Admin\AppData\Local\Temp\hUoWjDDnyeog\files_\system_info.txt
Filesize: 7KB
MD5: 9452976c10e60ab7f676c47188266fc4
SHA1: ee643b3ef8b99a71cfb09410b6996b02d0a6cc55
SHA256: 4fc7bcb0a3bd58cf131673a9e97e54632d27f62a4774f5d9b207db1b817072d9
SHA512: f83af10c0693737ff118345c0576486f06142f4d86650f6d50bf6f70733e1e6a38cf3b65acfcf909c56fa7fb04b75c55df2ccd091929cd1d490a3f5de330acff

Memory dumps (pid 4568):
memory/4568-0-0x0000000001000000-0x000000000153B000-memory.dmp  5.2MB
memory/4568-1-0x0000000077D44000-0x0000000077D46000-memory.dmp  8KB
memory/4568-2-0x00000000056C0000-0x00000000056C1000-memory.dmp  4KB
memory/4568-3-0x00000000056D0000-0x00000000056D1000-memory.dmp  4KB
memory/4568-4-0x00000000056F0000-0x00000000056F1000-memory.dmp  4KB
memory/4568-5-0x00000000056E0000-0x00000000056E1000-memory.dmp  4KB
memory/4568-6-0x0000000001001000-0x000000000105C000-memory.dmp  364KB
memory/4568-N-0x0000000001000000-0x000000000153B000-memory.dmp  5.2MB each, for N = 7, 8, 116, 224, 226, 228, 229, 231, 233, 235, 239, 241, 244, 247, 250, 252, 258, 260, 263, 265
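The dropped-file listing shows the stealer's staging pattern: collection artefacts (_Information.txt, _Screen_Desktop.jpeg, system_info.txt) written under a random-named directory directly below %TEMP%, followed by two .zip archives created beside them. The following Python is an added detection example, not part of the report and not any tool's code: it groups constructed file-creation events (written in a Sysmon Event ID 11 FileCreate style) by process and staging root and flags the collect-then-archive sequence. The event format, the timestamps, the proc field and the 7-Zip noise lines are assumptions; the pid 4568 paths are the ones listed above.

```python
import re
from collections import defaultdict
from datetime import datetime

# File names the report shows being written before the .zip archives appear.
STAGING_MARKERS = {"_information.txt", "system_info.txt", "_screen_desktop.jpeg"}

# The first directory level below %TEMP% is treated as the staging root
# (hUoWjDDnyeog in the report); everything under it belongs to one collection run.
TEMP_ROOT_RE = re.compile(
    r"^(?P<root>[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\[^\\]+)\\(?P<rest>.+)$", re.I)
# key=value pairs; a value runs until the next " key=" so paths may contain spaces.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

# Constructed events in a Sysmon Event ID 11 (FileCreate) style, not real Sysmon
# output; timestamps are assumed. The pid 4568 targets are the Downloads paths
# from the report, the 7-Zip lines are benign noise (an archiver unpacking to %TEMP%).
SAMPLE_EVENTS = r"""
2024-05-01T23:14:31 pid=4568 proc=0cd3d8724238e5bc80d2b890c56489ab_JaffaCakes118.exe op=FileCreate target=C:\Users\Admin\AppData\Local\Temp\hUoWjDDnyeog\_Files\_Information.txt
2024-05-01T23:14:32 pid=4568 proc=0cd3d8724238e5bc80d2b890c56489ab_JaffaCakes118.exe op=FileCreate target=C:\Users\Admin\AppData\Local\Temp\hUoWjDDnyeog\_Files\_Screen_Desktop.jpeg
2024-05-01T23:14:33 pid=4568 proc=0cd3d8724238e5bc80d2b890c56489ab_JaffaCakes118.exe op=FileCreate target=C:\Users\Admin\AppData\Local\Temp\hUoWjDDnyeog\files_\system_info.txt
2024-05-01T23:14:40 pid=4568 proc=0cd3d8724238e5bc80d2b890c56489ab_JaffaCakes118.exe op=FileCreate target=C:\Users\Admin\AppData\Local\Temp\hUoWjDDnyeog\Xi1kySBR.zip
2024-05-01T23:14:41 pid=4568 proc=0cd3d8724238e5bc80d2b890c56489ab_JaffaCakes118.exe op=FileCreate target=C:\Users\Admin\AppData\Local\Temp\hUoWjDDnyeog\Hvd04kNMOOW.zip
2024-05-01T23:15:02 pid=3012 proc=7zFM.exe op=FileCreate target=C:\Users\Admin\AppData\Local\Temp\7zE1234\notes.txt
2024-05-01T23:15:05 pid=3012 proc=7zFM.exe op=FileCreate target=C:\Users\Admin\AppData\Local\Temp\7zE1234\notes.zip
"""


def file_events(events):
    """Parse the trace into (timestamp, pid, target path) tuples for FileCreate events."""
    out = []
    for line in events.strip().splitlines():
        ts_text, rest = line.split(" ", 1)
        ev = dict(KV_RE.findall(rest))
        if ev.get("op") == "FileCreate":
            out.append((datetime.fromisoformat(ts_text), int(ev["pid"]), ev["target"]))
    return out


def staging_groups(events):
    """Group created files by (pid, staging root under %TEMP%) as (time, lower-case name)."""
    groups = defaultdict(list)
    for ts, pid, target in file_events(events):
        m = TEMP_ROOT_RE.match(target)
        if m:
            name = m.group("rest").rsplit("\\", 1)[-1].lower()
            groups[(pid, m.group("root"))].append((ts, name))
    return groups


def find_staging(events, min_markers=2, window_seconds=300):
    """Return (pid, root, markers seen, archive count) for each collect-then-archive run.

    A hit needs at least min_markers of the known collection files in one root and
    at least one .zip written after the last of them, within window_seconds of the
    first. Requiring the archive to come after the markers is what separates
    staging for exfiltration from a tool that merely unpacks into %TEMP%.
    """
    hits = []
    for (pid, root), files in staging_groups(events).items():
        marker_times = [t for t, n in files if n in STAGING_MARKERS]
        markers = {n for _, n in files if n in STAGING_MARKERS}
        zip_times = [t for t, n in files if n.endswith(".zip")]
        if len(markers) < min_markers or not zip_times:
            continue
        first_marker, last_marker = min(marker_times), max(marker_times)
        later_zips = [z for z in zip_times
                      if z > last_marker and (z - first_marker).total_seconds() <= window_seconds]
        if later_zips:
            hits.append((pid, root, sorted(markers), len(later_zips)))
    return hits


if __name__ == "__main__":
    for pid, root, markers, zips in find_staging(SAMPLE_EVENTS):
        print(f"pid {pid}: {len(markers)} collection files then {zips} archive(s) under {root}")
```

The marker file names are the weak part of this rule: a rebuilt CryptBot can rename them, so in practice pair the name check with the structural signal (a random-named directory created directly under %TEMP% by a non-installer process, populated and zipped within seconds) and with the browser-profile and wallet reads listed under Signatures.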