Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

6febfef814...18.exe

windows7-x64

10

6febfef814...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/05/2024, 21:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6febfef814559223cecd46a376011b9a_JaffaCakes118.exe

  • Size

    2.1MB

  • MD5

    6febfef814559223cecd46a376011b9a

  • SHA1

    c1cbd367b8859834e56baecbb4adae006de66852

  • SHA256

    72454e25fcf6428797f032ba6e5ab9a2c4a49c33fd3f353ce15b6c87979f4b54

  • SHA512

    be52e9fed62afb08753c0af6513a3d0196c3ab519082bbf09973c3f5dd47da9978a24c39b09552684b443d76248e358d8053ea53b85036c009d26ccdd2c242b3

  • SSDEEP

    49152:6MPAcFI+Oa9vb9cCp0RUFE9y6cthn/2mO7Vy/R5nsQ:6MPAcFI5+vb9cCQevhn5+Vy/Rt

Score
10/10
cryptbotdiscoveryevasionspywarestealer

Malware Config

Extracted

Family

cryptbot

C2

bibinene01.top

moraass05.top

Signatures

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • CryptBot payload 17 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6febfef814559223cecd46a376011b9a_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\6febfef814559223cecd46a376011b9a_JaffaCakes118.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    PID:1292

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\KUs22JIZTC\8qLyeasm5IY4a.zip
    Filesize

    41KB

    MD5

    e1f2b9823036da6a95102d4f61774e4a

    SHA1

    4cf112b1dc90b75a5c6c49c5f87daf80e8aefbf7

    SHA256

    7bc1ee1dfb248e1d60020435cd1b7710792f698824033f069b14c387b837fa31

    SHA512

    713a044144c3c3f09f19bcd8a1080bddd11c3a6fc38202f2666a7fc0f01818e87c882c5adc3741305493758c3d20f77e75e28b8b3220b83ec203822c6d3ca879

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\KUs22JIZTC\_Files\_Information.txt
    Filesize

    1KB

    MD5

    0c18f1b65d37f2bce723d78b91f174db

    SHA1

    d0ddf304efb6a1f718b7016114c06424ed8bbedc

    SHA256

    d880fde66ccd8509c57a113bc4c43e40ee49046e7ec4374389eb92a873da1ade

    SHA512

    4229de12c8951347ff8a69faac17ffaf237645c688e938c2fdedac9a3f1c10dfde0906e7fc4c6fa8418d4207f30de7df4c7ced6e1c8ee02562dccc5d1e08a7a0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\KUs22JIZTC\_Files\_Information.txt
    Filesize

    1KB

    MD5

    5efc7e59bde9b31436401897656a6789

    SHA1

    905f98c197df5e286ff6d095c5f99f4db4ce85e0

    SHA256

    c29a4f74181dc99bcb42aced998c45c20d97748268e63c021606d222ccf7c30c

    SHA512

    15ef8cf1df1203d91f7320324a612f9d14c0b625eb8e4e13503732654b8a9dff9e5b638e836507e5a23a700d58b8deb734709d878d19ea767edfbc413408851e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\KUs22JIZTC\_Files\_Information.txt
    Filesize

    4KB

    MD5

    ffa7a3e32759a5c6412b1549232c393e

    SHA1

    d136358b6d67540478ede48a5cedd461a0a79a06

    SHA256

    75209a36ef136fc3a36e0be67b2e13efa53606ada8b7ff3f0624c5b45b69869b

    SHA512

    4dc53a159b39bf383229e6d6155b16f1826efcda1768ed3f9ee054af8625b5617a3c0cdca1b2356fd1ea52af74c0179a701ccdb1333441a2207edad94b122902

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\KUs22JIZTC\_Files\_Information.txt
    Filesize

    4KB

    MD5

    7cf0e14f5441c519e5d51e5aea82fec8

    SHA1

    a9e9b7a19aa84f33bd4be8d7cb4455ede344e564

    SHA256

    99a4fcfc881dbc1293c1dddb9856592280677c08396f25a1eb14244ec65e431b

    SHA512

    f597129a26334bfc73e22857c36fc5d3981b8cf6eb6b07d952929a372cb8f247c942b9cba245641358db256ac4e1958347ff0bb780f22c7e1ca961f3dfe89378

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\KUs22JIZTC\_Files\_Screen_Desktop.jpeg
    Filesize

    47KB

    MD5

    e7b8097248ee3845feb9adce7755c59c

    SHA1

    b25ebf3612bf280fef47f55129e432e966a46691

    SHA256

    3d35049c80a7ea03f0f13ecc9f2bb123679f046718ba13f57a96718609197b56

    SHA512

    c1c357cfac72d6e5cb4387fcd1584de1b1e2f0ea6b91e0ea459749a3eab972a03ce213aa6fd5a206678096752225630f4507633f23f6eb675992208b5d85709d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\KUs22JIZTC\files_\system_info.txt
    Filesize

    7KB

    MD5

    7bcfcf3616d7de2754389d6a178b55a8

    SHA1

    729fa2a4c2bd485e72ca6005a4fcf15fa28369a8

    SHA256

    b355f4efc3c9af28d2f5fd0e128ee62bfa464132c8ca2763f437476e21e2994b

    SHA512

    b2cbcece5e177b211fa2297cc51c553b30d45479f7666016369e214374fe84869cd7d796992cc6373227ee3189972b26353cc12ba9658ed50e261aa6ca6d8638

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\KUs22JIZTC\oroAfErW.zip
    Filesize

    41KB

    MD5

    1df3cc486979fd649d2bafa7b9f6f4fa

    SHA1

    17c399f375aaff6e4ad6f9d6c9641fbcd645d976

    SHA256

    5fe3175f2f23b505477da8a781b98c084ea0beb22a66bb950f1775e06c177de2

    SHA512

    dc46ae88aa3ecb821dcd152fa2dfe45171d68a5c57ebde88df146223ab0be68a08ff8335a6c5abd15165f1050be1ed439caa1177cfb71aa6ea53f99a89416cef

    Download Submit

  • memory/1292-223-0x0000000000560000-0x0000000000A76000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/1292-232-0x0000000000560000-0x0000000000A76000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/1292-5-0x0000000000561000-0x00000000005BC000-memory.dmp

    Filesize

    364KB

    Download

  • memory/1292-2-0x0000000004D10000-0x0000000004D11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1292-3-0x0000000004D30000-0x0000000004D31000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1292-221-0x0000000000560000-0x0000000000A76000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/1292-0-0x0000000000560000-0x0000000000A76000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/1292-4-0x0000000004D20000-0x0000000004D21000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1292-226-0x0000000000560000-0x0000000000A76000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/1292-227-0x0000000000560000-0x0000000000A76000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/1292-229-0x0000000000560000-0x0000000000A76000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/1292-6-0x0000000000560000-0x0000000000A76000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/1292-235-0x0000000000560000-0x0000000000A76000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/1292-238-0x0000000000560000-0x0000000000A76000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/1292-240-0x0000000000560000-0x0000000000A76000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/1292-243-0x0000000000560000-0x0000000000A76000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/1292-246-0x0000000000560000-0x0000000000A76000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/1292-249-0x0000000000560000-0x0000000000A76000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/1292-254-0x0000000000560000-0x0000000000A76000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/1292-257-0x0000000000560000-0x0000000000A76000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/1292-1-0x0000000077D94000-0x0000000077D96000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1292-259-0x0000000000560000-0x0000000000A76000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/1292-263-0x0000000000560000-0x0000000000A76000-memory.dmp

    Filesize

    5.1MB

    Download