Overview
Score: 10/10

Static
Score: 3/10

Per-target scores
Target | Platform | Score (/10)
6f2f7f2ce0...18.exe | windows7-x64 | 3
6f2f7f2ce0...18.exe | windows10-2004-x64 | 10
$PLUGINSDI...em.dll | windows7-x64 | 3
$PLUGINSDI...em.dll | windows10-2004-x64 | 3
$PLUGINSDIR/UAC.dll | windows7-x64 | 3
$PLUGINSDIR/UAC.dll | windows10-2004-x64 | 3
$PLUGINSDI...fo.dll | windows7-x64 | 3
$PLUGINSDI...fo.dll | windows10-2004-x64 | 3
$PLUGINSDI...gs.dll | windows7-x64 | 3
$PLUGINSDI...gs.dll | windows10-2004-x64 | 3
$PLUGINSDI...ec.dll | windows7-x64 | 3
$PLUGINSDI...ec.dll | windows10-2004-x64 | 3
Setup.exe | windows7-x64 | 10
Setup.exe | windows10-2004-x64 | 10
Setupres.exe | windows7-x64 | 9
Setupres.exe | windows10-2004-x64 | 9
VMProtectSDK32.dll | windows7-x64 | 1
VMProtectSDK32.dll | windows10-2004-x64 | 1
ipras.vbs | windows7-x64 | 8
ipras.vbs | windows10-2004-x64 | 8

Analysis
- max time kernel: 141s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-05-2024 16:52
Static task
- static1

Behavioral tasks
Task | Sample | Resource
behavioral1 | 6f2f7f2ce0ef33d170cf9ee67265770d_JaffaCakes118.exe | win7-20240220-en
behavioral2 | 6f2f7f2ce0ef33d170cf9ee67265770d_JaffaCakes118.exe | win10v2004-20240508-en
behavioral3 | $PLUGINSDIR/System.dll | win7-20240215-en
behavioral4 | $PLUGINSDIR/System.dll | win10v2004-20240508-en
behavioral5 | $PLUGINSDIR/UAC.dll | win7-20240508-en
behavioral6 | $PLUGINSDIR/UAC.dll | win10v2004-20240426-en
behavioral7 | $PLUGINSDIR/UserInfo.dll | win7-20240221-en
behavioral8 | $PLUGINSDIR/UserInfo.dll | win10v2004-20240508-en
behavioral9 | $PLUGINSDIR/nsDialogs.dll | win7-20240215-en
behavioral10 | $PLUGINSDIR/nsDialogs.dll | win10v2004-20240508-en
behavioral11 | $PLUGINSDIR/nsExec.dll | win7-20240508-en
behavioral12 | $PLUGINSDIR/nsExec.dll | win10v2004-20240508-en
behavioral13 | Setup.exe | win7-20240220-en
behavioral14 | Setup.exe | win10v2004-20240508-en
behavioral15 | Setupres.exe | win7-20240508-en
behavioral16 | Setupres.exe | win10v2004-20240426-en
behavioral17 | VMProtectSDK32.dll | win7-20231129-en
behavioral18 | VMProtectSDK32.dll | win10v2004-20240426-en
behavioral19 | ipras.vbs | win7-20240508-en
behavioral20 | ipras.vbs | win10v2004-20240226-en
General
- Target: Setup.exe
- Size: 2.2MB
- MD5: 112612c1ceaf7965ed7beb7d2341e0e2
- SHA1: 4a2e3df41d122e0ab2e4d8b774e806554f4a6296
- SHA256: b5ee04d73e9cfa30a1719d2cbf9d17e76a5c8dc6149f9bb571365d5ee5b00072
- SHA512: 5ebf8b9f98497c35629d6924e03ca5d7661fea4ff5ae46ae56c56111f38d3af2ad51818d4363985424991e53663d1b96c366d84cbeb34dbecf641e7d09c1eeba
- SSDEEP: 49152:8NE9c7j+VxRCE0ntUyaDou+DuPSQQN/630zOKDYhKk:2j+0jntUODuPwdyZKDYhKk
Malware Config
Extracted
- Family: cryptbot
- C2: biss01.info
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Setup.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Setup.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Setup.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | Setup.exe
- Identifies Wine through registry keys (2 TTPs, 1 IoC)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Wine | Setup.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network flows:
  flow | ioc
  12 | ip-api.com
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes:
  pid | process
  4116 | Setup.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Setup.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Setup.exe
- Delays execution with timeout.exe (1 IoC)
  Processes:
  pid | process
  1628 | timeout.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid | process
  4116 | Setup.exe (2 occurrences)
- Suspicious use of FindShellTrayWindow (12 IoCs)
  Processes:
  pid | process
  4116 | Setup.exe (12 occurrences)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  description | pid | process | target process
  PID 4116 wrote to memory of 708 | 4116 | Setup.exe | cmd.exe (3 occurrences)
  PID 708 wrote to memory of 1628 | 708 | cmd.exe | timeout.exe (3 occurrences)
Processes
1. C:\Users\Admin\AppData\Local\Temp\Setup.exe (PID 4116)
   Command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Checks computer location settings
   - Identifies Wine through registry keys
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Checks processor information in registry
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe (PID 708)
      Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\PMf26YKoN8aTolh & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\timeout.exe (PID 1628)
         Command line: timeout 2
         - Delays execution with timeout.exe

PIDs are taken from the signature tables above. The cmd.exe child is the cleanup step: it removes the C:\ProgramData\PMf26YKoN8aTolh staging directory (the location of every dropped file listed under Downloads), waits two seconds so the parent can exit, then deletes the Setup.exe binary itself. The image path is SysWOW64 although the command line names system32 because the 32-bit parent is subject to WOW64 file-system redirection.
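As an added example, not part of this sandbox report or of the Triage signature set, the following Python script turns the registry, DNS and process-creation IoCs listed above into a host-side detection pass. The event tuple layout, the msiexec.exe noise event and the threshold of three distinct fingerprint reads are assumptions made for this example; the registry paths, PIDs, SID and the cmd.exe command line are copied from the report.

```python
"""Added example: detection pass over constructed Sysmon-style events that
reproduces the behaviours the report attributes to Setup.exe (PID 4116) and
its cmd.exe child (PID 708). Event tuples are constructed for this example;
registry paths, PIDs and the command line are copied from the report."""
import re
from collections import defaultdict

# Registry paths the report lists as fingerprinting / anti-analysis reads.
# Matched as suffixes so HKLM\... and \REGISTRY\MACHINE\... spellings both hit.
FINGERPRINT_KEYS = {
    r"HARDWARE\ACPI\DSDT\VBOX__": "VirtualBox ACPI table (anti-VM)",
    r"HARDWARE\DESCRIPTION\System\SystemBiosVersion": "system BIOS version",
    r"HARDWARE\DESCRIPTION\System\VideoBiosVersion": "video BIOS version",
    r"HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString": "CPU name string",
    r"\Software\Wine": "Wine registry key (sandbox check)",
    r"\Control Panel\International\Geo\Nation": "country code (geofence)",
}
IP_LOOKUP_HOSTS = {"ip-api.com"}

# cmd.exe /c rd /s /q <staging dir> & timeout N & del /f /q "<own binary>"
SELF_DELETE_RE = re.compile(
    r'rd\s+/s\s+/q\s+(?P<dir>\S+).*?&\s*timeout\s+\d+\s*&\s*del\s+/f\s+/q\s+"?(?P<target>[^"]+)',
    re.IGNORECASE,
)

HKU = "\\REGISTRY\\USER\\S-1-5-21-4124900551-4068476067-3491212533-1000"  # SID from the report

# Constructed sample events (assumed layout): (event_type, pid, image, detail)
SAMPLE_EVENTS = [
    ("RegistryEvent", 4116, "Setup.exe", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    ("RegistryEvent", 4116, "Setup.exe", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    ("RegistryEvent", 4116, "Setup.exe", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    ("RegistryEvent", 4116, "Setup.exe", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"),
    ("RegistryEvent", 4116, "Setup.exe", HKU + r"\Software\Wine"),
    ("RegistryEvent", 4116, "Setup.exe", HKU + r"\Control Panel\International\Geo\Nation"),
    ("DnsQuery", 4116, "Setup.exe", "ip-api.com"),
    ("ProcessCreate", 708, "cmd.exe",
     r'"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\PMf26YKoN8aTolh & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Setup.exe"'),
    ("ProcessCreate", 1628, "timeout.exe", "timeout 2"),
    # Assumed benign noise: one BIOS read by an installer must not be flagged on its own.
    ("RegistryEvent", 2448, "msiexec.exe", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
]


def score_events(events):
    """Map pid -> {"image", "hits"} for every process with at least one matching event."""
    findings = defaultdict(lambda: {"image": None, "hits": []})
    for kind, pid, image, detail in events:
        hits = []
        if kind == "RegistryEvent":
            low = detail.lower()
            hits += [f"reads {label}: {detail}"
                     for key, label in FINGERPRINT_KEYS.items() if low.endswith(key.lower())]
        elif kind == "DnsQuery" and detail.lower() in IP_LOOKUP_HOSTS:
            hits.append(f"external IP lookup via {detail}")
        elif kind == "ProcessCreate":
            m = SELF_DELETE_RE.search(detail)
            if m:
                hits.append(f"self-delete: wipes {m.group('dir')} then deletes {m.group('target')}")
        if hits:
            findings[pid]["image"] = image
            findings[pid]["hits"].extend(hits)
    return dict(findings)


def verdict(findings, min_fingerprint_reads=3):
    """Flag a process that performs >= min_fingerprint_reads distinct fingerprint reads
    (a single BIOS query is routine for installers) or any self-delete command line."""
    flagged = {}
    for pid, info in findings.items():
        reads = {h for h in info["hits"] if h.startswith("reads ")}
        self_delete = any(h.startswith("self-delete") for h in info["hits"])
        if len(reads) >= min_fingerprint_reads or self_delete:
            flagged[pid] = info
    return flagged


if __name__ == "__main__":
    for pid, info in verdict(score_events(SAMPLE_EVENTS)).items():
        print(f"[!] {info['image']} (PID {pid})")
        for hit in info["hits"]:
            print(f"    - {hit}")
```

Run directly, it reports Setup.exe (PID 4116) for six distinct fingerprint reads plus the ip-api.com lookup, and cmd.exe (PID 708) for the self-delete command line, while the lone msiexec.exe BIOS read stays below the threshold. In production the tuples would come from Sysmon event IDs 1 (process creation), 12/13 (registry) and 22 (DNS) or equivalent EDR telemetry; the threshold exists because any one of these reads is common in legitimate software, and it is the combination from a single PID that makes this sample's profile distinctive.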
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
Every dropped file below sits under C:\ProgramData\PMf26YKoN8aTolh, the staging directory the cmd.exe child removes with rd /s /q, so on an infected host these artefacts exist only until the cleanup runs; the sandbox captured them first. _Info.txt is listed four times with different sizes and hashes because it was rewritten during execution and each version was captured.

- C:\ProgramData\PMf26YKoN8aTolh\47283761.txt
  Filesize: 156B
  MD5: b5089e0c5a3d5377e9bd19c0557ef04e
  SHA1: 9402e326be3d240e234c06892b15c24e93c93eb8
  SHA256: d77789b2c49759c882f4fdd6f53e665b0d012f8f0949d0150eaba47fbf2a0eb5
  SHA512: 942349ccb99854f274ef1e20b623660588e15bd0d25bfc817fe9b2d010db656af340652e0e67b41edbf0cf259d55ab880d6b50acb1d7e8ab394f1393f7956c13
- C:\ProgramData\PMf26YKoN8aTolh\Files\_Info.txt
  Filesize: 8KB
  MD5: c6ee6a7ab9b77686cf57fc7ae10a2ab4
  SHA1: 1574a197fd6149eb2f820d3d5dcaeaf48474a09b
  SHA256: beccedef92c92e655d75f92219b3ef874771c8dfab95bc91b63e9608029d1e95
  SHA512: 2a6d57b2f58bbb70e37cafcde51612271afd90a621137fbd9b5e9f631797da5eb42d802a5a88611331ddd11e2eb50a3b5f8c29c43bf17eba9466f087ee47959f
- C:\ProgramData\PMf26YKoN8aTolh\Files\_Info.txt
  Filesize: 1KB
  MD5: 43f6639238e97b835e764817ed790622
  SHA1: 9a80abc9675eb78d9b22bdcd0cc73cf80fe112b0
  SHA256: 7430cddf0f439dcf6edbee18e9f1054166dda11445f9584dfc5ec93c0df93a53
  SHA512: 31a0795a4fc64a7bfd2559d440a298519c0a49d240698e089b336e9ebdd04d84391c6b6fa8ee99183dad9c99386071f2f2a09af0ed90b82f8dab98b43aabbaa8
- C:\ProgramData\PMf26YKoN8aTolh\Files\_Info.txt
  Filesize: 2KB
  MD5: 1ad7b2f4ca8d894965e4b34eac3cfb1d
  SHA1: 2d6c864e58e7b65cf57bcd67b4bb73af2927ca7d
  SHA256: 2d10704e5ba73a54c839359831bf113ec03ea99a6068a5a979e4e131470ad34e
  SHA512: 597c84cdb4fdccac7ffb26a29cceddd3c876cb2650c53eb9d9990e12fe805d36f2ab9e9640ada11e0bc1424cae27a3f5a9407da69d41de629acfec381bc5f963
- C:\ProgramData\PMf26YKoN8aTolh\Files\_Info.txt
  Filesize: 4KB
  MD5: 18676ac89d770d8f5a8fd0f710fe7e92
  SHA1: 0a782ed65c31c2390597b4cdab0dfccbac042f12
  SHA256: eb8d4b2135c250d758348f1fd3a0b6da3c581b89c58322aa79b422daf947dfb5
  SHA512: 6cc904723faf4a0c6cd6d05f22a63cd89335f0c81883b272df1931f8fa8eba40b631dc3510e501509acee4f4a1a10140bbdf8572121d4052b467bc3e52383363
- C:\ProgramData\PMf26YKoN8aTolh\Files\_Screen.jpg
  Filesize: 51KB
  MD5: 5fa3528b745090b3112653f305c20823
  SHA1: 951b8a311ce3f01fcbb59fdf6ffde5dfe3a1b94f
  SHA256: 541b64894cd8061f5ac2857465fbd31dfb00c1bd79aa4fd1e3587cf2661542eb
  SHA512: a2354c74cd4ced8a35907363d3e37dc2cb76fcc519b19f3650d7d9018efd0d793f705f3e9d70794c6c1083a823bd04ece0e993b388db33db2f9f8059e6e0c26f
- C:\ProgramData\PMf26YKoN8aTolh\MOZ_CO~1.DB
  Filesize: 96KB
  MD5: d367ddfda80fdcf578726bc3b0bc3e3c
  SHA1: 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
  SHA256: 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
  SHA512: 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77
- C:\ProgramData\PMf26YKoN8aTolh\njDsWUBSG0R.zip
  Filesize: 47KB
  MD5: dfc27f04441350c9458f7091522bd6f5
  SHA1: fa4de3ae5d6e380dea4d6553a594a63416f9cad7
  SHA256: 875336205eb914a162e39ac4b58810568d5ad9d2dbee577fc898b83d725475ac
  SHA512: 73a1f965787eeac5432ca00a586e5bf8d6df2537a6ab5e801cc231d2e49762f22f1356c4fd340e0ac4a2d4c056de45ba3e10e0f3136a6a75db0fb03fb733e860

Memory dumps (PID 4116, ordered by snapshot index)
Dump | Filesize
memory/4116-0-0x0000000000A70000-0x0000000000FA7000-memory.dmp | 5.2MB
memory/4116-1-0x00000000779B4000-0x00000000779B6000-memory.dmp | 8KB
memory/4116-4-0x0000000005050000-0x0000000005051000-memory.dmp | 4KB
memory/4116-5-0x0000000005070000-0x0000000005071000-memory.dmp | 4KB
memory/4116-6-0x0000000005080000-0x0000000005081000-memory.dmp | 4KB
memory/4116-7-0x0000000005010000-0x0000000005011000-memory.dmp | 4KB
memory/4116-10-0x0000000000A71000-0x0000000000AD0000-memory.dmp | 380KB
memory/4116-16-0x0000000000A70000-0x0000000000FA7000-memory.dmp | 5.2MB
memory/4116-17-0x0000000000A70000-0x0000000000FA7000-memory.dmp | 5.2MB
memory/4116-20-0x0000000000A70000-0x0000000000FA7000-memory.dmp | 5.2MB
memory/4116-151-0x0000000000A70000-0x0000000000FA7000-memory.dmp | 5.2MB
memory/4116-154-0x0000000000A70000-0x0000000000FA7000-memory.dmp | 5.2MB
memory/4116-155-0x0000000000A70000-0x0000000000FA7000-memory.dmp | 5.2MB
memory/4116-157-0x0000000000A70000-0x0000000000FA7000-memory.dmp | 5.2MB
memory/4116-159-0x0000000000A70000-0x0000000000FA7000-memory.dmp | 5.2MB
memory/4116-163-0x0000000000A70000-0x0000000000FA7000-memory.dmp | 5.2MB
memory/4116-165-0x0000000000A70000-0x0000000000FA7000-memory.dmp | 5.2MB
memory/4116-168-0x0000000000A70000-0x0000000000FA7000-memory.dmp | 5.2MB
memory/4116-171-0x0000000000A70000-0x0000000000FA7000-memory.dmp | 5.2MB
memory/4116-175-0x0000000000A70000-0x0000000000FA7000-memory.dmp | 5.2MB
memory/4116-177-0x0000000000A70000-0x0000000000FA7000-memory.dmp | 5.2MB
memory/4116-180-0x0000000000A70000-0x0000000000FA7000-memory.dmp | 5.2MB
memory/4116-184-0x0000000000A70000-0x0000000000FA7000-memory.dmp | 5.2MB
memory/4116-186-0x0000000000A70000-0x0000000000FA7000-memory.dmp | 5.2MB
memory/4116-189-0x0000000000A70000-0x0000000000FA7000-memory.dmp | 5.2MB
memory/4116-192-0x0000000000A70000-0x0000000000FA7000-memory.dmp | 5.2MB