Analysis
- max time kernel: 147s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-06-2024 01:25
Static task: static1

Behavioral tasks (sample, resource):
- behavioral1: 88f8f695e6af7d58da5f5b7ef60d0bde_JaffaCakes118.exe (win7-20240508-en)
- behavioral2: 88f8f695e6af7d58da5f5b7ef60d0bde_JaffaCakes118.exe (win10v2004-20240426-en)
- behavioral3: $PLUGINSDIR/System.dll (win7-20240221-en)
- behavioral4: $PLUGINSDIR/System.dll (win10v2004-20240426-en)
- behavioral5: $PLUGINSDIR/UAC.dll (win7-20240419-en)
- behavioral6: $PLUGINSDIR/UAC.dll (win10v2004-20240226-en)
- behavioral7: $PLUGINSDIR/UserInfo.dll (win7-20240221-en)
- behavioral8: $PLUGINSDIR/UserInfo.dll (win10v2004-20240508-en)
- behavioral9: $PLUGINSDIR/nsDialogs.dll (win7-20240220-en)
- behavioral10: $PLUGINSDIR/nsDialogs.dll (win10v2004-20240508-en)
- behavioral11: $PLUGINSDIR/nsExec.dll (win7-20240508-en)
- behavioral12: $PLUGINSDIR/nsExec.dll (win10v2004-20240426-en)
- behavioral13: DowloadX.exe (win7-20240221-en)
- behavioral14: DowloadX.exe (win10v2004-20240508-en)
- behavioral15: Download.exe (win7-20240508-en)
- behavioral16: Download.exe (win10v2004-20240426-en)
- behavioral17: ipras.vbs (win7-20240419-en)
- behavioral18: ipras.vbs (win10v2004-20240508-en)
General
- Target: 88f8f695e6af7d58da5f5b7ef60d0bde_JaffaCakes118.exe
- Size: 4.1MB
- MD5: 88f8f695e6af7d58da5f5b7ef60d0bde
- SHA1: 16b06bd05058abf520703ab656826099f93a094b
- SHA256: 41ce8dc9fe52cbb66ddf436ec0d9160bf9ce9194c423fbc0397705793f8ddc2c
- SHA512: 37781b0d848f512caf258f3d21836827d8206ecafabced9f579f9fc25537c60ed20cf5e509b0de882dee7b4d09751fcc8a68541ae9e2d60175b2e4d9f6344ddc
- SSDEEP: 98304:HQCkuQvwiizV8qUOMbKQ4G2ZQFyEVBo9OAFKlAmdxGQyx7AAkvvj:HQCfJV8qUOMqZHEfnl1xGQ4AAkvb
Malware Config
Extracted
- Family: cryptbot
- C2: cede01.info
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
  Processes: Download.exe, DowloadX.exe
  - Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (Download.exe)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (DowloadX.exe)
- Blocklisted process makes network request (3 IoCs)
  Processes: CScript.exe
  - flow 6, pid 3724, CScript.exe
  - flow 8, pid 3724, CScript.exe
  - flow 10, pid 3724, CScript.exe
- Checks BIOS information in registry (2 TTPs, 4 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: Download.exe, DowloadX.exe
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (Download.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (Download.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (DowloadX.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (DowloadX.exe)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes: Download.exe
  - Key value queried: \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation (Download.exe)
- Executes dropped EXE (2 IoCs)
  Processes: Download.exe, DowloadX.exe
  - pid 2980, Download.exe
  - pid 3660, DowloadX.exe
- Identifies Wine through registry keys (2 TTPs, 2 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes: Download.exe, DowloadX.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Wine (Download.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Wine (DowloadX.exe)
- Loads dropped DLL (2 IoCs)
  Processes: 88f8f695e6af7d58da5f5b7ef60d0bde_JaffaCakes118.exe
  - pid 1916, 88f8f695e6af7d58da5f5b7ef60d0bde_JaffaCakes118.exe (listed twice)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  - flow 24, ip-api.com
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes: Download.exe, DowloadX.exe
  - pid 2980, Download.exe
  - pid 3660, DowloadX.exe
- Drops file in Program Files directory (3 IoCs)
  Processes: 88f8f695e6af7d58da5f5b7ef60d0bde_JaffaCakes118.exe
  - File created: C:\Program Files (x86)\Doper\DowloadX.exe (88f8f695e6af7d58da5f5b7ef60d0bde_JaffaCakes118.exe)
  - File created: C:\Program Files (x86)\Doper\Download.exe (88f8f695e6af7d58da5f5b7ef60d0bde_JaffaCakes118.exe)
  - File created: C:\Program Files (x86)\Doper\ipras.vbs (88f8f695e6af7d58da5f5b7ef60d0bde_JaffaCakes118.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: Download.exe
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (Download.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (Download.exe)
- Delays execution with timeout.exe (1 IoC)
  Processes: timeout.exe
  - pid 4664, timeout.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: Download.exe, DowloadX.exe
  - pid 2980, Download.exe (listed twice)
  - pid 3660, DowloadX.exe (listed twice)
- Suspicious use of FindShellTrayWindow (12 IoCs)
  Processes: Download.exe
  - pid 2980, Download.exe (listed 12 times)
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes: 88f8f695e6af7d58da5f5b7ef60d0bde_JaffaCakes118.exe, Download.exe, cmd.exe
  - PID 1916 (88f8f695e6af7d58da5f5b7ef60d0bde_JaffaCakes118.exe) wrote to memory of PID 3724 (CScript.exe), listed 3 times
  - PID 1916 (88f8f695e6af7d58da5f5b7ef60d0bde_JaffaCakes118.exe) wrote to memory of PID 2980 (Download.exe), listed 3 times
  - PID 2980 (Download.exe) wrote to memory of PID 3048 (cmd.exe), listed 3 times
  - PID 3048 (cmd.exe) wrote to memory of PID 4664 (timeout.exe), listed 3 times
  - PID 1916 (88f8f695e6af7d58da5f5b7ef60d0bde_JaffaCakes118.exe) wrote to memory of PID 3660 (DowloadX.exe), listed 3 times
Processes (process tree; indentation shows parent/child relationship)
- C:\Users\Admin\AppData\Local\Temp\88f8f695e6af7d58da5f5b7ef60d0bde_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\88f8f695e6af7d58da5f5b7ef60d0bde_JaffaCakes118.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\CScript.exe
    Command line: "C:\Windows\system32\CScript.exe" "C:\Program Files (x86)\Doper\ipras.vbs" //e:vbscript //B //NOLOGO
    - Blocklisted process makes network request
  - C:\Program Files (x86)\Doper\Download.exe
    Command line: "C:\Program Files (x86)\Doper\Download.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\ZZzoj5r5rbrtm & timeout 2 & del /f /q "C:\Program Files (x86)\Doper\Download.exe"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\timeout.exe
        Command line: timeout 2
        - Delays execution with timeout.exe
  - C:\Program Files (x86)\Doper\DowloadX.exe
    Command line: "C:\Program Files (x86)\Doper\DowloadX.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Program Files (x86)\Doper\DowloadX.exe
  Filesize: 2.0MB
  MD5: c24b993d6ac519ab2ddf590710ddbb13
  SHA1: 8e0629da1cbaf775b28682732bea82458c3f4e1c
  SHA256: 0da0ce6849d2c36b47b6d2977926eeeed2175738e81efafd0e741119dfc40e69
  SHA512: 124abad84c76795a516b3c5dca47d65bae45fff8a0e3a9401d2d4ee394f79ff5cc2897a7ff2305bcb87a90f2c609cc0a982467edb30b22adc4d2e2e5bc702ecd
- C:\Program Files (x86)\Doper\Download.exe
  Filesize: 2.1MB
  MD5: b8312084a400862a2c19797691c6f0a6
  SHA1: d675f4ed00508ff0208f75fd6851d14348c9bed4
  SHA256: 9f23b60e0b3c3360a2b67cc40d977577a74d1b16306522aa306b0feb29dad07b
  SHA512: beae195ed8dd2572e7299cdbe137d80f152cefa89c8bca25bafcf9527b34157833972cc3142d803e8cef33d5fe72217278253f423cc203585097a7ec1a0496ce
- C:\Program Files (x86)\Doper\ipras.vbs
  Filesize: 126B
  MD5: b802ff9244875f69db2fae0f78e92b10
  SHA1: 49385a89cd575894a29fbda969b99cc1f5cf8076
  SHA256: a1b0cb16fb2ecd66fccf156024404801ad694056e8a596326c1b27b57d8eabe8
  SHA512: 609856415a7ae2b3e260f945f1c8a8d2a28884c202d37181bea948708918f24b42ae03f17dba1520fddc91b2f7a182b0b8f885f33ea6f81bb3ee4c72e4e9350e
- C:\ProgramData\ZZzoj5r5rbrtm\47283761.txt
  Filesize: 156B
  MD5: b5089e0c5a3d5377e9bd19c0557ef04e
  SHA1: 9402e326be3d240e234c06892b15c24e93c93eb8
  SHA256: d77789b2c49759c882f4fdd6f53e665b0d012f8f0949d0150eaba47fbf2a0eb5
  SHA512: 942349ccb99854f274ef1e20b623660588e15bd0d25bfc817fe9b2d010db656af340652e0e67b41edbf0cf259d55ab880d6b50acb1d7e8ab394f1393f7956c13
- C:\ProgramData\ZZzoj5r5rbrtm\DlPCLv1UNzcnAE.zip
  Filesize: 48KB
  MD5: da5a48e2a81bff6238568a4fa66146c4
  SHA1: 40a83f2b88621eec7e580dcfc0f394ae5e7d4912
  SHA256: 3caf84524ea99a4c97aa03534e8a71e429749fec60ec35b913d226cf73bd5cc4
  SHA512: ec7c13e02c9bac06d9de514410a87595364532340a6f963f9ed3e18fd696247d114201083b932c60be9bb94e3642df5466af060c60749b3eec241bb9028bd277
- C:\ProgramData\ZZzoj5r5rbrtm\Files\_Info.txt
  Filesize: 4KB
  MD5: 1f07378fd4485c8bce14404f067b0bc3
  SHA1: c31a4e29d4cd979b681b55d2cf426cc4c1937260
  SHA256: 54b20d0bdbddc96d877df07089bc2f9d6757b6838f88f6b7a1dc582a9d94f193
  SHA512: 6e8fc17bb4965525f5bf5c3eb6bd7dab3bfe503c868da71c9e24edf167597e0aab2038f1abeb6ffafafefc35edad1b3b2b370e904301ad9dd5fec7ad16199058
- C:\ProgramData\ZZzoj5r5rbrtm\Files\_Info.txt
  Filesize: 8KB
  MD5: b3122bbdf8309ad8378204ea3922b964
  SHA1: 04c089ea0b65691163e90b426dfd9bfefa6cd0f3
  SHA256: 79cfd0fb89fb17dab52e98794f03b0c3a58e5d429737e16a27eaea63ed39f8f7
  SHA512: 63075db4ca79f2006cc2591186d8b58a9bc2fbf150b241fc18c3164c171b12fdc19aa07375f3bb24a579ea396e88ef0a827abcd29382987cf4f299e9eda93ba8
- C:\ProgramData\ZZzoj5r5rbrtm\Files\_Info.txt
  Filesize: 2KB
  MD5: f01aa7557f5f811137c9d2d0935e3e9d
  SHA1: 6c477a8d18dbcce9d17419ab1b36936277668702
  SHA256: ec6e17428da6997491704b68b598ebd643118173b5307df2cb4231af7da1986d
  SHA512: e5ddda93223b5233828ec6f7addaaa6161bb0659d406ba71504df9b1de1ec68e36484ec78ef52149b6b6009bdaea977b54d5bdc74e070ddc54c8318a080bbb8c
- C:\ProgramData\ZZzoj5r5rbrtm\Files\_Screen.jpg
  Filesize: 52KB
  MD5: 8fe0581b5066708064bbf0793eb9b7ff
  SHA1: bd5242e23e8b48809bd7860262f93159c1e05980
  SHA256: 5d20c32b2db1ad90fe96124771de9b83003f5293dd6d2f36875f7712c0fd84f1
  SHA512: 56e4fa4195c3d78dced5082453cbdc31998c6d823f4d990ee82adf9d1b7a7af042a1af076b2928ad07a13e3b381715157a39ecdb332bd20bee286d74a9dccb76
- C:\ProgramData\ZZzoj5r5rbrtm\MOZ_CO~1.DB
  Filesize: 96KB
  MD5: d367ddfda80fdcf578726bc3b0bc3e3c
  SHA1: 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
  SHA256: 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
  SHA512: 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77
- C:\Users\Admin\AppData\Local\Temp\nsw3E71.tmp\UAC.dll
  Filesize: 14KB
  MD5: adb29e6b186daa765dc750128649b63d
  SHA1: 160cbdc4cb0ac2c142d361df138c537aa7e708c9
  SHA256: 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
  SHA512: b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada
- C:\Users\Admin\AppData\Local\Temp\nsw3E71.tmp\nsExec.dll
  Filesize: 6KB
  MD5: 132e6153717a7f9710dcea4536f364cd
  SHA1: e39bc82c7602e6dd0797115c2bd12e872a5fb2ab
  SHA256: d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2
  SHA512: 9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1
Memory dumps (file, filesize):
- memory/2980-28-0x00000000053A0000-0x00000000053A1000-memory.dmp (4KB)
- memory/2980-191-0x0000000000740000-0x0000000000C6C000-memory.dmp (5.2MB)
- memory/2980-41-0x0000000000740000-0x0000000000C6C000-memory.dmp (5.2MB)
- memory/2980-26-0x0000000005370000-0x0000000005371000-memory.dmp (4KB)
- memory/2980-40-0x0000000000740000-0x0000000000C6C000-memory.dmp (5.2MB)
- memory/2980-27-0x0000000005390000-0x0000000005391000-memory.dmp (4KB)
- memory/2980-169-0x0000000000740000-0x0000000000C6C000-memory.dmp (5.2MB)
- memory/2980-176-0x0000000000740000-0x0000000000C6C000-memory.dmp (5.2MB)
- memory/2980-29-0x0000000005330000-0x0000000005331000-memory.dmp (4KB)
- memory/2980-179-0x0000000000740000-0x0000000000C6C000-memory.dmp (5.2MB)
- memory/2980-180-0x0000000000740000-0x0000000000C6C000-memory.dmp (5.2MB)
- memory/2980-181-0x0000000000740000-0x0000000000C6C000-memory.dmp (5.2MB)
- memory/2980-183-0x0000000000740000-0x0000000000C6C000-memory.dmp (5.2MB)
- memory/2980-185-0x0000000000740000-0x0000000000C6C000-memory.dmp (5.2MB)
- memory/2980-188-0x0000000000740000-0x0000000000C6C000-memory.dmp (5.2MB)
- memory/2980-44-0x0000000000740000-0x0000000000C6C000-memory.dmp (5.2MB)
- memory/2980-194-0x0000000000740000-0x0000000000C6C000-memory.dmp (5.2MB)
- memory/2980-197-0x0000000000740000-0x0000000000C6C000-memory.dmp (5.2MB)
- memory/2980-200-0x0000000000740000-0x0000000000C6C000-memory.dmp (5.2MB)
- memory/2980-203-0x0000000000740000-0x0000000000C6C000-memory.dmp (5.2MB)
- memory/2980-206-0x0000000000740000-0x0000000000C6C000-memory.dmp (5.2MB)
- memory/2980-208-0x0000000000740000-0x0000000000C6C000-memory.dmp (5.2MB)
- memory/2980-211-0x0000000000740000-0x0000000000C6C000-memory.dmp (5.2MB)
- memory/2980-214-0x0000000000740000-0x0000000000C6C000-memory.dmp (5.2MB)
- memory/2980-217-0x0000000000740000-0x0000000000C6C000-memory.dmp (5.2MB)
- memory/2980-219-0x0000000000740000-0x0000000000C6C000-memory.dmp (5.2MB)
- memory/2980-32-0x0000000000741000-0x00000000007A0000-memory.dmp (380KB)
- memory/2980-25-0x0000000077B54000-0x0000000077B56000-memory.dmp (8KB)
- memory/2980-24-0x0000000000740000-0x0000000000C6C000-memory.dmp (5.2MB)
- memory/3660-231-0x0000000000400000-0x0000000000902000-memory.dmp (5.0MB)