Overview

overview

10

Static

static

3

afa7b150f5...18.exe

windows7-x64

10

afa7b150f5...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-06-2024 17:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    afa7b150f54cbc139f9586b16594bec4_JaffaCakes118.exe

  • Size

    2.2MB

  • MD5

    afa7b150f54cbc139f9586b16594bec4

  • SHA1

    08109ddd53482cdcd6138d888626a5b860bc0925

  • SHA256

    fe87a5839e5ead9a79ac2298a796b773b5b683c3f08736ef72b733a0d2295cd8

  • SHA512

    75f39564c813419c5f275dd50113be54801e7afbd365e489c7c365d9e4e14c5ec15474f4bf451a9ffa7555e2e711f869da572149d0654c34fd92664cdfec6431

  • SSDEEP

    49152:qG4GoaF4thIhzSZJQDOIxBxzDcKxQeE91SbgUJYmh:qGM8S0DOolDcK2eEPSbgUJYmh

Score
10/10
cryptbotdiscoveryevasionspywarestealer

Malware Config

Extracted

Family

cryptbot

C2

cede03.info

Signatures

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\afa7b150f54cbc139f9586b16594bec4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\afa7b150f54cbc139f9586b16594bec4_JaffaCakes118.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    PID:416

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\JylprYZa\Files\_Info.txt
    Filesize

    1KB

    MD5

    c2ac2f1fb07e1dddeeab3482f7221403

    SHA1

    8fcb0ae51e5d6c39bd82fed2d7ef5fdbefebbe76

    SHA256

    ef0819adf9adbac1a4fcfc77390ca58ecf9d0cd9f59c9c41496cc2cfc13c569b

    SHA512

    8f64362897af11038336875dce32c2ba2f910823cd30a47f144491c3b854d42b492738c40f272b6df882e48fa1c816cd2b006b515d3ee86cb9f69b1015fac40f

    Download Submit

  • C:\ProgramData\JylprYZa\Files\_Info.txt
    Filesize

    8KB

    MD5

    3281fde8ab8cc7fd838e0a06f0f118de

    SHA1

    00d6effb46ba68e94ca8979e2e1753f9cfa3dbfd

    SHA256

    528ddebc488db3b64601aaaa436a2acd790e0f254ff49ad642459f1c176f40e5

    SHA512

    ce470ce46b54c2dbc5127aa622dce39a39af5819b44cb30eae00dd717554dad3b8d29a0a086087e3cce2c4a00b8f012ba43e7f0370f5fcb02d04c8f346611b57

    Download Submit

  • C:\ProgramData\JylprYZa\RWlPqCSlSz.zip
    Filesize

    46KB

    MD5

    4c80e3ddbe12224f91701e554b3c2cf3

    SHA1

    02eeef934ed60e974a665359adaf89645055ac97

    SHA256

    80a2e60ba36eadea24a6369a6e3e6b239972aaf211b2ed4ae34e423d7783adc7

    SHA512

    ec4ee45156c231ad50564c8f1179b60b1fc27a7417816cdf29e289787e65fc0c95452c24ee5cfeb5e375027de008790041a47c43b12bcc0db833d1fe65a5194e

    Download Submit

  • memory/416-142-0x0000000000510000-0x0000000000A64000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/416-144-0x0000000000510000-0x0000000000A64000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/416-8-0x0000000005420000-0x0000000005421000-memory.dmp

    Filesize

    4KB

    Download

  • memory/416-15-0x0000000000510000-0x0000000000A64000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/416-16-0x0000000000510000-0x0000000000A64000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/416-19-0x0000000000510000-0x0000000000A64000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/416-20-0x0000000000510000-0x0000000000A64000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/416-10-0x00000000053E0000-0x00000000053E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/416-12-0x0000000000511000-0x0000000000570000-memory.dmp

    Filesize

    380KB

    Download

  • memory/416-135-0x0000000000510000-0x0000000000A64000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/416-141-0x0000000000510000-0x0000000000A64000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/416-0-0x0000000000510000-0x0000000000A64000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/416-143-0x0000000000510000-0x0000000000A64000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/416-9-0x0000000005440000-0x0000000005441000-memory.dmp

    Filesize

    4KB

    Download

  • memory/416-147-0x0000000000510000-0x0000000000A64000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/416-1-0x00000000772B4000-0x00000000772B6000-memory.dmp

    Filesize

    8KB

    Download

  • memory/416-149-0x0000000000510000-0x0000000000A64000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/416-151-0x0000000000510000-0x0000000000A64000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/416-153-0x0000000000510000-0x0000000000A64000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/416-155-0x0000000000510000-0x0000000000A64000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/416-156-0x0000000000510000-0x0000000000A64000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/416-158-0x0000000000510000-0x0000000000A64000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/416-160-0x0000000000510000-0x0000000000A64000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/416-162-0x0000000000510000-0x0000000000A64000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/416-163-0x0000000000510000-0x0000000000A64000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/416-165-0x0000000000510000-0x0000000000A64000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/416-167-0x0000000000510000-0x0000000000A64000-memory.dmp

    Filesize

    5.3MB

    Download