growtopia | aa9976401edd918f45dd444db8bab87e26ec05678f0ff49a1b15c51695238ac0

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
24-08-2024 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be088f9cb37894571ffabe46e800b085_JaffaCakes118.exe
Size

14KB
MD5

be088f9cb37894571ffabe46e800b085
SHA1

a6cced4ece759fc31c641c08170e195a25c356ae
SHA256

aa9976401edd918f45dd444db8bab87e26ec05678f0ff49a1b15c51695238ac0
SHA512

257ade2f3f03ad27cdfd8e6cf7085d8ab3151f08fee487e22ecdc7f691b861f1dd204bbc04556917a7e6e064187a6336ff1bd10c290093996231bc34f7eb1f02
SSDEEP

384:TpmJRTSf71qz1SdZd5z2/0/R0YEcP7DML7hXnESb:1mJRTSf71qz1SdZd5ie0s6l

Score

10^/10

growtopia discovery stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
123456seven

Signatures

Growtopia
Growtopa is an opensource modular stealer written in C#.
stealer growtopia

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	icanhazip.com
5	icanhazip.com

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	be088f9cb37894571ffabe46e800b085_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2076	be088f9cb37894571ffabe46e800b085_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\be088f9cb37894571ffabe46e800b085_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\be088f9cb37894571ffabe46e800b085_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2076-0-0x0000000073FAE000-0x0000000073FAF000-memory.dmp

Filesize
4KB

Download
memory/2076-1-0x0000000000800000-0x000000000080A000-memory.dmp

Filesize
40KB

Download
memory/2076-2-0x0000000073FA0000-0x000000007468E000-memory.dmp

Filesize
6.9MB

Download
memory/2076-3-0x0000000073FA0000-0x000000007468E000-memory.dmp

Filesize
6.9MB

Download