Overview

overview

10

Static

static

3

c1f5116801...18.exe

windows7-x64

10

c1f5116801...18.exe

windows10-2004-x64

10

$PLUGINSDI...ia.dll

windows7-x64

3

$PLUGINSDI...ia.dll

windows10-2004-x64

3

Sharing

Copy URL Twitter E-mail

General

  • Target

    c1f511680161b3fab745486102e8381e_JaffaCakes118

  • Size

    4.3MB

  • Sample

    240826-a91xaaxclj

  • MD5

    c1f511680161b3fab745486102e8381e

  • SHA1

    bd8e304e2ac452e7df955d5d10905524f47c026a

  • SHA256

    ec78d43e9300ebc56eb4354a9b698fc6eba40c77ca8231f440668b4a2c7b8be0

  • SHA512

    3e0d42a09d1175e883fd2cc89076e7194d2032ad2a29917f74ece0ec4e2942dc1108c6bbf7c113b8f95151a7fbabc80ca2cf319f1c92b48e6a70ed7730cd90d7

  • SSDEEP

    98304:vKVUJmFYJZ2pzdrGx4jONHhe/o3WqVAnq49r:vKVU8FYizxGxhHTmqVAnqyr

Score
10/10
cryptbotcredential_accessdiscoveryevasionspywarestealer

Malware Config

Extracted

Family

cryptbot

C2

bibinene03.top

moraass05.top

Targets

    • Target

      c1f511680161b3fab745486102e8381e_JaffaCakes118

    • Size

      4.3MB

    • MD5

      c1f511680161b3fab745486102e8381e

    • SHA1

      bd8e304e2ac452e7df955d5d10905524f47c026a

    • SHA256

      ec78d43e9300ebc56eb4354a9b698fc6eba40c77ca8231f440668b4a2c7b8be0

    • SHA512

      3e0d42a09d1175e883fd2cc89076e7194d2032ad2a29917f74ece0ec4e2942dc1108c6bbf7c113b8f95151a7fbabc80ca2cf319f1c92b48e6a70ed7730cd90d7

    • SSDEEP

      98304:vKVUJmFYJZ2pzdrGx4jONHhe/o3WqVAnq49r:vKVU8FYizxGxhHTmqVAnqyr

    Score
    10/10
    cryptbotcredential_accessdiscoveryevasionspywarestealer

    • CryptBot

      A C++ stealer distributed widely in bundle with other software.

      spywarestealercryptbot

    • CryptBot payload

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/Sibuia.dll

    • Size

      524KB

    • MD5

      6a3c3c97e92a5949f88311e80268bbb5

    • SHA1

      48c11e3f694b468479bc2c978749d27b5d03faa2

    • SHA256

      7938db73242aafbe80915e4ca886d38be9b7e872b93bdae1e8ee6cf4a005b7d9

    • SHA512

      6141886a889825ccdfa59a419f7670a34ef240c4f90a83bc17223c415f2fbd983280e98e67485710e449746b5bf3284907537bef6ab698a48954dd4910ddf693

    • SSDEEP

      12288:yFlW+6yL4qXm3e39uB9dk6M6g89vYyw7UwogmySQk9GS168q:y/L6yL44oAP7LD7UvCaGSlq

    Score
    3/10
    discovery
    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks