Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

d0d341d2d2...18.exe

windows7-x64

10

d0d341d2d2...18.exe

windows10-2004-x64

10

$PLUGINSDI...ia.dll

windows7-x64

3

$PLUGINSDI...ia.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    07/09/2024, 01:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d0d341d2d2f0f61a4c403b88085e3576_JaffaCakes118.exe

  • Size

    4.2MB

  • MD5

    d0d341d2d2f0f61a4c403b88085e3576

  • SHA1

    bf8c04ebd83d850cfafce00c49b0ea2646acedee

  • SHA256

    cef1d3f10fdb50df41e0dcb5c77e45c4587adb76747259ce893ceabb863d9994

  • SHA512

    b35c7ccd2d7df90efe8457cfcfb8a13353216bb83c9900cdf64916e2956f0852d0272216679b10cd669db44db15c5fef0a6427bf3a2752cb585626144b0df95c

  • SSDEEP

    49152:zOdVHtDhAcN9W4L0bXIOyyB85hOTm8z3th24azqaNBJkLy0vq3dsJ8zYNawVG9aE:CXNucUnyJ09h24azvFYyeU7kREDBZ

Score
10/10
cryptbotcredential_accessdiscoveryevasionspywarestealer

Malware Config

Extracted

Family

cryptbot

C2

bibinene03.top

moraass05.top

Signatures

  • CryptBot

    CryptBot is a C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • CryptBot payload 15 IoCs
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 7 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d0d341d2d2f0f61a4c403b88085e3576_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d0d341d2d2f0f61a4c403b88085e3576_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2696
    • C:\Users\Admin\AppData\Local\Temp\sib9BF3.tmp\0\5.exe
      "C:\Users\Admin\AppData\Local\Temp\sib9BF3.tmp\0\5.exe" /s
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Loads dropped DLL
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      PID:2284

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\4NzBdkY1VnkD\VadiTOEcUuJVo.zip
    Filesize

    44KB

    MD5

    eafeccc1518c42eaedb554c6caf5d357

    SHA1

    b80133b8e3b7265a2c692508c2718ef614f52626

    SHA256

    bfacd373f32b7b23aedba31ba3a5a28eb32f741024b68d4ecc7dd024a32876ff

    SHA512

    33af3d29b2b0c1df2db82ac94d72e49a822777013a4f289436ee1c303fb021c837677202e3ced0442e1df8fefecad390bb0f100837116f99ecc9014985be2a61

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\4NzBdkY1VnkD\_Files\_Information.txt
    Filesize

    660B

    MD5

    4c9fd3cf9dc208939cd8e87fbcbed540

    SHA1

    5493ade276be772227d751c04f5d48fbf98b876c

    SHA256

    646c6fbfb93bb006cd8ea1d22a0d14a5aac0ca92e0b3cec023f8a21b33ca1ac5

    SHA512

    c36af62aab8a475632dc2610f66839e23a565d876c8e5e580b37e28c9b6205b32e3745e5df6c5e8ecac46d960b2678aa0259e49bc5b0c2d1ba0d40eb0672bd22

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\4NzBdkY1VnkD\_Files\_Information.txt
    Filesize

    1KB

    MD5

    d0a3430a6abbdff5980d2482cf71d4ba

    SHA1

    928fc2fa1123ddbb80ff608076bffe36ea1356e1

    SHA256

    8b1058fe9621c5789d53d0f7f8ef5432b615426f678ff4d69eea97ede494fe52

    SHA512

    046573edb17b4e72cf03cec520a1fa0931bec45d894f330cd1bc3c2a5354d16b63f73d634eda563e412edd2670b4e1b56a9791ed86caa4cf76dec10146cf3ea6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\4NzBdkY1VnkD\_Files\_Information.txt
    Filesize

    8KB

    MD5

    4e8c303fd5fd227c7ac38a7be8fd18d5

    SHA1

    47af922c6c0b10b0777a54f14969d615cb2d6d99

    SHA256

    430ccb43b40c085b31aed137f000f90675e152f62b153a6b688dbb7bdd1ac305

    SHA512

    d82a4e7fc64e586294785f766e8bd5df8d354da1a9f08923a8d782f66148ddd0a81e83d119185e3398d3ee89adbd7bcedb6a3a2a3f4a70a044909a416880d95a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\4NzBdkY1VnkD\_Files\_Screen_Desktop.jpeg
    Filesize

    51KB

    MD5

    46a7607aad8533e71cde83d520f98604

    SHA1

    538333941f11c6e702d8b70b15354a9371e33558

    SHA256

    4cbbf633b57f1e5e4aba5aad447946bb44f98be3fa5713aba8b2e3a8411edc8c

    SHA512

    f64c27c88497042faeb726c322effceeeba2841b549330a3ace484d7a8bfe86886e0fc04f7c59c0844188dcab7c7bcb09bf5c3af07570d4423b98122ea34acbf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\4NzBdkY1VnkD\files_\system_info.txt
    Filesize

    682B

    MD5

    8179fe5508ce092cbec05217185e490b

    SHA1

    d9abeb4b703cec8f49c0e2b4dd7c9e8386cdd728

    SHA256

    a98cabaf677f9c092d20bda1a2ba25ed3a4260ae4ee0bd5f3bfc0bb3eda6e974

    SHA512

    0c92428e1ead291f41922a111cc5162e610e929e8c24ebed481be6d4e944f8ac12d3282ea9ddf5798ebacebb118f21acc080dcd18382a43ceae4522701b680d5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\4NzBdkY1VnkD\files_\system_info.txt
    Filesize

    1KB

    MD5

    4631f8ce00eb05a9c51521c30a5fa87a

    SHA1

    d2fc7a6fad0eab4741a5047e37b1aa3ebf96ffec

    SHA256

    f9c03425fe96fae95b5be4a8b8b8a457c2818af47f3c7c7ac7bed24fdd388821

    SHA512

    794073f31de51741a95eb900307a30909e6e1ccb5c1562e192b9bbd4ec1d18bf2b7d68ad3d4a6e4533ba1873cb25f327a2339b639d6f754a7833152a5341e0cb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\4NzBdkY1VnkD\files_\system_info.txt
    Filesize

    8KB

    MD5

    e90c52d7bf83beec4921e5c3edec0c4b

    SHA1

    31ca3c74fcaf90bb4cc27dccdde705f64e830b99

    SHA256

    8a03f5375d49cfcbd6e00df451eb04b401461c28d2a28f7a88594dcf597b0bd4

    SHA512

    548edcf006fd011220f74677e3ad798a958ed516125a7369e267272c2eb07878b32607e22e7c740bd9a5032efe10450d3da0bfa1bcc692b6471b744066a56a3a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsd9B56.tmp\Sibuia.dll
    Filesize

    524KB

    MD5

    6a3c3c97e92a5949f88311e80268bbb5

    SHA1

    48c11e3f694b468479bc2c978749d27b5d03faa2

    SHA256

    7938db73242aafbe80915e4ca886d38be9b7e872b93bdae1e8ee6cf4a005b7d9

    SHA512

    6141886a889825ccdfa59a419f7670a34ef240c4f90a83bc17223c415f2fbd983280e98e67485710e449746b5bf3284907537bef6ab698a48954dd4910ddf693

    Download Submit

  • \Users\Admin\AppData\Local\Temp\sib9BF3.tmp\0\5.exe
    Filesize

    2.3MB

    MD5

    08caa80b61ee95e610a26d52820e3efd

    SHA1

    2dd92ecd34ada8962201929310e278346264b6b0

    SHA256

    8d5eb7cd6f951771498f4b92d148d6e1401631765996be53d9fd773589bcf2a0

    SHA512

    65dbc03fcb2762465f8e4448220915e85257a4d370cb14382c45e719cfa3cc2913bc0580b28d69f0ad380e5cf3a9afbcac207d59f3253e5ec6124b2495f69bdc

    Download Submit

  • \Users\Admin\AppData\Local\Temp\sib9BF3.tmp\SibClr.dll
    Filesize

    51KB

    MD5

    5ea6d2ffeb1be3fc0571961d0c4c2b5f

    SHA1

    902dfe9ae735c83fb0cb46b3e110bbf2aa80209e

    SHA256

    508336b6a7c3226738e74f6ce969e828da904ad9f7610b9112f883a316ee9222

    SHA512

    e81657087f451a37f06a07bf84175117fdaf75d5d8b84cbdc49497fcf88f96e259074518ea3037680d27c9eaeebd7a8df496297593fead88d7edea202a572585

    Download Submit

  • memory/2284-263-0x0000000001290000-0x00000000017D2000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/2284-255-0x0000000001290000-0x00000000017D2000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/2284-31-0x00000000009B0000-0x0000000000EF2000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/2284-35-0x0000000001291000-0x00000000012EC000-memory.dmp

    Filesize

    364KB

    Download

  • memory/2284-34-0x0000000077BC0000-0x0000000077BC2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2284-285-0x0000000001290000-0x00000000017D2000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/2284-283-0x0000000001290000-0x00000000017D2000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/2284-281-0x0000000001290000-0x00000000017D2000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/2284-33-0x00000000009B0000-0x0000000000EF2000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/2284-27-0x0000000001290000-0x00000000017D2000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/2284-279-0x0000000001290000-0x00000000017D2000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/2284-276-0x0000000001290000-0x00000000017D2000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/2284-274-0x0000000001290000-0x00000000017D2000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/2284-272-0x0000000001290000-0x00000000017D2000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/2284-269-0x0000000001290000-0x00000000017D2000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/2284-32-0x00000000009B0000-0x0000000000EF2000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/2284-256-0x0000000001290000-0x00000000017D2000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/2284-258-0x0000000001290000-0x00000000017D2000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/2284-260-0x0000000001290000-0x00000000017D2000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/2284-267-0x0000000001290000-0x00000000017D2000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/2284-265-0x0000000001290000-0x00000000017D2000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/2696-18-0x0000000074500000-0x0000000074BEE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2696-10-0x000000007450E000-0x000000007450F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2696-254-0x000000001D080000-0x000000001D5C2000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/2696-252-0x0000000074500000-0x0000000074BEE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2696-251-0x000000007450E000-0x000000007450F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2696-24-0x000000001D080000-0x000000001D5C2000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/2696-14-0x0000000002930000-0x0000000002942000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2696-15-0x000000000EC60000-0x000000000ED1A000-memory.dmp

    Filesize

    744KB

    Download

  • memory/2696-16-0x0000000074500000-0x0000000074BEE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2696-17-0x0000000074500000-0x0000000074BEE000-memory.dmp

    Filesize

    6.9MB

    Download