Analysis

max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/09/2024, 09:27

Static task: static1
Behavioral task: behavioral1
Sample: ed4c7afb6f5313c21dff7d5e82cd336d_JaffaCakes118.exe
Resource: win10v2004-20240802-en
General

Target: ed4c7afb6f5313c21dff7d5e82cd336d_JaffaCakes118.exe
Size: 1.6MB
MD5: ed4c7afb6f5313c21dff7d5e82cd336d
SHA1: 89bf720908032564dc214f96f443b6cfe7ed9852
SHA256: fecbe8e5d8910afd9f194e553de108b17085fa3e3ce5bf4986833359b538852a
SHA512: 5288b3fde5500a9b7def97e0eae3be41b81db12a28885d516a67c5e63068f0d37aba0924d840523b4339908a4451010726b836610c5ae2a6cdaeda37900c8ba6
SSDEEP: 24576:fMB6KAGPVTCwXCjcQg4o68pabOU8R7EnPA8UTkYLCzb7HIQvsbU8C:UBvAoVmOVDb68IzMInIdTkDbfvuE
Malware Config

Signatures

CryptBot payload (3 IoCs)
  resource | yara_rule
  behavioral1/memory/668-23-0x0000000004500000-0x00000000045E3000-memory.dmp | family_cryptbot
  behavioral1/memory/668-25-0x0000000004500000-0x00000000045E3000-memory.dmp | family_cryptbot
  behavioral1/memory/668-24-0x0000000004500000-0x00000000045E3000-memory.dmp | family_cryptbot
Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
  Malicious access to, or copy of, a web browser credential store.

Manipulates Digital Signatures (1 TTPs, 3 IoCs)
  Attackers can apply techniques such as changing the Authenticode and Cryptography registry keys so that their binary is treated as valid.
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL" | certutil.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION" | certutil.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION" | certutil.exe
Executes dropped EXE (2 IoCs)
  pid | Process
  2676 | Dov.com
  668 | Dov.com
Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Unsecured Credentials: Credentials In Files (1 TTPs)
  Steal credentials from unsecured files.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | ed4c7afb6f5313c21dff7d5e82cd336d_JaffaCakes118.exe
Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Deobfuscate/Decode Files or Information
  pid | Process
  2904 | certutil.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 9 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ed4c7afb6f5313c21dff7d5e82cd336d_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dov.com
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dov.com
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | findstr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | certutil.exe
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 1 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  pid | Process
  1212 | PING.EXE

Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Dov.com
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Dov.com

Runs ping.exe (1 TTPs, 1 IoCs)
  pid | Process
  1212 | PING.EXE

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | Process
  668 | Dov.com
  668 | Dov.com

Suspicious use of WriteProcessMemory (24 IoCs)
  description | pid | Process | procid_target
  PID 4828 wrote to memory of 4232 | 4828 | ed4c7afb6f5313c21dff7d5e82cd336d_JaffaCakes118.exe | 82
  PID 4828 wrote to memory of 4232 | 4828 | ed4c7afb6f5313c21dff7d5e82cd336d_JaffaCakes118.exe | 82
  PID 4828 wrote to memory of 4232 | 4828 | ed4c7afb6f5313c21dff7d5e82cd336d_JaffaCakes118.exe | 82
  PID 4828 wrote to memory of 2400 | 4828 | ed4c7afb6f5313c21dff7d5e82cd336d_JaffaCakes118.exe | 84
  PID 4828 wrote to memory of 2400 | 4828 | ed4c7afb6f5313c21dff7d5e82cd336d_JaffaCakes118.exe | 84
  PID 4828 wrote to memory of 2400 | 4828 | ed4c7afb6f5313c21dff7d5e82cd336d_JaffaCakes118.exe | 84
  PID 2400 wrote to memory of 4680 | 2400 | cmd.exe | 86
  PID 2400 wrote to memory of 4680 | 2400 | cmd.exe | 86
  PID 2400 wrote to memory of 4680 | 2400 | cmd.exe | 86
  PID 4680 wrote to memory of 2760 | 4680 | cmd.exe | 89
  PID 4680 wrote to memory of 2760 | 4680 | cmd.exe | 89
  PID 4680 wrote to memory of 2760 | 4680 | cmd.exe | 89
  PID 4680 wrote to memory of 2904 | 4680 | cmd.exe | 90
  PID 4680 wrote to memory of 2904 | 4680 | cmd.exe | 90
  PID 4680 wrote to memory of 2904 | 4680 | cmd.exe | 90
  PID 4680 wrote to memory of 2676 | 4680 | cmd.exe | 91
  PID 4680 wrote to memory of 2676 | 4680 | cmd.exe | 91
  PID 4680 wrote to memory of 2676 | 4680 | cmd.exe | 91
  PID 4680 wrote to memory of 1212 | 4680 | cmd.exe | 92
  PID 4680 wrote to memory of 1212 | 4680 | cmd.exe | 92
  PID 4680 wrote to memory of 1212 | 4680 | cmd.exe | 92
  PID 2676 wrote to memory of 668 | 2676 | Dov.com | 93
  PID 2676 wrote to memory of 668 | 2676 | Dov.com | 93
  PID 2676 wrote to memory of 668 | 2676 | Dov.com | 93
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\ed4c7afb6f5313c21dff7d5e82cd336d_JaffaCakes118.exe (PID 4828)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ed4c7afb6f5313c21dff7d5e82cd336d_JaffaCakes118.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Windows\SysWOW64\cmd.exe (PID 4232)
    Command line: cmd /c IlzHyPgZ
    - System Location Discovery: System Language Discovery

  Depth 2: C:\Windows\SysWOW64\cmd.exe (PID 2400)
    Command line: cmd /c cmd < Cuori.vssm
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Windows\SysWOW64\cmd.exe (PID 4680)
      Command line: cmd
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      Depth 4: C:\Windows\SysWOW64\findstr.exe (PID 2760)
        Command line: findstr /V /R "^KUoEBHCMiYpopnQGPhEjiJJyoDQFPEgmqUfcHUUEsBGljdJtStLAwKjqlecXQWWCJJogocZVzZVFrmTSUMMLTOnfHgkEmWOxFrACoxVbtQu$" Hai.eps
        - System Location Discovery: System Language Discovery

      Depth 4: C:\Windows\SysWOW64\certutil.exe (PID 2904)
        Command line: certutil -decode Rivederla.xll r
        - Manipulates Digital Signatures
        - Deobfuscate/Decode Files or Information
        - System Location Discovery: System Language Discovery

      Depth 4: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Dov.com (PID 2676)
        Command line: Dov.com r
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        Depth 5: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Dov.com (PID 668)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Dov.com r
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Checks processor information in registry
          - Suspicious use of FindShellTrayWindow

      Depth 4: C:\Windows\SysWOW64\PING.EXE (PID 1212)
        Command line: ping 127.0.0.1 -n 30
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
Network

MITRE ATT&CK Enterprise v15

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
  Deobfuscate/Decode Files or Information (1)
  Modify Registry (1)
  Subvert Trust Controls (1)
    SIP and Trust Provider Hijacking (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (4)
    Credentials In Files (4)
Downloads

Filesize: 100KB
MD5: 48fc5df4b5d13cb03b387cfc3330bb7e
SHA1: 7fd1af95c1cdd7905303e5fe48ddf49a52949c19
SHA256: fceefb42f8b00ffeb91c4bed145b1535f6c3c6a6877b10ea6a2b02d35862e875
SHA512: 7f73209b7a09af40e284feecde82008d8cb2856fac88c0c92afb7dfd2e45d83aee3381e9ab44cfbf1af18bf4421071b81b6193394fd9fcb729d0e5ed71e099d7

Filesize: 921KB
MD5: 78ba0653a340bac5ff152b21a83626cc
SHA1: b12da9cb5d024555405040e65ad89d16ae749502
SHA256: 05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
SHA512: efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Filesize: 888KB
MD5: 0ee61ffe28c99c5c20a79657fd417eb5
SHA1: dffc49856cbb46be791f2718bc698d27c301bb6c
SHA256: 6d27cd28953fb629edf1c5149a4f4ff2fa31f08d097897be9573d5cc79d59dfe
SHA512: 57c7a2f856546ff736789eba07aeeb2cf5ed9a4b1bf4257f0a25c5906fba3f7ef2218322f95b7a4ad846321835d3981bf654c57a55d1658e4a312d879ea0372d

Filesize: 921KB
MD5: 23b4013f4e7f7376f60cf5c77c230806
SHA1: 2ea20cce8408590c1f82d933dccafea2a0124a64
SHA256: c0bd1e5073ee6d41b2474772465d7bc44f356cebbdb5a7b7adfa93331feb648a
SHA512: 698a096d389a68e831e4f7b183367962c7dccd9cb9d49d94b0b41712754981c711c9b3e93cacda74783b5d9ae2154395133124e241019ec231a61b27ed8a90ce

Filesize: 439KB
MD5: 4a90b3241e5b9515dc2cd8ba94f520f2
SHA1: b1e47d3d1f31d45b61f3bbc390afc90796f2d132
SHA256: 420befdcc9129772c24e6f24c5f9bce595fe1b09eb8b774c2cf448007dc15c51
SHA512: 4406f3bedba2e4ee6482853730bee225b78a9c9f665afb323acc94f83d380cbdb28340c10b696a10a2607acf45c17a0fd4514457818f23eff5e66f78ecf91a50

Filesize: 317KB
MD5: bf68de35909e11b7d601b44f732707f7
SHA1: d9bfe81b6f9b2b0743b9a868f2952948acc114f3
SHA256: 3315dfb5f740dfc50d5807529d5a538274d56d215b8f07289f70f04d14ac2233
SHA512: cca962149a855280998d9d137ede3f361d3873857556c60914bcfc908c61ea2fb8faf4e6d7fbef39f8a82d015be9388b3d52e8d0e59bee0092242b22459fe865

Filesize: 7KB
MD5: 38bb30f40a9693a0de452c9f434ea4f6
SHA1: bce091976a400055a5ee3c04ad520e75a3d5aaa0
SHA256: d5a1361723b52f9d7c23448d6e1601897ab64ddd14917c5974d273e7ac283406
SHA512: e16e22ce1ca9d861dafd9c94d222a5f6021321be5536032c402481e9eb352768cce5815cd805e478c8cda64ebfa4ac33222137f9a574e2b7114da16b20030122

Filesize: 7KB
MD5: 88e82e650ec4f8f1fedafae754d881f1
SHA1: 9c5ebd0448012f41370d33b161c0ba6a1846830d
SHA256: f2265114cb7dee332361252e5b8a1a54bf1bc5cbd735240b43e975a1c1f307ac
SHA512: a89823e36b2bf0c02d41765492d2024876bf5e75b4c5104478067db758452f886b7ed40db5d83148444387c3b3a63b0152053c820a1a4a8bbadfb05a5e94e2ba

Filesize: 52KB
MD5: 70a47a0cf0107538da71b6161139d97d
SHA1: b630e2162070961e9ba6e64605ab23d5cb88c451
SHA256: 006f0e4892b30a0e7c4acf8136d86b2f8f529f20d02a7694e67f6265c8c9fda9
SHA512: 5c196570dd1896a355649914a93bd841c30a0de18cc7e1e82c6acbafdbe682026527dcb50244e2b05ca4260ae8a7f61b5e857f0c0d5766a737892112fcbbd32c

Filesize: 1KB
MD5: 2d8085b723e2517082566ddc193a5712
SHA1: c54a1619b714cc001f9d3fdbd9b32e318bf78d30
SHA256: f95a1f947d442a28e1f99abcc4db66d9fe9a664efa87dcca42dcfad6e8949ad3
SHA512: efd017d29678f27ed83726b4f5b8f82bf5a399a65024b7244321a86123a4ff57e63f8aae998a3acfd8ba1281d17d3b26fcdf2d193bf5d4e639494353bbbf5352

Filesize: 7KB
MD5: 1a33dfc1c7f27db9345965bc29bfaf93
SHA1: 3626998e54c75de5cd5ee8bc7585bc3613ab7d54
SHA256: ff114c564952aa258f04ae7db5367af4dd073352fdad08c3b2b2b463f15e1345
SHA512: 7301975f16a538353278b82251ef730be934683fdbcbeceded9ec1362135c701f827cedcd2c014bf98678bb7d644544cc802fe917ef6791ea54c30497a194ef3

Filesize: 47KB
MD5: fb4ac6a23d1cd464be47088ac7a4d487
SHA1: 9559326d917d9afe7c824f64cad67cfb1270c845
SHA256: 7fffd2d2b9d1f8fb592e6bb2150671ae38e4162bde9ad1f423944b78c1ed7a1a
SHA512: f6cb1b10f28a3ca31b020f2e1a9f1040d4fa18f123581f8bbc55d95717a048070c664310f671fff590d5cf05db5ce96848b391304f4d19e9f7206c6101e163f0