Extracted

• • Target

    f684fced30a37b2326a512579f5cc27e_JaffaCakes118

  • Size

    4.4MB

  • MD5

    f684fced30a37b2326a512579f5cc27e

  • SHA1

    4ac631356b4383b01037ce5fc626981b2a033993

  • SHA256

    37592e4c0b1ed1f83461dc3c76091a60a76bd527026ee5563bc0ea7da02771f5

  • SHA512

    5092c8373038a8205c18d8f94b0b31249abe3ac4f7e938219513eef9589ab1a47a2decc2753263117282a1e19b5257c6bd9af2c61eccc01ec4c93e9698be9627

  • SSDEEP

    98304:dAUb2mh5bAvwspQqTDLqhr6+JaEPnjFDsHZpenABfal2BWRFHKuTeR9x:dymXbAZ2u8L8E7FI5KABicWRFdT+

  Score

  10^/10

  cryptbotdiscoveryevasionspywarestealer

  • CryptBot

    CryptBot is a C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Blocklisted process makes network request

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2

• • Target

    $PLUGINSDIR/System.dll

  • Size

    11KB

  • MD5

    bf712f32249029466fa86756f5546950

  • SHA1

    75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

  • SHA256

    7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

  • SHA512

    13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

  • SSDEEP

    192:0N2gQuUwXzioj4KALV2upWzVd7q1QDXEbBZ8KxHdGzyS/Kx:rJoiO8V2upW7vQjS/

  Score

  3^/10

  discovery
  behavioral3behavioral4

• • Target

    $PLUGINSDIR/UAC.dll

  • Size

    14KB

  • MD5

    adb29e6b186daa765dc750128649b63d

  • SHA1

    160cbdc4cb0ac2c142d361df138c537aa7e708c9

  • SHA256

    2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

  • SHA512

    b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

  • SSDEEP

    192:DiF6v2imI36Op/tGZGfWxdyWHD0I53vLl7WVl8e04IpDlPjs:DGVY6ClGoWxXH75T1WVl83lLs

  Score

  3^/10

  discovery
  behavioral5behavioral6

• • Target

    $PLUGINSDIR/UserInfo.dll

  • Size

    4KB

  • MD5

    c7ce0e47c83525983fd2c4c9566b4aad

  • SHA1

    38b7ad7bb32ffae35540fce373b8a671878dc54e

  • SHA256

    6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae

  • SHA512

    ee9f23ea5210f418d4c559628bbfb3a0f892440bcd5dc4c1901cb8e510078e4481ea8353b262795076a19055e70b88e08fee5fb7e8f35a6f49022096408df20e

  Score

  3^/10

  discovery
  behavioral7behavioral8

• • Target

    $PLUGINSDIR/nsDialogs.dll

  • Size

    9KB

  • MD5

    4ccc4a742d4423f2f0ed744fd9c81f63

  • SHA1

    704f00a1acc327fd879cf75fc90d0b8f927c36bc

  • SHA256

    416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6

  • SHA512

    790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb

  • SSDEEP

    192:SbEunjqjIcESwFlioU3M0LLF/t8t9pKSfOi:SbESjFCw6oWPFl8jfOi

  Score

  3^/10

  discovery
  behavioral10behavioral9

• • Target

    $PLUGINSDIR/nsExec.dll

  • Size

    6KB

  • MD5

    132e6153717a7f9710dcea4536f364cd

  • SHA1

    e39bc82c7602e6dd0797115c2bd12e872a5fb2ab

  • SHA256

    d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2

  • SHA512

    9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

  • SSDEEP

    96:M/SspqrIYxLPEQhThvov3TE4/2Sa5P9QFFYzOx4uF3sbSEI5LP39sQvM:M/QUG7lhvov36S5FcUjliSEI5LuQ

  Score

  3^/10

  discovery
  behavioral11behavioral12

• • Target

    $PROGRAMFILES/Ferr/SEDA/TAP-Windows/bin/addtap.bat

  • Size

    114B

  • MD5

    ebb2c28da7de8436995509782ac63c4c

  • SHA1

    7d693538baa80ce6938f0400bdc16f9b035baee9

  • SHA256

    effe5c5c2cf6547a54f987fef6f052a234770b4fcfae277cf6089daa896bcd5f

  • SHA512

    021098b1d9f4b987b85be073bc1a6a7ee3336c88d54770d64fc77b74ca74ec459f89fbd65a6fba3efa4f6da7cc852784e9ea391189831f565d64e65a437fc7f5

  Score

  3^/10

  discovery
  behavioral13behavioral14

• • Target

    $PROGRAMFILES/Ferr/SEDA/TAP-Windows/bin/deltapall.bat

  • Size

    177B

  • MD5

    70850be8dc81d8f8c36da0e754df0a46

  • SHA1

    fe7766e67239e26f6cee866cb9a93341e33f0e4d

  • SHA256

    1be66390df9e302b38553432731a244e65f745d31e6424c88091326fb3ea92d7

  • SHA512

    f15a3ce91ceb663a0369054e06647471591ba54ed40e0f6dd549069a0c4e30aefd590c9a18a90d80d35af4fcd45e49d89a259606cf7ee23fa976c61f88a0066b

  Score

  3^/10

  discovery
  behavioral15behavioral16

• • Target

    $PROGRAMFILES/Ferr/SEDA/TAP-Windows/bin/devcon.exe

  • Size

    80KB

  • MD5

    3904d0698962e09da946046020cbcb17

  • SHA1

    edae098e7e8452ca6c125cf6362dda3f4d78f0ae

  • SHA256

    a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289

  • SHA512

    c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea

  • SSDEEP

    1536:MP2K0pa0WfEYp9Y/XQhpgnbP212YCJpDhiF4O7W:MePOYe4bu1epDh8RW

  Score

  1^/10
  behavioral17behavioral18

• • Target

    $PROGRAMFILES/Ferr/SEDA/TAP-Windows/bin/tapinstall.exe

  • Size

    85KB

  • MD5

    bc2eb9be84d65e600bb4baebfc0d6c74

  • SHA1

    dffa04b9399b8742e1536c5942b43df58a42980a

  • SHA256

    5c6aae8c345e5eda7185cabafcf9270ef3d73f198290842654d8916f8321b150

  • SHA512

    ae382b3aac40e17f5daa4d952d85656d29791f857a97de91197c85049e31cef924723875c6616f598696445bea967788c89cfdb7cd35ed772bce3d6a1fd71e7b

  • SSDEEP

    768:AeFpBuMKzLkfKI4hHZv4zS5bhkt4JlX82BSOe9oKSJ2SLD0BEZWk3zoMrrKgp:TBuMN4VFESvkt4nXF4O7WcBvT

  Score

  3^/10

  discovery
  behavioral19behavioral20

• • Target

    $PROGRAMFILES/Ferr/SEDA/TAP-Windows/driver/tap0901.sys

  • Size

    22KB

  • MD5

    f49967c396969b71c3a72537db03a68b

  • SHA1

    f59d3a5d2afd85fbb9fb36f1411c767be2bf96cf

  • SHA256

    3b1ff5252012d6e8a7dd6e4621ec43812510dca1a25a9a2e07288800f445dd41

  • SHA512

    cda4269b5a13e573469b3e3a75432117079c65279e06322519af704a80862e43bceb4cc9d6352dd19db00bb10d10f64b02eee6c5dc29f56fa5f99c89823a62e3

  • SSDEEP

    384:NumNz7O8/AvUAvm/wMWJ4pdsfH1aJhjJvjiissrisprwEYBu:QmNxAYB9zKal75pwZBu

  Score

  1^/10
  behavioral21behavioral22

• • Target

    Setup.exe

  • Size

    2.2MB

  • MD5

    5eb17e5dffb7b83860fd650aa83d287a

  • SHA1

    a94f2e71df2d64c2a183355c04660c485c7bd35b

  • SHA256

    7fedad524e84d0d632b6cbf7ce6203531ef113894a0f78539ba41752c955e287

  • SHA512

    8aced1ecc6936e91a1332aafedac23b630a86a107bddfb7e1bc6553cefe7ed2b26b869f0043f02fe28476044c742212c80d03f45324df43c7d5f2e47c7f95069

  • SSDEEP

    49152:RuVVoL/ZQ5oKxqtzDg5t0F6bEM/VcJLY7N6uNr0sJRCFhKqhQNY/f9sZfi/ZqAv:Rzy+PIt1Es+LY7guNginN+f4fi/ZqAv

  Score

  10^/10

  cryptbotdiscoveryevasionspywarestealer

  • CryptBot

    CryptBot is a C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral23behavioral24

• • Target

    Setupres.exe

  • Size

    2.1MB

  • MD5

    6b3ee749de5e30937bc579153bb6fad9

  • SHA1

    2930bd698db16026e5b2bb746fd87d52089c5521

  • SHA256

    ec341ae659732f47c47ac51e26f79d248cd7f45bb29d439536d92a20b5fae131

  • SHA512

    21b8a2b45ddb16883374bc7a2c2f407b7b6eab6e043c2f4995d5bce795c9e8fffae06ba776a0a0e918a00a4e8ea43cc894b23076d475579c3bb47247c145d659

  • SSDEEP

    49152:GirL1eDAURsO5pYeMnFOfyywlMh3eAPZJwLWQj0StQ:PeDAOzYPFEyll8LPXgVtQ

  Score

  9^/10

  discoveryevasion

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral25behavioral26

• • Target

    ipras.vbs

  • Size

    126B

  • MD5

    b802ff9244875f69db2fae0f78e92b10

  • SHA1

    49385a89cd575894a29fbda969b99cc1f5cf8076

  • SHA256

    a1b0cb16fb2ecd66fccf156024404801ad694056e8a596326c1b27b57d8eabe8

  • SHA512

    609856415a7ae2b3e260f945f1c8a8d2a28884c202d37181bea948708918f24b42ae03f17dba1520fddc91b2f7a182b0b8f885f33ea6f81bb3ee4c72e4e9350e

  Score

  8^/10

  • Blocklisted process makes network request

  • Legitimate hosting services abused for malware hosting/C2

  behavioral27behavioral28

• • Target

    ssleay32.dll

  • Size

    370KB

  • MD5

    50a26f0247c1321fd19c0981337fbde8

  • SHA1

    9cdd51843bd7694da571e0a6cd7350aa494f9ac3

  • SHA256

    24235653e41540567bca708e0d5ef02034f88940eeedcd480167a00dd1250656

  • SHA512

    440cf92524e21e9dc1d92f45a8fbd566f0eeec597e0f52a235847879bdd4806ac219b592aaec9976620082b2d8d5690d432e1a45b0df035b18404453530855d9

  • SSDEEP

    6144:AlvshwnbLc7xRpLIOmvsD4gZAEMM06I5sF51L103WiV8JV+OPG/JVNr5qNRyZtrA:Al0LuEMM06IGF5UmiqJpPOp/cVmXEfcc

  Score

  3^/10

  discovery
  behavioral29behavioral30