Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-09-2024 07:04

General

  • Target

    f7d357ad02e19287fbfdd8fc138a3662_JaffaCakes118.exe

  • Size

    2.0MB

  • MD5

    f7d357ad02e19287fbfdd8fc138a3662

  • SHA1

    88ddb3cd546a4751d57fade705264d2b575ff35a

  • SHA256

    848ebc63155b66409cd11733c08ab85b1886009dfa895c7dc56c63079d23125f

  • SHA512

    873a7203e7c4ea6fdde068ab6d38d0355ea68820388bd92c33119082155d36d13f4cbbbc90aab9f1b4c4533e303e1b174b84c5f5bfe65dd2fbe154d13011abd4

  • SSDEEP

    49152:lG2PzG4mPIy8w8HU1fMZBYrKZzjsOA/D0JOssWpl:vPK4mPGw8HUVWBYrK1jOQ8Wp

Malware Config

Extracted

Family

cryptbot

C2

bibinene01.top

moraass05.top

Signatures

  • CryptBot

    CryptBot is a C++ infostealer, widely distributed bundled with other software.

  • CryptBot payload 15 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
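The registry-based checks in the signature list above (VirtualBox ACPI tables, BIOS strings, Wine keys, processor strings and the Uninstall key) can be turned into a detection over a process's registry-access trace. The following is an added example, not code from the report or from the sandbox. The registry paths are an assumption: they are the keys these checks commonly read, since the report does not show the exact keys the sample touched. The trace lines are constructed. NtSetInformationThreadHideFromDebugger is an API call rather than a registry read and is out of scope here.

```python
"""Flag sandbox/VM-detection registry reads in a per-process registry trace.

Added example, not part of the sandbox report. Registry paths are assumptions:
they are the keys such checks commonly read, not keys the report lists.
"""
import re
from collections import defaultdict

# Signature name (as in the report) -> registry paths assumed to trigger it.
ANTI_ANALYSIS_KEYS = {
    "Identifies VirtualBox via ACPI registry values": [
        r"HKLM\HARDWARE\ACPI\DSDT\VBOX__",
        r"HKLM\HARDWARE\ACPI\FADT\VBOX__",
        r"HKLM\HARDWARE\ACPI\RSDT\VBOX__",
    ],
    "Checks BIOS information in registry": [
        r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
        r"HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion",
    ],
    "Identifies Wine through registry keys": [
        r"HKCU\Software\Wine",
        r"HKLM\Software\Wine",
    ],
    "Checks processor information in registry": [
        r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0",
    ],
    "Checks installed software on the system": [
        r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    ],
}

# One case-insensitive matcher per signature; re.escape keeps the backslashes literal.
_MATCHERS = {
    sig: re.compile("|".join(re.escape(p) for p in paths), re.IGNORECASE)
    for sig, paths in ANTI_ANALYSIS_KEYS.items()
}

# Constructed trace lines in the form pid|api|path (sample data, not from the report).
SAMPLE_TRACE = [
    r"2756|RegOpenKeyExW|HKLM\HARDWARE\ACPI\DSDT\VBOX__",
    r"2756|RegQueryValueExW|HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    r"2756|RegOpenKeyExW|HKCU\Software\Wine",
    r"2756|RegQueryValueExW|HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString",
    r"2756|RegOpenKeyExW|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    r"1120|RegQueryValueExW|HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
    r"1120|RegOpenKeyExW|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
]


def parse_trace(lines):
    """Yield (pid, api, path) tuples; skip blank or malformed lines."""
    for line in lines:
        parts = line.strip().split("|", 2)
        if len(parts) == 3 and parts[0].isdigit():
            yield int(parts[0]), parts[1], parts[2]


def scan_trace(lines):
    """Return {pid: set of signature names} for every matching registry access."""
    hits = defaultdict(set)
    for pid, _api, path in parse_trace(lines):
        for sig, rx in _MATCHERS.items():
            if rx.search(path):
                hits[pid].add(sig)
    return dict(hits)


def suspicious_pids(hits, threshold=3):
    """Installers and inventory agents legitimately walk the Uninstall key, so a
    single hit is noise; several distinct environment checks from one process
    is the stealer pattern the report shows for PID 2756."""
    return sorted(pid for pid, sigs in hits.items() if len(sigs) >= threshold)


if __name__ == "__main__":
    found = scan_trace(SAMPLE_TRACE)
    for pid in suspicious_pids(found):
        print(f"PID {pid}:")
        for sig in sorted(found[pid]):
            print(f"  - {sig}")
```

Registry reads are not recorded by Sysmon, so in production this trace would come from a sandbox API monitor or an EDR/ETW registry feed; the aggregation threshold is what separates the stealer from an installer that only enumerates Uninstall.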

Processes

  • C:\Users\Admin\AppData\Local\Temp\f7d357ad02e19287fbfdd8fc138a3662_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\f7d357ad02e19287fbfdd8fc138a3662_JaffaCakes118.exe"
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    PID:2756

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\PZs4wRp\ZNF3ttu0Hwr.zip

    Filesize

    38KB

    MD5

    9f35f78f0ec8a69db22dc53e83a2c939

    SHA1

    bc1664542affb7d48ef62c7de5c0a4402a3856a2

    SHA256

    662c80264a817cbd1db995d85e7c84f465f26735af574941fa41502be4d390f3

    SHA512

    92455e365d727d5dd1b21a1428fed1cc20c0cefb4fcc8cf9f5b0e323922981dc7f3cb08bbbddc74fee6471a2d44b24c7ca1da1e42b707834ea5d36cc7fda2b43

  • C:\Users\Admin\AppData\Local\Temp\PZs4wRp\_Files\_Information.txt

    Filesize

    722B

    MD5

    f6e8d312543f14ef66b4c54d1af62db3

    SHA1

    57e56691b3c8a771a7a37c5040e05af33e25d62b

    SHA256

    ff6addd597e228eac9b7486b8983b7226425879839b56958dd53655653d8f966

    SHA512

    e15b08f78c1a913fbdb7892c1ca1628a2433a80d7d6af360978e226aa290432879ccb5c1e123f3dd4c450117b0977c504fabd6293151070502c7cc298e087343

  • C:\Users\Admin\AppData\Local\Temp\PZs4wRp\_Files\_Information.txt

    Filesize

    8KB

    MD5

    ff953366faf96bde84ecfbaca6a5cdcc

    SHA1

    e945e5d5d36f3494f53b4d5206ac601ce49522e1

    SHA256

    c5dd1b25b75c0bdf41381b78c1bed18e273ef14868d089600a086cb1ad8ec95c

    SHA512

    98f5e3b717e14488bc5d6bf5eeae38ae7a540fea79aa4d502ea0e51e1e0028fb5dea36bd6d42b200169238be8f87a97b9737020e39078e444aae576b50717287

  • C:\Users\Admin\AppData\Local\Temp\PZs4wRp\_Files\_Screen_Desktop.jpeg

    Filesize

    45KB

    MD5

    6f17fc0964cd5086065b98b5cd541e1d

    SHA1

    6e04c46c548b5f3a742abd9199790cbaf8c89978

    SHA256

    a14fd8f23ad8a57feb10969322d8619fa335a753f150f0be2fd8b2664e3ab912

    SHA512

    182f79406cf3f86f357ef62b513bbb5beb70b13059ec0965758c50daa351867dcb7df4ef1621f6e1dd22f4d165685469f8e889087461d44fdcaf82b231235d71

  • C:\Users\Admin\AppData\Local\Temp\PZs4wRp\files_\system_info.txt

    Filesize

    8KB

    MD5

    7e2a4943b99db67f48fb5db3562f5c74

    SHA1

    8e0d48229dd2912075bcc3f6c5c8c0e64285bd6e

    SHA256

    78702c658e8217142dd28fa78276a974ca4fbbf17af15388a2cc553a9f6a0ff5

    SHA512

    5063e558cce75a16bce1492838fa3eeeb2e5bf42d78750622977c017c0ce5189976a972c9062d5df96d6cefd2b268910ba9a7338b59ed8579611723736f09c2c

  • memory/2756-228-0x0000000000F40000-0x0000000001447000-memory.dmp

    Filesize

    5.0MB

  • memory/2756-230-0x0000000000F40000-0x0000000001447000-memory.dmp

    Filesize

    5.0MB

  • memory/2756-5-0x0000000000E50000-0x0000000000E52000-memory.dmp

    Filesize

    8KB

  • memory/2756-4-0x0000000076F30000-0x0000000076F32000-memory.dmp

    Filesize

    8KB

  • memory/2756-1-0x0000000001450000-0x0000000001957000-memory.dmp

    Filesize

    5.0MB

  • memory/2756-3-0x0000000001450000-0x0000000001957000-memory.dmp

    Filesize

    5.0MB

  • memory/2756-223-0x0000000000F40000-0x0000000001447000-memory.dmp

    Filesize

    5.0MB

  • memory/2756-224-0x0000000001450000-0x0000000001957000-memory.dmp

    Filesize

    5.0MB

  • memory/2756-226-0x0000000000F40000-0x0000000001447000-memory.dmp

    Filesize

    5.0MB

  • memory/2756-0-0x0000000000F40000-0x0000000001447000-memory.dmp

    Filesize

    5.0MB

  • memory/2756-2-0x0000000001450000-0x0000000001957000-memory.dmp

    Filesize

    5.0MB

  • memory/2756-6-0x0000000000F41000-0x0000000000F9C000-memory.dmp

    Filesize

    364KB

  • memory/2756-233-0x0000000000F40000-0x0000000001447000-memory.dmp

    Filesize

    5.0MB

  • memory/2756-235-0x0000000000F40000-0x0000000001447000-memory.dmp

    Filesize

    5.0MB

  • memory/2756-237-0x0000000000F40000-0x0000000001447000-memory.dmp

    Filesize

    5.0MB

  • memory/2756-240-0x0000000000F40000-0x0000000001447000-memory.dmp

    Filesize

    5.0MB

  • memory/2756-242-0x0000000000F40000-0x0000000001447000-memory.dmp

    Filesize

    5.0MB

  • memory/2756-245-0x0000000000F40000-0x0000000001447000-memory.dmp

    Filesize

    5.0MB

  • memory/2756-247-0x0000000000F40000-0x0000000001447000-memory.dmp

    Filesize

    5.0MB

  • memory/2756-249-0x0000000000F40000-0x0000000001447000-memory.dmp

    Filesize

    5.0MB

  • memory/2756-252-0x0000000000F40000-0x0000000001447000-memory.dmp

    Filesize

    5.0MB

  • memory/2756-254-0x0000000000F40000-0x0000000001447000-memory.dmp

    Filesize

    5.0MB

  • memory/2756-260-0x0000000000F40000-0x0000000001447000-memory.dmp

    Filesize

    5.0MB
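The Downloads list shows the stealer's exfiltration staging: a directory under %TEMP% holding _Files\_Information.txt, _Files\_Screen_Desktop.jpeg and files_\system_info.txt, with a zip archive next to them. The screenshot and system-info contents are victim-specific, so their hashes are not reusable indicators; the fixed file names, the layout and the C2 domains from the Malware Config section are. The following is an added example, not the report's or the sandbox's code: it matches constructed file-write and DNS events against those indicators. That the directory name (PZs4wRp) and the zip name (ZNF3ttu0Hwr.zip) vary per run is an assumption based on their form here.

```python
"""Match this report's staging layout and C2 domains against constructed
file-write and DNS events. Added example, not code from the report.
"""
import re
from collections import defaultdict

# From the report's Malware Config section.
C2_DOMAINS = {"bibinene01.top", "moraass05.top"}

# Fixed relative paths under the %TEMP% staging directory, from the Downloads
# section. The directory and zip names are assumed to vary per run, so they
# are not matched literally.
STAGED_FILES = {
    r"_Files\_Information.txt",
    r"_Files\_Screen_Desktop.jpeg",
    r"files_\system_info.txt",
}

# group(1) = ...\AppData\Local\Temp\<one directory>, group(2) = path inside it.
TEMP_STAGING = re.compile(r"^(.*\\AppData\\Local\\Temp\\[^\\]+)\\(.+)$", re.IGNORECASE)

# Constructed file-write events; the first four mirror the report's Downloads list.
SAMPLE_FILE_WRITES = [
    r"C:\Users\Admin\AppData\Local\Temp\PZs4wRp\ZNF3ttu0Hwr.zip",
    r"C:\Users\Admin\AppData\Local\Temp\PZs4wRp\_Files\_Information.txt",
    r"C:\Users\Admin\AppData\Local\Temp\PZs4wRp\_Files\_Screen_Desktop.jpeg",
    r"C:\Users\Admin\AppData\Local\Temp\PZs4wRp\files_\system_info.txt",
    r"C:\Users\Admin\AppData\Local\Temp\abc1234\setup.log",
    r"C:\Users\Admin\Documents\notes.txt",
]

# Constructed DNS queries (sample data, not from the report).
SAMPLE_DNS = ["bibinene01.top", "www.moraass05.top", "update.microsoft.com"]


def group_staging_dirs(paths):
    """Group file writes by their %TEMP%\\<dir> root: root -> set of relative paths."""
    roots = defaultdict(set)
    for p in paths:
        m = TEMP_STAGING.match(p)
        if m:
            roots[m.group(1)].add(m.group(2))
    return roots


def find_stealer_staging(paths):
    """Return staging roots holding every fixed artifact plus a .zip archive.

    Requiring all three names and the archive avoids alerting on a lone
    _Information.txt written by some unrelated installer."""
    found = []
    for root, rel in group_staging_dirs(paths).items():
        rel_lower = {r.lower() for r in rel}
        has_zip = any(r.endswith(".zip") for r in rel_lower)
        if has_zip and all(s.lower() in rel_lower for s in STAGED_FILES):
            found.append(root)
    return sorted(found)


def c2_hits(queries):
    """Return queried names that equal, or sit under, a configured C2 domain."""
    out = []
    for q in queries:
        name = q.lower().rstrip(".")
        if any(name == d or name.endswith("." + d) for d in C2_DOMAINS):
            out.append(name)
    return sorted(out)


if __name__ == "__main__":
    for root in find_stealer_staging(SAMPLE_FILE_WRITES):
        print("stealer staging directory:", root)
    for name in c2_hits(SAMPLE_DNS):
        print("C2 lookup:", name)
```

Feed the file-write matcher from Sysmon Event ID 11 (FileCreate) TargetFilename values and the DNS matcher from Event ID 22 (DnsQuery) QueryName values; the two signals together, from the same process, are far stronger than either alone.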