Overview

overview

10

Static

static

3

fadc761864...18.exe

windows7-x64

10

fadc761864...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-09-2024 20:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fadc761864c9f8819b963a0bdc893357_JaffaCakes118.exe

  • Size

    4.3MB

  • MD5

    fadc761864c9f8819b963a0bdc893357

  • SHA1

    ee8643450535ba5a0ddfe80076241fa0ba10fc53

  • SHA256

    08ef6479ea772726db377eb7251bf448877d3c1867242865def381222c5149a8

  • SHA512

    712631c50fe0cf61278d194eb30d10f8940b9068dd906d8b3d9cc14b7639123cb8e4dc4bddd9e9ef768c86b0cda066b7886a3961cf9c0bdf69e96a58d985171e

  • SSDEEP

    98304:fhEgSFNWFMdWzbWnw1pxFIlVpyOjE6MYTh7KQsRhIxk9:fyBTw1p4onQsfIxk

Score
10/10
cryptbotdiscoveryevasionspywarestealer

Malware Config

Extracted

Family

cryptbot

C2

nife01.info

Signatures

  • CryptBot

    CryptBot is a C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Blocklisted process makes network request 2 IoCs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of FindShellTrayWindow 12 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fadc761864c9f8819b963a0bdc893357_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fadc761864c9f8819b963a0bdc893357_JaffaCakes118.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:5024
    • C:\ProgramData\Unicodek\Unius.exe
      C:\ProgramData\Unicodek\Unius.exe
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      PID:4732
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\ProgramData\ipras.vbs"
      2⤵
      • Blocklisted process makes network request
      • System Location Discovery: System Language Discovery
      PID:3724

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\FcfaSOJjRQYcy\172773668.txt
    Filesize

    148B

    MD5

    c672c5ffd1a94b729484cc279d2a8a93

    SHA1

    3e3ce8ad41d3ffe36d461a21ded8fead5d11e88b

    SHA256

    087e2c68049f6d81393d62c9fbca232111ec9e0411f5cc9ab1e718475581eaea

    SHA512

    969821c1ea8ae7b400e0e603326a3eb76ad22c21572a12b34e50f97f174f53456e937872c1a5980f7401d702c56c00ec0c5fa4d9cdc38b7d2c6200037f12aae3

    Download Submit

  • C:\ProgramData\FcfaSOJjRQYcy\6v2TFOYfbmXgi.zip
    Filesize

    45KB

    MD5

    d78a39592b8a27ecff5559f11b9f961b

    SHA1

    98394d7b81bf26a3781d0ab31cb7dcb12ce5ae3c

    SHA256

    22b39b9d168c921950d7b41910d8bf3331db7bc8a57d711d27b58ce60ff69711

    SHA512

    b9cf9dea7cc3c52c305c6225f26bc6701913aef913220f39a57ab1b7fe3b624035d4cec38cb86f3d53fb1c5ace424eb97dd500df905932d2cad15bf70740e5d5

    Download Submit

  • C:\ProgramData\FcfaSOJjRQYcy\Files\Browsers\_FilePasswords.txt
    Filesize

    3B

    MD5

    ecaa88f7fa0bf610a5a26cf545dcd3aa

    SHA1

    57218c316b6921e2cd61027a2387edc31a2d9471

    SHA256

    f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5

    SHA512

    37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5

    Download Submit

  • C:\ProgramData\FcfaSOJjRQYcy\Files\_Info.txt
    Filesize

    7KB

    MD5

    f97d210535994bc0b49a7a78b5ee1af9

    SHA1

    f4cf46c06988d93d69e4bd7bded82c00dfa6707d

    SHA256

    270874cb942f129390931c96f54d6486e430111ef3b2df42e9b85fe647753638

    SHA512

    8723c3afee60f6f2fa2f15419c4c6c4cd04fe6287da6ff6f97085429f083ecaf31fc7b64501331f491132dee299b4871bc95b4ce82ae1ce23fffbc95888f5af8

    Download Submit

  • C:\ProgramData\Unicodek\Unius.exe
    Filesize

    2.2MB

    MD5

    da4cba039da84811abbe2d7b73efa488

    SHA1

    5eaabd7ed6d1552dcdec225ecd7d8a8d4e7c43b2

    SHA256

    f852161c46e2b5edd38cd552562afc7a5d14435d1a6a373a87ca18df2ebc76c6

    SHA512

    8d2569fed7a67e54938b665359ab7476c24369fe8f95b3fbad51c0ef787300131db3340d4ff712f857473807da975980a38e1ce303bd48bf41b4ec4086e6ffa5

    Download Submit

  • C:\ProgramData\ipras.vbs
    Filesize

    126B

    MD5

    c6362e3c5585f24a9e9a2712c00c52ff

    SHA1

    9259b9609313386f004328d2c306820eae01a587

    SHA256

    184ca5b2737175e0828f3546d483778c95e23720f1375deac0090c2fe415e208

    SHA512

    59ac94fdb6f41d6dc5cbea1855897759f35032ac922b936a0b39a21b6aafb0c862c5d419afa31c0b81f106f2ce06b2909cdb5fb713534fbe36202c5a4fedfeaa

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12
    Filesize

    1KB

    MD5

    7fb5fa1534dcf77f2125b2403b30a0ee

    SHA1

    365d96812a69ac0a4611ea4b70a3f306576cc3ea

    SHA256

    33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

    SHA512

    a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8
    Filesize

    436B

    MD5

    971c514f84bba0785f80aa1c23edfd79

    SHA1

    732acea710a87530c6b08ecdf32a110d254a54c8

    SHA256

    f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

    SHA512

    43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
    Filesize

    174B

    MD5

    100e4c22d5b8191130e1e8d9610f2333

    SHA1

    724e759526bc81954787aa0665f48ee46597ea4c

    SHA256

    895a89e85ea333990a9dd738d76c15de429b5eaa1c7cc4b016bebc6fd52bd0b4

    SHA512

    8bcc1c1d54ed6e2df7bbeb410783f1e8db5081848944fbed8d7147f53cd33b167c63956350937ec3da944799008b308d2aef41cd43596cc61db7460ce0542c84

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
    Filesize

    170B

    MD5

    3bc524d8b1304db474b248103141cf11

    SHA1

    d600e300fd98729a379492751c87cec51c8c23ef

    SHA256

    48a0a5abe6fa15071d47a9f080b7c937888ff235b5680f1a990dbe36c1d13c9b

    SHA512

    192df59f7f0cd3771951b970e96ca82b9fd9a217a5b6de58e19df10e62390358ecc21d846703c84fe7040ff578ce1edad9aa79109dabdf8c3ae697eab977c950

    Download Submit

  • memory/4732-22-0x00000000005B0000-0x0000000000B09000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/4732-342-0x00000000005B0000-0x0000000000B09000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/4732-397-0x00000000005B0000-0x0000000000B09000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/4732-393-0x00000000005B0000-0x0000000000B09000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/4732-389-0x00000000005B0000-0x0000000000B09000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/4732-385-0x00000000005B0000-0x0000000000B09000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/4732-381-0x00000000005B0000-0x0000000000B09000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/4732-377-0x00000000005B0000-0x0000000000B09000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/4732-373-0x00000000005B0000-0x0000000000B09000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/4732-369-0x00000000005B0000-0x0000000000B09000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/4732-365-0x00000000005B0000-0x0000000000B09000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/4732-360-0x00000000005B0000-0x0000000000B09000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/4732-356-0x00000000005B0000-0x0000000000B09000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/4732-353-0x00000000005B0000-0x0000000000B09000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/4732-147-0x00000000005B1000-0x0000000000613000-memory.dmp

    Filesize

    392KB

    Download

  • memory/4732-146-0x00000000052A0000-0x00000000052A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4732-145-0x0000000005300000-0x0000000005301000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4732-144-0x00000000052F0000-0x00000000052F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4732-140-0x00000000052E0000-0x00000000052E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4732-349-0x00000000005B0000-0x0000000000B09000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/4732-148-0x00000000005B0000-0x0000000000B09000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/4732-346-0x00000000005B0000-0x0000000000B09000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/4732-153-0x00000000005B0000-0x0000000000B09000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/4732-343-0x00000000005B0000-0x0000000000B09000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/4732-344-0x00000000005B0000-0x0000000000B09000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/4732-281-0x00000000005B0000-0x0000000000B09000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/4732-340-0x00000000005B0000-0x0000000000B09000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/5024-362-0x0000000000400000-0x0000000000B4D000-memory.dmp

    Filesize

    7.3MB

    Download

  • memory/5024-3-0x000000000A210000-0x000000000A211000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5024-357-0x0000000000400000-0x0000000000B4D000-memory.dmp

    Filesize

    7.3MB

    Download

  • memory/5024-27-0x0000000000400000-0x0000000000B4D000-memory.dmp

    Filesize

    7.3MB

    Download

  • memory/5024-6-0x000000000A2A0000-0x000000000A2A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5024-11-0x0000000000400000-0x0000000000B4D000-memory.dmp

    Filesize

    7.3MB

    Download

  • memory/5024-5-0x000000000A2C0000-0x000000000A2C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5024-8-0x000000000A280000-0x000000000A281000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5024-345-0x0000000000400000-0x0000000000B4D000-memory.dmp

    Filesize

    7.3MB

    Download

  • memory/5024-150-0x0000000000400000-0x0000000000B4D000-memory.dmp

    Filesize

    7.3MB

    Download

  • memory/5024-1-0x0000000077A44000-0x0000000077A46000-memory.dmp

    Filesize

    8KB

    Download

  • memory/5024-138-0x0000000000400000-0x0000000000B4D000-memory.dmp

    Filesize

    7.3MB

    Download

  • memory/5024-350-0x0000000000400000-0x0000000000B4D000-memory.dmp

    Filesize

    7.3MB

    Download

  • memory/5024-137-0x0000000000400000-0x0000000000B4D000-memory.dmp

    Filesize

    7.3MB

    Download

  • memory/5024-354-0x0000000000400000-0x0000000000B4D000-memory.dmp

    Filesize

    7.3MB

    Download

  • memory/5024-9-0x0000000000401000-0x000000000045D000-memory.dmp

    Filesize

    368KB

    Download

  • memory/5024-4-0x000000000A2B0000-0x000000000A2B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5024-7-0x000000000A260000-0x000000000A261000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5024-2-0x000000000A290000-0x000000000A291000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5024-23-0x0000000000400000-0x0000000000B4D000-memory.dmp

    Filesize

    7.3MB

    Download

  • memory/5024-366-0x0000000000400000-0x0000000000B4D000-memory.dmp

    Filesize

    7.3MB

    Download

  • memory/5024-0-0x0000000000400000-0x0000000000B4D000-memory.dmp

    Filesize

    7.3MB

    Download

  • memory/5024-370-0x0000000000400000-0x0000000000B4D000-memory.dmp

    Filesize

    7.3MB

    Download

  • memory/5024-21-0x0000000000400000-0x0000000000B4D000-memory.dmp

    Filesize

    7.3MB

    Download

  • memory/5024-374-0x0000000000400000-0x0000000000B4D000-memory.dmp

    Filesize

    7.3MB

    Download

  • memory/5024-10-0x0000000000400000-0x0000000000B4D000-memory.dmp

    Filesize

    7.3MB

    Download

  • memory/5024-378-0x0000000000400000-0x0000000000B4D000-memory.dmp

    Filesize

    7.3MB

    Download

  • memory/5024-17-0x0000000000400000-0x0000000000B4D000-memory.dmp

    Filesize

    7.3MB

    Download

  • memory/5024-383-0x0000000000400000-0x0000000000B4D000-memory.dmp

    Filesize

    7.3MB

    Download

  • memory/5024-15-0x0000000000400000-0x0000000000B4D000-memory.dmp

    Filesize

    7.3MB

    Download

  • memory/5024-387-0x0000000000400000-0x0000000000B4D000-memory.dmp

    Filesize

    7.3MB

    Download

  • memory/5024-14-0x0000000000400000-0x0000000000B4D000-memory.dmp

    Filesize

    7.3MB

    Download

  • memory/5024-391-0x0000000000400000-0x0000000000B4D000-memory.dmp

    Filesize

    7.3MB

    Download

  • memory/5024-13-0x0000000000400000-0x0000000000B4D000-memory.dmp

    Filesize

    7.3MB

    Download

  • memory/5024-394-0x0000000000400000-0x0000000000B4D000-memory.dmp

    Filesize

    7.3MB

    Download

  • memory/5024-12-0x0000000000400000-0x0000000000B4D000-memory.dmp

    Filesize

    7.3MB

    Download