Analysis
max time kernel
147s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
submitted
28-09-2024 18:25
Static task
static1
Behavioral task
behavioral1
Sample
fce34b7c245a178aa22b455b2a05c09a_JaffaCakes118.exe
Resource
win7-20240708-en
General
Target
fce34b7c245a178aa22b455b2a05c09a_JaffaCakes118.exe
Size
4.2MB
MD5
fce34b7c245a178aa22b455b2a05c09a
SHA1
f02262ddfe1ca17807d1fd274a0c854a76b515b5
SHA256
181b4cf28d0bb74fe05b2d1b7a267e8b2d5bf68d0c8a6e1a63b1605d8961f4f1
SHA512
d7be7635dd0fdd84d5128aa03dd11d2bb8b3a43ff1894ffb0d6be0836caa2a42955046a02aebb63a9be168575ad6282744a3489d4f273d4853c3ea68430b7fdd
SSDEEP
98304:vhyHcgzsj1WTf2VuX9j0Z6T3cQwZnmRcX:vhyBhYC+Q3cpZmU
Malware Config
Extracted
cryptbot
bibinene01.top
moraass05.top
Signatures

CryptBot payload 15 IoCs
resource | yara_rule
behavioral1/memory/2800-251-0x0000000000E70000-0x0000000001379000-memory.dmp | family_cryptbot
behavioral1/memory/2800-252-0x0000000000E70000-0x0000000001379000-memory.dmp | family_cryptbot
behavioral1/memory/2800-255-0x0000000000E70000-0x0000000001379000-memory.dmp | family_cryptbot
behavioral1/memory/2800-257-0x0000000000E70000-0x0000000001379000-memory.dmp | family_cryptbot
behavioral1/memory/2800-259-0x0000000000E70000-0x0000000001379000-memory.dmp | family_cryptbot
behavioral1/memory/2800-262-0x0000000000E70000-0x0000000001379000-memory.dmp | family_cryptbot
behavioral1/memory/2800-264-0x0000000000E70000-0x0000000001379000-memory.dmp | family_cryptbot
behavioral1/memory/2800-266-0x0000000000E70000-0x0000000001379000-memory.dmp | family_cryptbot
behavioral1/memory/2800-268-0x0000000000E70000-0x0000000001379000-memory.dmp | family_cryptbot
behavioral1/memory/2800-270-0x0000000000E70000-0x0000000001379000-memory.dmp | family_cryptbot
behavioral1/memory/2800-273-0x0000000000E70000-0x0000000001379000-memory.dmp | family_cryptbot
behavioral1/memory/2800-275-0x0000000000E70000-0x0000000001379000-memory.dmp | family_cryptbot
behavioral1/memory/2800-277-0x0000000000E70000-0x0000000001379000-memory.dmp | family_cryptbot
behavioral1/memory/2800-279-0x0000000000E70000-0x0000000001379000-memory.dmp | family_cryptbot
behavioral1/memory/2800-282-0x0000000000E70000-0x0000000001379000-memory.dmp | family_cryptbot

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
VirtualBox guests expose ACPI tables with the VBOX__ OEM ID under HARDWARE\ACPI; opening that key is a common VM-detection check.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | d3.exe

Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | d3.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | d3.exe

Executes dropped EXE 1 IoCs
pid | Process
2800 | d3.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Wine | d3.exe

Loads dropped DLL 7 IoCs
pid | Process
3024 | fce34b7c245a178aa22b455b2a05c09a_JaffaCakes118.exe
3024 | fce34b7c245a178aa22b455b2a05c09a_JaffaCakes118.exe
3024 | fce34b7c245a178aa22b455b2a05c09a_JaffaCakes118.exe
3024 | fce34b7c245a178aa22b455b2a05c09a_JaffaCakes118.exe
2800 | d3.exe
2800 | d3.exe
2800 | d3.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Setting ThreadHideFromDebugger on a thread stops debug events for it from reaching an attached debugger, a common anti-debugging technique.
pid | Process
2800 | d3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fce34b7c245a178aa22b455b2a05c09a_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | d3.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | d3.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs
pid | Process
2800 | d3.exe

Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
2800 | d3.exe
2800 | d3.exe

Suspicious use of WriteProcessMemory 7 IoCs
description | pid | Process | procid_target
PID 3024 wrote to memory of 2800 | 3024 | fce34b7c245a178aa22b455b2a05c09a_JaffaCakes118.exe | 30
PID 3024 wrote to memory of 2800 | 3024 | fce34b7c245a178aa22b455b2a05c09a_JaffaCakes118.exe | 30
PID 3024 wrote to memory of 2800 | 3024 | fce34b7c245a178aa22b455b2a05c09a_JaffaCakes118.exe | 30
PID 3024 wrote to memory of 2800 | 3024 | fce34b7c245a178aa22b455b2a05c09a_JaffaCakes118.exe | 30
PID 3024 wrote to memory of 2800 | 3024 | fce34b7c245a178aa22b455b2a05c09a_JaffaCakes118.exe | 30
PID 3024 wrote to memory of 2800 | 3024 | fce34b7c245a178aa22b455b2a05c09a_JaffaCakes118.exe | 30
PID 3024 wrote to memory of 2800 | 3024 | fce34b7c245a178aa22b455b2a05c09a_JaffaCakes118.exe | 30
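One way to turn the registry and memory-write IoCs above into a triage verdict, as an added example that is not part of this report or of the sandbox's own tooling: the script parses rows in the flattened "Key opened ... process" / "PID x wrote to memory of y" format used on this page, maps the registry paths the report flags to the check they serve (VirtualBox ACPI table, BIOS strings, CPU name, Wine key, NLS language), counts how many distinct anti-analysis families each process touched, and recovers which process wrote into which. The technique labels, the two-family threshold and the sample rows (constructed from this report's IoCs) are this example's own assumptions.

```python
"""Triage of flattened sandbox IoC lines (added example, not the sandbox's own code).

Classifies the registry reads this report flags as anti-VM / anti-sandbox /
geo-targeting checks, and recovers parent->child relationships from the
"wrote to memory of" events. Technique labels and the scoring threshold are
this example's own choices, not the sandbox's.
"""
import re
from collections import defaultdict

# Registry paths seen in the report, mapped to the check they serve.
# Matched as case-insensitive prefixes; per-user SIDs are normalised to <SID>.
KNOWN_KEYS = {
    r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__": "anti-vm:virtualbox-acpi",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion": "anti-sandbox:bios",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion": "anti-sandbox:bios",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0": "anti-sandbox:cpu",
    r"\REGISTRY\USER\<SID>\Software\Wine": "anti-sandbox:wine",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language": "discovery:system-language",
}

SID_RE = re.compile(r"\\REGISTRY\\USER\\S-1-5-21-[\d-]+", re.IGNORECASE)
KEY_RE = re.compile(r"Key (?:opened|value queried) (\\REGISTRY\\\S+) (\S+\.exe)")
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+\.exe)")


def classify_key(path):
    """Return the technique label for a registry path, or None if it is not a known check."""
    norm = SID_RE.sub(r"\\REGISTRY\\USER\\<SID>", path).lower()
    for prefix, label in KNOWN_KEYS.items():
        if norm.startswith(prefix.lower()):
            return label
    return None


def triage(lines):
    """Return ({process_name: set_of_labels}, sorted list of (writer, writer_pid, target_pid))."""
    techniques = defaultdict(set)
    writes = set()
    for line in lines:
        m = KEY_RE.search(line)
        if m:
            label = classify_key(m.group(1))
            if label:
                techniques[m.group(2)].add(label)
            continue
        m = WPM_RE.search(line)
        if m:
            src_pid, dst_pid, src_name = m.groups()
            writes.add((src_name, int(src_pid), int(dst_pid)))
    return dict(techniques), sorted(writes)


def evasion_score(labels):
    """Number of distinct anti-analysis families (anti-vm, anti-sandbox, ...) a process used.
    Two or more is treated here as a strong evasive signal; one alone can be benign hardware probing."""
    return len({label.split(":")[0] for label in labels if label.startswith("anti-")})


# Constructed sample: the IoC rows of this report, one per line, in the sandbox's flattened format.
SAMPLE_LINES = r"""
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ d3.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion d3.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion d3.exe
Key opened \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Wine d3.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d3.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fce34b7c245a178aa22b455b2a05c09a_JaffaCakes118.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 d3.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString d3.exe
PID 3024 wrote to memory of 2800 3024 fce34b7c245a178aa22b455b2a05c09a_JaffaCakes118.exe 30
PID 3024 wrote to memory of 2800 3024 fce34b7c245a178aa22b455b2a05c09a_JaffaCakes118.exe 30
""".strip().splitlines()

if __name__ == "__main__":
    techniques, writes = triage(SAMPLE_LINES)
    for proc, labels in techniques.items():
        print(f"{proc}: evasion_score={evasion_score(labels)} {sorted(labels)}")
    for writer, writer_pid, target_pid in writes:
        print(f"{writer} (pid {writer_pid}) wrote into pid {target_pid}")
```

Run against the report's rows this gives d3.exe two anti-analysis families (anti-vm and anti-sandbox) plus the language lookup, the parent sample only the language lookup, and a single parent-to-child write relationship (the seven identical rows collapse to one). Duplicate rows are the norm in these reports, so dedup before counting; the prefix match is deliberately loose so that value queries beneath a flagged key (ProcessorNameString under CentralProcessor\0) inherit the key's label.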
Processes

C:\Users\Admin\AppData\Local\Temp\fce34b7c245a178aa22b455b2a05c09a_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\fce34b7c245a178aa22b455b2a05c09a_JaffaCakes118.exe"
PID: 3024
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

  Child process:
  C:\Users\Admin\AppData\Local\Temp\sib5063.tmp\0\d3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\sib5063.tmp\0\d3.exe" /s
  PID: 2800
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow

Network

MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores (1)
  Credentials from Web Browsers (1)
Unsecured Credentials (2)
  Credentials In Files (2)

Downloads

Filesize
8KB
MD5
1966c58435da8e675ae29247f928536a
SHA1
98bdb3bc595d087861d53aac075761e440396a71
SHA256
ac204b27ce2cce2946e5124edf33a346c6a07d8ef2582b99202ad17d3a14a0f9
SHA512
d12dc63f68d44aa7e38e359abb0c21edfa8a9978f66cfb2e2aa91374a45e7a68c5d1e9ecb7667f882b859da53918aa4473c10068750788e2782083d39164e006

Filesize
47KB
MD5
93b6a6fd3b8e432bd4d79e0f7bc9e6be
SHA1
4a7a016612c66beb190a4e24adb10b25d7a9783f
SHA256
30eb55bf1f80f4784b28a033a850782418a8afadc3d93597497437aec06f1723
SHA512
d77e9d23d951e81233067d05ca1ab00bf6d11f98e78af1ab17f0a94641d67a59aaf1a6647316a93636a1af2e63ae58e8db2bed3d8890e43d3addc56e1faf22b8

Filesize
8KB
MD5
19df2efc50cc8596adc57654e1c647a9
SHA1
6ecf75648b594a38e16c53d255c89850d10ec699
SHA256
dc6a6660df349f20f95757d722a7ecbe6a5a1c54bfeee43bc58d4d3b4fbe5680
SHA512
106d6067ac97d7d71de7c6c057170f9a77a29830342400999b2eceea304d376828f3bbcc73939fd4ea4356d35403ed6fb4b2316d65a6bdb6af474ef635bf2d6c

Filesize
40KB
MD5
3fef6fc5870ee38f19ac89ee5359d5c8
SHA1
e6941d60f2a65106194f07f38849118fc01a0c71
SHA256
4c770dbec90061dcd87e346dabf5d759ae5b605d679d358133461897e66506a9
SHA512
113ed585125f55ad87ab83c8a64555e0281f841f00dd18371626abf5bdb19aa482c113672a2d247505332430469b1aae5b56af3202eed4f09af059c7bd8d3c74

Filesize
524KB
MD5
6a3c3c97e92a5949f88311e80268bbb5
SHA1
48c11e3f694b468479bc2c978749d27b5d03faa2
SHA256
7938db73242aafbe80915e4ca886d38be9b7e872b93bdae1e8ee6cf4a005b7d9
SHA512
6141886a889825ccdfa59a419f7670a34ef240c4f90a83bc17223c415f2fbd983280e98e67485710e449746b5bf3284907537bef6ab698a48954dd4910ddf693

Filesize
2.0MB
MD5
5679098942a9c1dcc31af77ebf48c70d
SHA1
62f0b999c5afc8df86b4f436c2b0e4d6c26d8fde
SHA256
8b62f2ef1863eb1a526ff2f68c4031a39f92f4fe1a481e9212d483c3b468f08a
SHA512
40b452061b1120e41cf18c06627d3501006eed1dd4f9904e770c56ccd6662faa66ee14cd7a8a0237262249fe7d00f9aeb8721e909bb410e10bd22800a2cffa3c

Filesize
51KB
MD5
5ea6d2ffeb1be3fc0571961d0c4c2b5f
SHA1
902dfe9ae735c83fb0cb46b3e110bbf2aa80209e
SHA256
508336b6a7c3226738e74f6ce969e828da904ad9f7610b9112f883a316ee9222
SHA512
e81657087f451a37f06a07bf84175117fdaf75d5d8b84cbdc49497fcf88f96e259074518ea3037680d27c9eaeebd7a8df496297593fead88d7edea202a572585