Overview

overview

10

Static

static

7

246e2208e8...18.exe

windows7-x64

10

246e2208e8...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-10-2024 19:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    246e2208e8ddec77e2af5c023912596b_JaffaCakes118.exe

  • Size

    2.6MB

  • MD5

    246e2208e8ddec77e2af5c023912596b

  • SHA1

    27502502a4937e6c842e6363c956424a8dd11ce2

  • SHA256

    93baef5c568d34947823fa1be790b7f580631e8724ee0203de9038c1366b8c57

  • SHA512

    89180fc082ad885b9509a955d696082ce791a9fd26fc033474ff8bb656a4076ef4ca41062d35b153917c08aede06b82cbfb8a0cd5ebe45fa29709cbfd5dd29c7

  • SSDEEP

    49152:8XK+wzmmfoCIUgdAqWvXrkapi9oUKjSUhl88BHR3GccQQPITsUW:T3PIUgdtQXrkapi2jhzdHRWcTQQT6

Score
10/10
cryptbotdiscoveryevasionspywarestealerthemidatrojan

Malware Config

Extracted

Family

cryptbot

C2

pacbry45.top

mortiq04.top
Attributes
  • payload_url

    http://zukicv06.top/download.php?file=lv.exe

Signatures

  • CryptBot

    CryptBot is a C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 20 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\246e2208e8ddec77e2af5c023912596b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\246e2208e8ddec77e2af5c023912596b_JaffaCakes118.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    PID:1800

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\vPuiDNmBHb\_Files\_Information.txt
    Filesize

    1KB

    MD5

    7e56c5ce913fabcc722b7dccb4c2d58d

    SHA1

    69a3648a9a305173a8d7ee3cdd700cf60e6b94f9

    SHA256

    f990cc2893d4c186f13772a22ff4662b576f2140ed520b2a6dab646e27df9130

    SHA512

    07fd6e97e1c52e44031100ec0bb74348ad3e615b12b02db593e6476f5ad2c4f3e74356f3765b7e4d67a25b1a1067d4b5e66216866e4f0450c03d04723e2433f8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\vPuiDNmBHb\_Files\_Information.txt
    Filesize

    4KB

    MD5

    dff5092b47016aac572bf7058ca31836

    SHA1

    5b603c95a142f4dd6cab88480426f31df45ae749

    SHA256

    34715666a93c5d78cd5bb0be9517be01c3e9cc2a0b43f2eea6137dd5836b8b47

    SHA512

    8ac099a7447434da73842d6bb96b5985122b6f335e2805ab8fd60ee1f4b4a6a55b48139a333a8bcc796f56f10300d1aaa2855befe0d0c39f580407ade70796dd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\vPuiDNmBHb\_Files\_Screen_Desktop.jpeg
    Filesize

    54KB

    MD5

    d82f71eaed80ada8d11cf68c151f41cb

    SHA1

    19f14cb59b86e4950db2432f93798070b6de2577

    SHA256

    ea95b28100bc0833b82d38572f9b3a50020d46e7e5389c635d5010c185559b61

    SHA512

    4d7d9f563dd038532340347aea6be0f2456c6b0a2651fa9af1f81ef58b12b4b5a2fd2d23f45832147ab7bca7fdd0852dab25efb79f5041e62c143cf9b990fd92

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\vPuiDNmBHb\nCyLMcYjqqs.zip
    Filesize

    49KB

    MD5

    36a4982c08d47299255b524fdc66220c

    SHA1

    49c22c07ae35bd8e9729564e3db0cb3cd6ca7c20

    SHA256

    5795b354035fe2119abef7f311a77891c24618669d09856489a5560706e3b2ab

    SHA512

    8b15fbe62b4d60ebd93f0a2226b1405f8f780d3229394e50aab737978abe06a2b5f2a272d0ccbc726c66263d20c39eb3acefece054033e4806a55a5ba8c41aed

    Download Submit

  • memory/1800-4-0x0000000000A10000-0x00000000010F2000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1800-133-0x0000000000A10000-0x00000000010F2000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1800-0-0x0000000000A10000-0x00000000010F2000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1800-5-0x0000000000A10000-0x00000000010F2000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1800-3-0x0000000000A10000-0x00000000010F2000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1800-2-0x0000000000A10000-0x00000000010F2000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1800-117-0x0000000000A10000-0x00000000010F2000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1800-124-0x0000000000A10000-0x00000000010F2000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1800-1-0x0000000077C64000-0x0000000077C66000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1800-127-0x0000000000A10000-0x00000000010F2000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1800-130-0x0000000000A10000-0x00000000010F2000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1800-6-0x0000000000A10000-0x00000000010F2000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1800-136-0x0000000000A10000-0x00000000010F2000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1800-140-0x0000000000A10000-0x00000000010F2000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1800-143-0x0000000000A10000-0x00000000010F2000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1800-146-0x0000000000A10000-0x00000000010F2000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1800-149-0x0000000000A10000-0x00000000010F2000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1800-152-0x0000000000A10000-0x00000000010F2000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1800-155-0x0000000000A10000-0x00000000010F2000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1800-158-0x0000000000A10000-0x00000000010F2000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1800-160-0x0000000000A10000-0x00000000010F2000-memory.dmp

    Filesize

    6.9MB

    Download