Overview

overview

10

Static

static

3

54efb1309d...18.exe

windows7-x64

10

54efb1309d...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    18-10-2024 02:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    54efb1309d76e87c2185b576e3783247_JaffaCakes118.exe

  • Size

    662KB

  • MD5

    54efb1309d76e87c2185b576e3783247

  • SHA1

    9111f54d035c70780a1decc4d808356cf1857940

  • SHA256

    5de12d55a698805ec98ada5964711f226fd1d4a424daf7062f178dbf52702cd5

  • SHA512

    e3be1ec27f080280b826429d0457c1560d2f6dc33b20e0af349a8d6b03ef6836c3df4bc5808f813d572fe7b0b7c694920931176fe45add7250fa6e823c943a3e

  • SSDEEP

    12288:KzxWqgM8Yi/u5J3noTJDA8pTW8AawUb6nQHQ+5FChY9Cpi+oAg/Dt/zqH/iTQ:S0RM87HMF8VwUbJ/C7CL/DRuHSQ

Score
10/10
cryptbotdiscoveryspywarestealer

Malware Config

Extracted

Family

cryptbot

C2

lysayu42.top

morbyn04.top
Attributes
  • payload_url

    http://damhlu05.top/download.php?file=lv.exe

Signatures

  • CryptBot

    CryptBot is a C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • CryptBot payload 6 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of FindShellTrayWindow 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\54efb1309d76e87c2185b576e3783247_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\54efb1309d76e87c2185b576e3783247_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious use of FindShellTrayWindow
    PID:1940

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\fdRSf3ovM\_Files\_Information.txt
    Filesize

    8KB

    MD5

    a74b246561f344d69acb30038fcdf7c6

    SHA1

    27d5f682ce307f4db48d02a942151afb1268e6d2

    SHA256

    b885d9280d074f9dfff4deb1b1e74d53c79242422d0b95645f78892769375fb9

    SHA512

    5e1856b473f4119ddd7c6d93f0d5ef217432f8e875a2ea1033de8c4212c9dccec395411111a76ced371ea2775c8e126d23550752d7b27142ccb701c5fe30654b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\fdRSf3ovM\_Files\_Screen_Desktop.jpeg
    Filesize

    47KB

    MD5

    63a13068d93b5a1bc44f86cd9fbd7e18

    SHA1

    9fa473a42d8af554d8c33ef1f75d29fdac944d7d

    SHA256

    b8539ab069bf8a07d1d9daa925905409fa93ff551eb6c5d1f8d10b26cb1066e4

    SHA512

    e59591e6f59a1eb5bcc11597be1a316ec29f25334de24a79dc42c015847925d40c75c1bf832dac6d6937208b3d9ae50658cc9103117bbebec9ab9b0f513b2c43

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\fdRSf3ovM\files_\system_info.txt
    Filesize

    8KB

    MD5

    2e107dce900d4e6a26f9ba971d5b839d

    SHA1

    76832edbb147b943beea2e0516bcde2623e864c7

    SHA256

    12b493f5537f68a5e295b74171a61d298a8b9f9c7dd2e3103c4d544125ebdfd2

    SHA512

    e5a3da851f46b8b5063ee9cd2a8922cbbdbb5b2bb03a42d3c54e7f8175b1cc9e2ff9f3c2636c2796d8fe5457c257adfdfae6c55fbf2f564542a9f8d27b1e2006

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\fdRSf3ovM\nbdcoeRjtznOj.zip
    Filesize

    40KB

    MD5

    1b8f4a79a805340824559b998fca020c

    SHA1

    8ce50151425de0d70319ad9cb93d06dca03bab83

    SHA256

    811769385c0f5067cfb1dc6d40ef7a78c134c2d1a8bf016a14936d5d973aacd6

    SHA512

    946458502fb4b51791d3fd12f9352db77b15763118d543edcdd4a5ff4cd8f09c25f2a92c2fc116ae139fb3b216945e5de9aaad8f375713ea06765f8517640cd3

    Download Submit

  • memory/1940-2-0x00000000002E0000-0x0000000000380000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1940-1-0x0000000000A10000-0x0000000000B10000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1940-3-0x0000000000400000-0x00000000004A3000-memory.dmp

    Filesize

    652KB

    Download

  • memory/1940-4-0x0000000000400000-0x000000000095B000-memory.dmp

    Filesize

    5.4MB

    Download

  • memory/1940-221-0x0000000000A10000-0x0000000000B10000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1940-222-0x00000000002E0000-0x0000000000380000-memory.dmp

    Filesize

    640KB

    Download

  • memory/1940-225-0x0000000000400000-0x00000000004A3000-memory.dmp

    Filesize

    652KB

    Download

  • memory/1940-224-0x0000000000400000-0x000000000095B000-memory.dmp

    Filesize

    5.4MB

    Download