Overview

overview

10

Static

static

7

5827ebac03...18.exe

windows7-x64

10

5827ebac03...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-10-2024 15:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5827ebac03c822af895a1c0b45fbe4ef_JaffaCakes118.exe

  • Size

    2.8MB

  • MD5

    5827ebac03c822af895a1c0b45fbe4ef

  • SHA1

    db3380a13fa112d61ca054ae944a2c5d325264a9

  • SHA256

    4218d74bd7fa7d4e9bd195faded956c30867041a2bc762ebe629e26008bfd5ac

  • SHA512

    01b75fb198199bb43b7005e2c9116678cf7a62c027629e9ab6ed2a599e3a3febec44e40850fd9c3bccb51453b95175678e38f0f35942135f7a0680bd68f13f51

  • SSDEEP

    49152:wB1AgCR97+twAWTbi5x6Gu5kYc+6J0l+DZVEq2axRb58rX0:wsgu97yw4g57nm9XEFKY

Score
10/10
cryptbotdiscoveryevasionspywarestealerthemidatrojan

Malware Config

Extracted

Family

cryptbot

C2

pacbry45.top

mortiq04.top
Attributes
  • payload_url

    http://zukicv06.top/download.php?file=lv.exe

Signatures

  • CryptBot

    CryptBot is a C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 21 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5827ebac03c822af895a1c0b45fbe4ef_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5827ebac03c822af895a1c0b45fbe4ef_JaffaCakes118.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    PID:1360

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\wPaPCamjL\FZWtoLcQUSbQbW.zip
    Filesize

    55KB

    MD5

    3c447290e275f1686d60576f254d0598

    SHA1

    907c7655f569bafbdc838793387b629b7de67517

    SHA256

    e2496591894bc3f9e2a211df16aad8bc301f9d07d9a3e885e5c86b09dfb443a1

    SHA512

    d7d2e5b9a3e9ee1f5bbee744b993d5293c5400baf4802bfd6ce3b300c0f62f2ffb036ac0b916d34120901973c3a1ee5e959eb6bf259cf182ba651bf9d1f605d0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\wPaPCamjL\_Files\_Information.txt
    Filesize

    5KB

    MD5

    feb20136b2c01266312bbe64ad64c704

    SHA1

    23026fbc37cf62f1929d08e3ac2faf63e55047a5

    SHA256

    62981b1ab7570d6dcf88d67c6160fa5d71537cf87c8ba33ebd8600ff765ae21c

    SHA512

    ae88d9796cad3934fd8a526736d6b90d8a3861017872390aafeaffe39de49398e26f8396455fa8fa9cb3fec2fb4c6f751adb3124e80d0825fa566ad9e0ece574

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\wPaPCamjL\_Files\_Screen_Desktop.jpeg
    Filesize

    60KB

    MD5

    8ad44a4af2a95545c35ab0fad3a1e53d

    SHA1

    74dd42f0129c3d4ea121a022f85ceed0b1bf80bc

    SHA256

    ca6ac27853891a19617c7fb039bb829f760e909b180fc0ab05ceaef223c96e25

    SHA512

    905f0c7811419c622d823a6e0154939418738bc49f1e56ce5aa67903b4f426861fabc4339c6bbdf26827a4a8c853acdb473f0795d39ad953bd5af978e9667b69

    Download Submit

  • memory/1360-6-0x0000000000D80000-0x00000000014C1000-memory.dmp

    Filesize

    7.3MB

    Download

  • memory/1360-130-0x0000000000D80000-0x00000000014C1000-memory.dmp

    Filesize

    7.3MB

    Download

  • memory/1360-4-0x0000000000D80000-0x00000000014C1000-memory.dmp

    Filesize

    7.3MB

    Download

  • memory/1360-0-0x0000000000D80000-0x00000000014C1000-memory.dmp

    Filesize

    7.3MB

    Download

  • memory/1360-2-0x0000000000D80000-0x00000000014C1000-memory.dmp

    Filesize

    7.3MB

    Download

  • memory/1360-3-0x0000000000D80000-0x00000000014C1000-memory.dmp

    Filesize

    7.3MB

    Download

  • memory/1360-118-0x0000000000D80000-0x00000000014C1000-memory.dmp

    Filesize

    7.3MB

    Download

  • memory/1360-117-0x0000000000D80000-0x00000000014C1000-memory.dmp

    Filesize

    7.3MB

    Download

  • memory/1360-124-0x0000000000D80000-0x00000000014C1000-memory.dmp

    Filesize

    7.3MB

    Download

  • memory/1360-1-0x0000000077444000-0x0000000077446000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1360-127-0x0000000000D80000-0x00000000014C1000-memory.dmp

    Filesize

    7.3MB

    Download

  • memory/1360-5-0x0000000000D80000-0x00000000014C1000-memory.dmp

    Filesize

    7.3MB

    Download

  • memory/1360-134-0x0000000000D80000-0x00000000014C1000-memory.dmp

    Filesize

    7.3MB

    Download

  • memory/1360-137-0x0000000000D80000-0x00000000014C1000-memory.dmp

    Filesize

    7.3MB

    Download

  • memory/1360-141-0x0000000000D80000-0x00000000014C1000-memory.dmp

    Filesize

    7.3MB

    Download

  • memory/1360-143-0x0000000000D80000-0x00000000014C1000-memory.dmp

    Filesize

    7.3MB

    Download

  • memory/1360-147-0x0000000000D80000-0x00000000014C1000-memory.dmp

    Filesize

    7.3MB

    Download

  • memory/1360-150-0x0000000000D80000-0x00000000014C1000-memory.dmp

    Filesize

    7.3MB

    Download

  • memory/1360-153-0x0000000000D80000-0x00000000014C1000-memory.dmp

    Filesize

    7.3MB

    Download

  • memory/1360-155-0x0000000000D80000-0x00000000014C1000-memory.dmp

    Filesize

    7.3MB

    Download

  • memory/1360-159-0x0000000000D80000-0x00000000014C1000-memory.dmp

    Filesize

    7.3MB

    Download

  • memory/1360-163-0x0000000000D80000-0x00000000014C1000-memory.dmp

    Filesize

    7.3MB

    Download