Analysis

  • max time kernel
    119s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64 · arch:x86 · image:win7-20241010-en · locale:en-us · os:windows7-x64 · system
  • submitted
    21-10-2024 07:08

General

  • Target

    65ee316a2bf447f5b8d9b9202741aaf0_JaffaCakes118.exe

  • Size

    977KB

  • MD5

    65ee316a2bf447f5b8d9b9202741aaf0

  • SHA1

    d231b371e6a7def22b68a3eea9bbce65c6df807c

  • SHA256

    b3c8a5ac1a6ec0090d47b5c92b153505ae7dc45541b826dc26104321b4b1acb5

  • SHA512

    14eebe6875c48d4662d3a3f3a30ecd7278952fef265a1291fab83b462b5ad04b8e438a8c7722cdeeec711256cf089756719af2178c4efd9eb090aa5c3a3d11fb

  • SSDEEP

    24576:htzNGaLv/OMyROGRNSQ/SEdgfp9tmHywc+qrn:PzgGvGPOG3PgLtmSL+m

Malware Config

Signatures

  • CryptBot

    CryptBot is a C++ information stealer that is widely distributed bundled with other software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempts to gather information about the victim's system language in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
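
Taken one at a time, most of the signatures above are weak: a loopback ping, a four-second timeout, a double file extension and cmd.exe reading from a .csv all occur in benign software. What makes this chain worth escalating is that they co-occur in one process tree. The Python below is an added example (not part of the Triage report and not CryptBot code) that encodes each behaviour as a regex rule, classifies single command lines, and scores the whole tree; the rule names, the threshold of three and the REPORT_CMDLINES list (copied from the Processes section of this report) are this example's own choices.

```python
"""Heuristics for the living-off-the-land chain shown in this report.

classify_cmdline() looks at a single command line; score_chain() combines the
hits across a whole process tree so that a benign-looking step on its own
(loopback ping, timeout) is only escalated when the others appear with it.
"""
import re
from typing import Dict, List, Set, Tuple

# Rule name -> compiled pattern. The names are labels chosen for this example.
_RULES: Dict[str, re.Pattern] = {
    # cmd.exe taking its script from stdin redirected out of a non-script file
    # (".csv" here); real batch files arrive as .bat/.cmd arguments instead.
    "stdin_script": re.compile(
        r'\bcmd(?:\.exe)?\b[^<|]*<\s*"?[^"\s]+\.(?!bat\b|cmd\b)[A-Za-z0-9]+(?![\w.])', re.I),
    # findstr /V /R "^<long alphanumeric>$" prints every line EXCEPT the marker,
    # i.e. strips a decoy header line to carve an executable out of a data file.
    "findstr_carve": re.compile(
        r'\bfindstr(?:\.exe)?\b(?=.*\s/V\b)(?=.*\s/R\b).*"\^[A-Za-z0-9]{16,}\$"', re.I),
    # Double extension such as Talismani.exe.com (a PE that looks like a .com).
    "double_extension": re.compile(r"\.exe\.(?:com|pif|scr)\b", re.I),
    # A sleep (timeout N / ping host) chained with del: the classic self-delete.
    "self_delete": re.compile(
        r"\b(?:timeout\s+(?:/t\s+)?\d+|ping\s+\S+).*?&\s*del\s", re.I),
    # ping to loopback used purely as a delay / connectivity probe.
    "loopback_ping": re.compile(
        r"\bping(?:\.exe)?\b\s+(?:-n\s+\d+\s+)?(?:127\.0\.0\.1|localhost)\b", re.I),
}


def classify_cmdline(cmdline: str) -> Set[str]:
    """Return the set of rule names that fire on one command line."""
    return {name for name, pat in _RULES.items() if pat.search(cmdline)}


def score_chain(cmdlines: List[str], threshold: int = 3) -> Tuple[Set[str], str]:
    """Union the hits over a process tree. The verdict flips once `threshold`
    distinct behaviours co-occur, which a single benign command never reaches."""
    hits: Set[str] = set()
    for cmd in cmdlines:
        hits |= classify_cmdline(cmd)
    verdict = "staged_dropper" if len(hits) >= threshold else "inconclusive"
    return hits, verdict


# Command lines copied from the process tree of this report (constructed list).
REPORT_CMDLINES = [
    "cmd /c cmd < Ingannaste.csv",
    'findstr /V /R "^xEnQvhvTRxzjeevqkckuiiCkNbKORUyPRQVatfkfnjwAyOoOetjLAvuheheYDHwXfExjurWVlWIUuwuYfVMNHxgcJIdRjjMRkt$" Pie.csv',
    "Talismani.exe.com A",
    r'"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\NmDjqBLU'
    r' & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Talismani.exe.com"',
    "ping 127.0.0.1",
    "dllhost.exe",
]

if __name__ == "__main__":
    for cmd in REPORT_CMDLINES:
        print(f"{sorted(classify_cmdline(cmd)) or '-'}: {cmd[:70]}")
    print(score_chain(REPORT_CMDLINES))
```

The threshold is deliberately applied to the union over the tree rather than per process: in this report no single command line trips more than two rules, but the tree as a whole trips all five.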

Processes

  • C:\Users\Admin\AppData\Local\Temp\65ee316a2bf447f5b8d9b9202741aaf0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\65ee316a2bf447f5b8d9b9202741aaf0_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2208
    • C:\Windows\SysWOW64\dllhost.exe
      dllhost.exe
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1504
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c cmd < Ingannaste.csv
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2152
      • C:\Windows\SysWOW64\cmd.exe
        cmd
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2132
        • C:\Windows\SysWOW64\findstr.exe
          findstr /V /R "^xEnQvhvTRxzjeevqkckuiiCkNbKORUyPRQVatfkfnjwAyOoOetjLAvuheheYDHwXfExjurWVlWIUuwuYfVMNHxgcJIdRjjMRkt$" Pie.csv
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2780
        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Talismani.exe.com
          Talismani.exe.com A
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:2776
          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Talismani.exe.com
            C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Talismani.exe.com A
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Checks processor information in registry
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:2136
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\NmDjqBLU & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Talismani.exe.com"
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1168
              • C:\Windows\SysWOW64\timeout.exe
                timeout 4
                7⤵
                • System Location Discovery: System Language Discovery
                • Delays execution with timeout.exe
                PID:3012
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3048
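
The findstr step at depth 4 is the payload carve. Pie.csv is a decoy whose marker line is the long alphanumeric string in the command line; `findstr /V /R "^marker$"` prints every line that does not match that anchored regex, so the marker disappears and the remaining bytes are written out as Talismani.exe.com. The Downloads section below reports both files at 872KB with different hashes, which is consistent with a single line of roughly 100 bytes being dropped. The Python below is an added example, not code from the report or from the malware: it reproduces that carve over constructed sample bytes and verifies the result by SHA256. To run it on the real dropped file, pass Pie.csv, the marker from the command line above and the Talismani.exe.com SHA256 from the Downloads section. Caveat: real findstr has line-length limits and quirks with binary input, so a hash mismatch means "reproduce on a Windows host" rather than "the sample is corrupt".

```python
"""Emulate `findstr /V /R "^MARKER$" Pie.csv > Talismani.exe.com`.

findstr /V prints every line that does NOT match; with the regex anchored by
^ and $, only lines that consist exactly of the marker are removed, and every
other byte of the decoy file passes through unchanged.
"""
import hashlib
import sys


def strip_marker_lines(data: bytes, marker: bytes) -> bytes:
    """Drop every line whose content is exactly `marker`, keeping all other
    bytes and their original line endings (\\n, \\r, \\r\\n) untouched."""
    kept = []
    for line in data.splitlines(keepends=True):
        if line.rstrip(b"\r\n") == marker:
            continue
        kept.append(line)
    return b"".join(kept)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def carve_and_verify(data: bytes, marker: bytes, expected_sha256: str) -> bool:
    """Carve the payload and confirm it is the file the sandbox actually ran."""
    return sha256_hex(strip_marker_lines(data, marker)) == expected_sha256.lower()


# Constructed sample (not the real dropped files): a fake PE-like payload that
# itself contains newline bytes, wrapped in a decoy with the marker line first.
MARKER = b"xEnQvhvTRxzjeevqkckuiiCkNbKORUyPRQVatfkfnjwAyOoOetjLAvuheheYDHwXfExjurWVlWIUuwuYfVMNHxgcJIdRjjMRkt"
PAYLOAD_SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"\n"                                   # a bare LF inside the binary survives
    b"This program cannot be run in DOS mode.\r\n"
    + MARKER + b" trailing text\r\n"        # marker plus extra text is NOT removed
    + b"\x00" * 32
)
DECOY_SAMPLE = MARKER + b"\r\n" + PAYLOAD_SAMPLE
PAYLOAD_SHA256 = sha256_hex(PAYLOAD_SAMPLE)

if __name__ == "__main__":
    if len(sys.argv) == 4:
        # usage: python carve.py Pie.csv <marker> <expected sha256 of the .exe.com>
        path, marker, expected = sys.argv[1], sys.argv[2].encode(), sys.argv[3]
        with open(path, "rb") as fh:
            print("match" if carve_and_verify(fh.read(), marker, expected) else "MISMATCH")
    else:
        print(strip_marker_lines(DECOY_SAMPLE, MARKER) == PAYLOAD_SAMPLE, PAYLOAD_SHA256)
```

Splitting on bytes rather than text matters here: decoding the decoy as a string would corrupt the payload, and keepends=True is what preserves the mix of LF and CRLF that a PE file happens to contain.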

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Declinante.csv

    Filesize

    1.1MB

    MD5

    3109ef25620ebfeceeb3c7030e72873a

    SHA1

    6179abc0b85f72399042b11a896bf5a78b8161b5

    SHA256

    29b7b4534ff0589c76a7c1704de5e0787a7412898464fa0560d94c6e9f8c3962

    SHA512

    22f0f9b8d308feed7c786c539856cb2c6ae2dda08e3c9874df68f79861ccb517e87d3b4e3409ce17a8706862ea85341362a3470a0a34ffb1fb5bb166276a8b3e

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ingannaste.csv

    Filesize

    478B

    MD5

    0828b2a143d24ff624ae6fb601d0f160

    SHA1

    96d3a0166afd7dc6c9ded43d8007650441892a58

    SHA256

    5c75de4d2d54dc79b774d06e5c500a26cb84da1bbbf13c5cf21cfabbe9724a32

    SHA512

    b69a4a9d7ff7f5f529c3eda0a154bfe82a5a8b054126e216060f0dd87fe71868f6077fa68f42d5ef3cab8c440f91c8b94071d756d792c2ec4d7fc7d1bdcda757

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pie.csv

    Filesize

    872KB

    MD5

    e1dfd628ee581746f7573507e5574c81

    SHA1

    390c3b5b376a96068005148d9fe930ef1861dcdc

    SHA256

    ec63d6c224e609176b69524c52ab8637ea488a096c509ee7ad27f5063001085f

    SHA512

    164f97935379e7f89dcf0e40bfeaadf9bd61eecebbb569d4d281b4bab3ade46e603c38404352e175f4f4f40e732d68829ce5d219b60a013f558e7d523dc5a296

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\Talismani.exe.com

    Filesize

    872KB

    MD5

    c56b5f0201a3b3de53e561fe76912bfd

    SHA1

    2a4062e10a5de813f5688221dbeb3f3ff33eb417

    SHA256

    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

    SHA512

    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

  • memory/2136-23-0x0000000004050000-0x0000000004099000-memory.dmp

    Filesize

    292KB

  • memory/2136-22-0x0000000004050000-0x0000000004099000-memory.dmp

    Filesize

    292KB

  • memory/2136-21-0x0000000004050000-0x0000000004099000-memory.dmp

    Filesize

    292KB

  • memory/2136-24-0x0000000004050000-0x0000000004099000-memory.dmp

    Filesize

    292KB

  • memory/2136-26-0x0000000004050000-0x0000000004099000-memory.dmp

    Filesize

    292KB

  • memory/2136-25-0x0000000004050000-0x0000000004099000-memory.dmp

    Filesize

    292KB