Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    26/11/2024, 12:07

General

  • Target

    a1d4a00d40b743474b8139546ece110f_JaffaCakes118.exe

  • Size

    2.6MB

  • MD5

    a1d4a00d40b743474b8139546ece110f

  • SHA1

    4e7e2c7b17c2fb290d27d837009c8f05c079ac74

  • SHA256

    2d14d5c3e92a152eb6e898425aa454627767ded243e565447ce0754b5281e25e

  • SHA512

    81b85aada6fad8ceae78bac6bdca57fab4015348e16bbd36736e92299fa0ad0eb19cbcde1b82ceb1824bad6188b30157ed3c1a1f61f864d5c52b69665936a581

  • SSDEEP

    49152:EE6+kYEl1ijHWDT6pdyxroQlIsa29TRLXkTtDdv69IVV6fZJMQZuuCVR5l2cQZp:Eyql1LDeGroeIsFhRLXkJd3VyClRBl2R

Malware Config

Extracted

Family

cryptbot

C2

pacbwn41.top

mortiq04.top

Attributes
  • payload_url

    http://zukicv06.top/download.php?file=lv.exe
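
The extracted configuration above yields two C2 domains and one payload URL; the natural next step for a detection engineer is to turn them into network rules. The following Python is an added example, not part of this report or of any sandbox tooling: it emits Suricata rules for those indicators. The SID range, the `msg` text, the exact-match (`bsize`) choice for DNS and the decision to match only the URI path (so a changed `file=` parameter still alerts) are this example's assumptions.

```python
"""Emit Suricata rules for the C2 domains and payload URL in the extracted config.
Added example; the SID range, msg text and rule shape are this example's choices."""
from urllib.parse import urlparse

# IOCs copied from the "Malware Config" section of this report.
C2_DOMAINS = ["pacbwn41.top", "mortiq04.top"]
PAYLOAD_URL = "http://zukicv06.top/download.php?file=lv.exe"


def dns_rule(domain, sid, family="CryptBot"):
    """Alert on a DNS query for exactly this name.

    bsize pins the query length so 'notpacbwn41.top' does not match; drop the
    bsize term (keep content + endswith) if subdomains should alert as well."""
    return (
        f'alert dns $HOME_NET any -> any any (msg:"{family} C2 domain lookup {domain}"; '
        f'dns.query; content:"{domain}"; nocase; bsize:{len(domain)}; '
        f'classtype:trojan-activity; sid:{sid}; rev:1;)'
    )


def http_rule(url, sid, family="CryptBot"):
    """Alert on the payload download: Host header plus URI path.

    The query string is deliberately not matched so a rotated file= value still
    hits. http.host is already lowercased by Suricata, so no nocase there."""
    u = urlparse(url)
    if u.scheme != "http":
        # Suricata only sees the URI of cleartext HTTP; for https use SNI or DNS.
        raise ValueError(f"cannot write an http rule for {u.scheme}://")
    return (
        f'alert http $HOME_NET any -> $EXTERNAL_NET any '
        f'(msg:"{family} payload download {u.netloc}{u.path}"; '
        f'flow:established,to_server; http.host; content:"{u.netloc}"; '
        f'http.uri; content:"{u.path}"; startswith; '
        f'classtype:trojan-activity; sid:{sid}; rev:1;)'
    )


def build_rules(domains, payload_url, base_sid=9000001):
    """One DNS rule per C2 domain, a DNS rule for the payload host if it is not
    already a C2 domain, then the HTTP rule; SIDs are sequential from base_sid."""
    rules = [dns_rule(d, base_sid + i) for i, d in enumerate(domains)]
    host = urlparse(payload_url).hostname
    if host and host not in domains:
        rules.append(dns_rule(host, base_sid + len(rules)))
    rules.append(http_rule(payload_url, base_sid + len(rules)))
    return rules


if __name__ == "__main__":
    print("\n".join(build_rules(C2_DOMAINS, PAYLOAD_URL)))
```

Load the output into a local rules file and run `suricata -T` against it before deploying; the SIDs above sit in the private range and must not collide with an existing local ruleset.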

Signatures

  • CryptBot

    CryptBot is a C++ information stealer that is widely distributed bundled with other software.

  • Cryptbot family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Themida packer 19 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

    Calling NtSetInformationThread with the ThreadHideFromDebugger information class stops debug events for that thread from reaching an attached debugger, a common anti-analysis technique.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
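
Taken together, the "Identifies VirtualBox via ACPI registry values", "Checks BIOS information in registry" and "Checks processor information in registry" signatures above describe one anti-sandbox routine: read a handful of HKLM\HARDWARE keys and look for hypervisor vendor strings. The Python below is an added example, not code recovered from the sample or from the sandbox, that reproduces that check offline so an analysis VM can be tested for the same leaks before detonating a sample. The key paths are standard Windows locations; which of them this particular build reads, and which marker strings it looks for, are this example's assumptions. The two registry snapshots are constructed, not taken from the report.

```python
"""Offline re-implementation of the registry-based VM/sandbox checks that the
report attributes to this sample (ACPI/VirtualBox, BIOS and processor data).
Added example for sandbox hardening; not code from the sample or the sandbox."""
import sys

# Standard HKLM key paths. Which ones a CryptBot build actually reads is this
# example's assumption based on the signature names in the report.
# "subkeys": the check looks at subkey names (ACPI table OEM IDs such as VBOX__).
# list of names: the check reads those string values.
REGISTRY_CHECKS = {
    r"HARDWARE\ACPI\DSDT": "subkeys",
    r"HARDWARE\ACPI\FADT": "subkeys",
    r"HARDWARE\ACPI\RSDT": "subkeys",
    r"HARDWARE\DESCRIPTION\System": ["SystemBiosVersion", "VideoBiosVersion"],
    r"HARDWARE\DESCRIPTION\System\BIOS": ["SystemManufacturer", "SystemProductName", "BIOSVendor"],
    r"HARDWARE\DESCRIPTION\System\CentralProcessor\0": ["ProcessorNameString", "Identifier"],
}

# Case-insensitive substrings that give a VM away. "virtual" is deliberately broad:
# this is a leak check for an analysis box, so over-reporting is the safe direction.
VM_MARKERS = ("vbox", "virtualbox", "innotek", "vmware", "qemu", "bochs", "xen", "virtual")


def _is_marked(text):
    lowered = text.lower()
    return any(marker in lowered for marker in VM_MARKERS)


def find_vm_artifacts(snapshot):
    """Return one 'key\\name = value' string per snapshot entry a VM check would hit.

    snapshot maps a key path to {"subkeys": [...]} or {"values": {name: str}}.
    Missing keys and values are skipped: absence is not evidence of a VM."""
    hits = []
    for key_path, what in REGISTRY_CHECKS.items():
        entry = snapshot.get(key_path, {})
        if what == "subkeys":
            for sub in entry.get("subkeys", []):
                if _is_marked(sub):
                    hits.append(f"{key_path}\\{sub} (subkey)")
        else:
            values = entry.get("values", {})
            for name in what:
                value = values.get(name)
                if value is not None and _is_marked(str(value)):
                    hits.append(f"{key_path}\\{name} = {value}")
    return hits


def snapshot_local_registry():
    """Collect the same keys from the live HKLM hive (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("live registry snapshot requires Windows")
    import winreg  # stdlib, Windows only
    snapshot = {}
    for key_path, what in REGISTRY_CHECKS.items():
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path)
        except OSError:
            continue
        with key:
            if what == "subkeys":
                subkeys = []
                index = 0
                while True:
                    try:
                        subkeys.append(winreg.EnumKey(key, index))
                    except OSError:
                        break
                    index += 1
                snapshot[key_path] = {"subkeys": subkeys}
            else:
                values = {}
                for name in what:
                    try:
                        data, _ = winreg.QueryValueEx(key, name)
                    except OSError:
                        continue
                    # REG_MULTI_SZ comes back as a list; flatten it for substring matching
                    values[name] = " ".join(data) if isinstance(data, list) else str(data)
                snapshot[key_path] = {"values": values}
    return snapshot


# Constructed snapshots (not from the report): an unhardened VirtualBox guest next to
# one whose identifying strings have been replaced with OEM-looking values.
LEAKY_VBOX_GUEST = {
    r"HARDWARE\ACPI\DSDT": {"subkeys": ["VBOX__"]},
    r"HARDWARE\DESCRIPTION\System": {"values": {"SystemBiosVersion": "VBOX   - 1"}},
    r"HARDWARE\DESCRIPTION\System\BIOS": {"values": {
        "SystemManufacturer": "innotek GmbH", "SystemProductName": "VirtualBox"}},
    r"HARDWARE\DESCRIPTION\System\CentralProcessor\0": {"values": {
        "ProcessorNameString": "Intel(R) Core(TM) i7-9700 CPU @ 3.00GHz"}},
}
HARDENED_GUEST = {
    r"HARDWARE\ACPI\DSDT": {"subkeys": ["DELL__"]},
    r"HARDWARE\DESCRIPTION\System": {"values": {"SystemBiosVersion": "DELL   - 1072009"}},
    r"HARDWARE\DESCRIPTION\System\BIOS": {"values": {
        "SystemManufacturer": "Dell Inc.", "SystemProductName": "OptiPlex 7070"}},
    r"HARDWARE\DESCRIPTION\System\CentralProcessor\0": {"values": {
        "ProcessorNameString": "Intel(R) Core(TM) i7-9700 CPU @ 3.00GHz"}},
}

if __name__ == "__main__":
    target = snapshot_local_registry() if sys.platform == "win32" else LEAKY_VBOX_GUEST
    for hit in find_vm_artifacts(target):
        print("VM artifact:", hit)
```

Run it inside the analysis guest: every line it prints is a string the sample could read the same way, and the hardening target is zero output. ACPI table OEM IDs come from the hypervisor firmware, so they are fixed through the hypervisor configuration rather than by editing the registry.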

Processes

  • C:\Users\Admin\AppData\Local\Temp\a1d4a00d40b743474b8139546ece110f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a1d4a00d40b743474b8139546ece110f_JaffaCakes118.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    PID:4036

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MxCafVBQbox\_Files\_Files\UnprotectSkip.txt

    Filesize

    600KB

    MD5

    0a879f01493fa4362ab1651668f500fc

    SHA1

    e0816fb6cf276f81993d976390abb26b70a1afdc

    SHA256

    cdcb04f55558cefc5450581e70f510d181029595bf74b61c5abfde07ed60abf5

    SHA512

    eaf6c53382b3f34b61133655b703c4281e6ae685df1e9bf1e30000718dcb0c88bad8b400b76fffa9bd02f393273f84d8d73c726f6ef74cc00a8e4e3fcc243ac0

  • C:\Users\Admin\AppData\Local\Temp\MxCafVBQbox\_Files\_Information.txt

    Filesize

    1KB

    MD5

    8553b0e11ad4bed405280fc12337145f

    SHA1

    ded7ef0b69f03d35c2c06cd7a30307c6ae2d6c67

    SHA256

    017fff0db6742e251fa7db068c7a4d01aaf0a7b1605ac90a1d0f073ac9c6cb60

    SHA512

    80c85ba64dee71fbb79d2d919612f0994843d163fbc5e4fb0109a9c6abe276848fcfaa536506bd100912aee32464f8198168f13f63c3964765087b31deb6a9c9

  • C:\Users\Admin\AppData\Local\Temp\MxCafVBQbox\_Files\_Information.txt

    Filesize

    1KB

    MD5

    67a1166bccf35e45cc136aac140dc8a7

    SHA1

    c3ff3b26e1d0558519ae67ec6d3bfd3fae7f7bc0

    SHA256

    b0189af98fde506f41a067a7d7963063684f22e0e310d5b4543d06328e65564e

    SHA512

    6bb8f0b392dde58a87eb280a3520feef3b8623d4732db6ea1a6cd2e0373248b1b27b40f60dc8cdc7a9ef70829d9ba003bb9470b7e6fc39180e1418ac385af88f

  • C:\Users\Admin\AppData\Local\Temp\MxCafVBQbox\_Files\_Information.txt

    Filesize

    4KB

    MD5

    d4b165c9565dec91e13b8d3650065d0a

    SHA1

    978dfe7de660280079afc69baddc82facf176604

    SHA256

    7f8498263200b81d6e6028721466d4e75072b5abde94c211d7a72680e84e6fb2

    SHA512

    d5c0a17b445367d924e6ca13af6abe055de1c8a99813728ce96752b30c45369c40ea96418673bd707cbcff860c4043f45e8dbd83ab9ade12d86a08ee69e77fdb

  • C:\Users\Admin\AppData\Local\Temp\MxCafVBQbox\_Files\_Screen_Desktop.jpeg

    Filesize

    53KB

    MD5

    3e7c53f1d9627ca141430baa1f0dab7b

    SHA1

    a891decafc1563e62fcb2aa11faa388979eedb73

    SHA256

    8feb6415fc72db95f753f2932495f56bae0cec81dd94a5526e7b09a0fbe3d5b0

    SHA512

    568ab18d37f81f3871a7904bf9fc3c5354635c4be0c3042035198711e0e0ef091cf845f8c0464f155999fef085155ed92184708ba16240f11b3844b6f8dde9dc

  • C:\Users\Admin\AppData\Local\Temp\MxCafVBQbox\rsTTjDErFswSB.zip

    Filesize

    649KB

    MD5

    b455b45c79e105d57b4d69fcfc3b4956

    SHA1

    7f2796a5b31425c14afb60f8e6dc276ad2501727

    SHA256

    9b79fa029f3302465b007fec4f917c1e75c050dfcd216140b1e4fb12f92b5273

    SHA512

    b017034486de62981d1c12fba4658a4249c79061f910fb70ae1b85ac823347a65734c64fbf04653fd65069ac4ba29f856c1572cd4708cf13b94485a9173996bf

  • memory/4036-128-0x0000000000CF0000-0x00000000013D4000-memory.dmp

    Filesize

    6.9MB

  • memory/4036-134-0x0000000000CF0000-0x00000000013D4000-memory.dmp

    Filesize

    6.9MB

  • memory/4036-5-0x0000000000CF0000-0x00000000013D4000-memory.dmp

    Filesize

    6.9MB

  • memory/4036-4-0x0000000000CF0000-0x00000000013D4000-memory.dmp

    Filesize

    6.9MB

  • memory/4036-120-0x0000000000CF0000-0x00000000013D4000-memory.dmp

    Filesize

    6.9MB

  • memory/4036-2-0x0000000000CF0000-0x00000000013D4000-memory.dmp

    Filesize

    6.9MB

  • memory/4036-0-0x0000000000CF0000-0x00000000013D4000-memory.dmp

    Filesize

    6.9MB

  • memory/4036-1-0x0000000077C44000-0x0000000077C46000-memory.dmp

    Filesize

    8KB

  • memory/4036-131-0x0000000000CF0000-0x00000000013D4000-memory.dmp

    Filesize

    6.9MB

  • memory/4036-3-0x0000000000CF0000-0x00000000013D4000-memory.dmp

    Filesize

    6.9MB

  • memory/4036-137-0x0000000000CF0000-0x00000000013D4000-memory.dmp

    Filesize

    6.9MB

  • memory/4036-140-0x0000000000CF0000-0x00000000013D4000-memory.dmp

    Filesize

    6.9MB

  • memory/4036-142-0x0000000000CF0000-0x00000000013D4000-memory.dmp

    Filesize

    6.9MB

  • memory/4036-145-0x0000000000CF0000-0x00000000013D4000-memory.dmp

    Filesize

    6.9MB

  • memory/4036-148-0x0000000000CF0000-0x00000000013D4000-memory.dmp

    Filesize

    6.9MB

  • memory/4036-150-0x0000000000CF0000-0x00000000013D4000-memory.dmp

    Filesize

    6.9MB

  • memory/4036-153-0x0000000000CF0000-0x00000000013D4000-memory.dmp

    Filesize

    6.9MB

  • memory/4036-156-0x0000000000CF0000-0x00000000013D4000-memory.dmp

    Filesize

    6.9MB

  • memory/4036-160-0x0000000000CF0000-0x00000000013D4000-memory.dmp

    Filesize

    6.9MB

  • memory/4036-163-0x0000000000CF0000-0x00000000013D4000-memory.dmp

    Filesize

    6.9MB
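
The Downloads section above shows the sample's working layout before exfiltration: a randomly named directory under %TEMP% (MxCafVBQbox) containing a `_Files` folder with `_Information.txt`, `_Screen_Desktop.jpeg` and a nested `_Files\_Files\` subfolder, plus a randomly named `.zip` written next to it. The following Python is an added hunting heuristic, not part of this report, that looks for that layout in a list of file paths (for example file-create events exported from an EDR). The marker file names are taken from the paths listed in this report and are not a published family signature; the benign paths are constructed to show what the heuristic ignores.

```python
"""Hunting heuristic for the stealer staging layout seen in the Downloads section:
a random directory under %TEMP% holding a _Files folder with _Information.txt,
_Screen_Desktop.jpeg and nested _Files\\_Files\\..., plus a random-named .zip next
to it (the archive that is later exfiltrated). Added example; the markers come from
the paths listed in this report, not from a published family signature."""
from collections import defaultdict

CONTAINER_DIR = "_files"
STAGING_MARKERS = {"_information.txt", "_screen_desktop.jpeg"}


def find_staging_roots(paths, min_markers=2, require_temp=True):
    """Group Windows paths by the directory that owns a _Files folder and return
    those that also hold >= min_markers marker files and a sibling .zip archive.

    Returns {root: {"markers": set, "zips": set, "files": list}}."""
    evidence = defaultdict(lambda: {"markers": set(), "zips": set(), "files": []})
    for path in paths:
        parts = path.split("\\")
        lowered = [p.lower() for p in parts]
        if CONTAINER_DIR in lowered:
            # Root is whatever sits above the first _Files component.
            root = "\\".join(parts[: lowered.index(CONTAINER_DIR)])
            evidence[root]["files"].append(path)
            if lowered[-1] in STAGING_MARKERS:
                evidence[root]["markers"].add(lowered[-1])
        elif lowered[-1].endswith(".zip"):
            # Archive written beside _Files, not inside it.
            evidence["\\".join(parts[:-1])]["zips"].add(parts[-1])

    hits = {}
    for root, ev in evidence.items():
        if len(ev["markers"]) < min_markers or not ev["zips"]:
            continue
        if require_temp and "\\temp" not in root.lower():
            continue
        hits[root] = ev
    return hits


# File paths as listed under "Downloads" in this report (de-duplicated), plus a few
# constructed benign paths that each share a single feature with the pattern.
OBSERVED_PATHS = [
    r"C:\Users\Admin\AppData\Local\Temp\MxCafVBQbox\_Files\_Files\UnprotectSkip.txt",
    r"C:\Users\Admin\AppData\Local\Temp\MxCafVBQbox\_Files\_Information.txt",
    r"C:\Users\Admin\AppData\Local\Temp\MxCafVBQbox\_Files\_Screen_Desktop.jpeg",
    r"C:\Users\Admin\AppData\Local\Temp\MxCafVBQbox\rsTTjDErFswSB.zip",
]
BENIGN_PATHS = [
    r"C:\Users\Admin\Downloads\quarterly_report.zip",
    r"C:\Users\Admin\Documents\_Files\notes.txt",
    r"C:\Users\Admin\AppData\Local\Temp\7zO8F2A1\_Information.txt",
]

if __name__ == "__main__":
    for root, ev in find_staging_roots(OBSERVED_PATHS + BENIGN_PATHS).items():
        print(f"staging root: {root}")
        print(f"  markers: {sorted(ev['markers'])}  archives: {sorted(ev['zips'])}")
        print(f"  {len(ev['files'])} staged files")
```

The heuristic requires all three features (marker files, a `_Files` container and a sibling archive) so that a lone `_Information.txt` or a random archive in %TEMP% does not fire; loosen `min_markers` or `require_temp` when hunting retrospectively over partial telemetry.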