Analysis
Max time kernel: 149s
Max time network: 151s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 26/11/2024, 12:07
Behavioral task: behavioral1
Sample: a1d4a00d40b743474b8139546ece110f_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: a1d4a00d40b743474b8139546ece110f_JaffaCakes118.exe
Size: 2.6MB
MD5: a1d4a00d40b743474b8139546ece110f
SHA1: 4e7e2c7b17c2fb290d27d837009c8f05c079ac74
SHA256: 2d14d5c3e92a152eb6e898425aa454627767ded243e565447ce0754b5281e25e
SHA512: 81b85aada6fad8ceae78bac6bdca57fab4015348e16bbd36736e92299fa0ad0eb19cbcde1b82ceb1824bad6188b30157ed3c1a1f61f864d5c52b69665936a581
SSDEEP: 49152:EE6+kYEl1ijHWDT6pdyxroQlIsa29TRLXkTtDdv69IVV6fZJMQZuuCVR5l2cQZp:Eyql1LDeGroeIsFhRLXkJd3VyClRBl2R
Malware Config
Extracted
Family: cryptbot
Domains:
  pacbwn41.top
  mortiq04.top
payload_url: http://zukicv06.top/download.php?file=lv.exe
Signatures

Cryptbot family

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (process: a1d4a00d40b743474b8139546ece110f_JaffaCakes118.exe)
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: a1d4a00d40b743474b8139546ece110f_JaffaCakes118.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: a1d4a00d40b743474b8139546ece110f_JaffaCakes118.exe)
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
YARA rule "themida" matched on the following memory resources:
  behavioral2/memory/4036-0-0x0000000000CF0000-0x00000000013D4000-memory.dmp
  behavioral2/memory/4036-2-0x0000000000CF0000-0x00000000013D4000-memory.dmp
  behavioral2/memory/4036-4-0x0000000000CF0000-0x00000000013D4000-memory.dmp
  behavioral2/memory/4036-5-0x0000000000CF0000-0x00000000013D4000-memory.dmp
  behavioral2/memory/4036-3-0x0000000000CF0000-0x00000000013D4000-memory.dmp
  behavioral2/memory/4036-120-0x0000000000CF0000-0x00000000013D4000-memory.dmp
  behavioral2/memory/4036-128-0x0000000000CF0000-0x00000000013D4000-memory.dmp
  behavioral2/memory/4036-131-0x0000000000CF0000-0x00000000013D4000-memory.dmp
  behavioral2/memory/4036-134-0x0000000000CF0000-0x00000000013D4000-memory.dmp
  behavioral2/memory/4036-137-0x0000000000CF0000-0x00000000013D4000-memory.dmp
  behavioral2/memory/4036-140-0x0000000000CF0000-0x00000000013D4000-memory.dmp
  behavioral2/memory/4036-142-0x0000000000CF0000-0x00000000013D4000-memory.dmp
  behavioral2/memory/4036-145-0x0000000000CF0000-0x00000000013D4000-memory.dmp
  behavioral2/memory/4036-148-0x0000000000CF0000-0x00000000013D4000-memory.dmp
  behavioral2/memory/4036-150-0x0000000000CF0000-0x00000000013D4000-memory.dmp
  behavioral2/memory/4036-153-0x0000000000CF0000-0x00000000013D4000-memory.dmp
  behavioral2/memory/4036-156-0x0000000000CF0000-0x00000000013D4000-memory.dmp
  behavioral2/memory/4036-160-0x0000000000CF0000-0x00000000013D4000-memory.dmp
  behavioral2/memory/4036-163-0x0000000000CF0000-0x00000000013D4000-memory.dmp
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: a1d4a00d40b743474b8139546ece110f_JaffaCakes118.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  PID 4036: a1d4a00d40b743474b8139546ece110f_JaffaCakes118.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: a1d4a00d40b743474b8139546ece110f_JaffaCakes118.exe)
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: a1d4a00d40b743474b8139546ece110f_JaffaCakes118.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: a1d4a00d40b743474b8139546ece110f_JaffaCakes118.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 4036: a1d4a00d40b743474b8139546ece110f_JaffaCakes118.exe
  PID 4036: a1d4a00d40b743474b8139546ece110f_JaffaCakes118.exe
Processes

C:\Users\Admin\AppData\Local\Temp\a1d4a00d40b743474b8139546ece110f_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a1d4a00d40b743474b8139546ece110f_JaffaCakes118.exe"
  PID: 4036
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Credential Access
  Credentials from Password Stores: 1
    Credentials from Web Browsers: 1
  Unsecured Credentials: 2
    Credentials In Files: 2
Downloads

Filesize: 600KB
MD5: 0a879f01493fa4362ab1651668f500fc
SHA1: e0816fb6cf276f81993d976390abb26b70a1afdc
SHA256: cdcb04f55558cefc5450581e70f510d181029595bf74b61c5abfde07ed60abf5
SHA512: eaf6c53382b3f34b61133655b703c4281e6ae685df1e9bf1e30000718dcb0c88bad8b400b76fffa9bd02f393273f84d8d73c726f6ef74cc00a8e4e3fcc243ac0

Filesize: 1KB
MD5: 8553b0e11ad4bed405280fc12337145f
SHA1: ded7ef0b69f03d35c2c06cd7a30307c6ae2d6c67
SHA256: 017fff0db6742e251fa7db068c7a4d01aaf0a7b1605ac90a1d0f073ac9c6cb60
SHA512: 80c85ba64dee71fbb79d2d919612f0994843d163fbc5e4fb0109a9c6abe276848fcfaa536506bd100912aee32464f8198168f13f63c3964765087b31deb6a9c9

Filesize: 1KB
MD5: 67a1166bccf35e45cc136aac140dc8a7
SHA1: c3ff3b26e1d0558519ae67ec6d3bfd3fae7f7bc0
SHA256: b0189af98fde506f41a067a7d7963063684f22e0e310d5b4543d06328e65564e
SHA512: 6bb8f0b392dde58a87eb280a3520feef3b8623d4732db6ea1a6cd2e0373248b1b27b40f60dc8cdc7a9ef70829d9ba003bb9470b7e6fc39180e1418ac385af88f

Filesize: 4KB
MD5: d4b165c9565dec91e13b8d3650065d0a
SHA1: 978dfe7de660280079afc69baddc82facf176604
SHA256: 7f8498263200b81d6e6028721466d4e75072b5abde94c211d7a72680e84e6fb2
SHA512: d5c0a17b445367d924e6ca13af6abe055de1c8a99813728ce96752b30c45369c40ea96418673bd707cbcff860c4043f45e8dbd83ab9ade12d86a08ee69e77fdb

Filesize: 53KB
MD5: 3e7c53f1d9627ca141430baa1f0dab7b
SHA1: a891decafc1563e62fcb2aa11faa388979eedb73
SHA256: 8feb6415fc72db95f753f2932495f56bae0cec81dd94a5526e7b09a0fbe3d5b0
SHA512: 568ab18d37f81f3871a7904bf9fc3c5354635c4be0c3042035198711e0e0ef091cf845f8c0464f155999fef085155ed92184708ba16240f11b3844b6f8dde9dc

Filesize: 649KB
MD5: b455b45c79e105d57b4d69fcfc3b4956
SHA1: 7f2796a5b31425c14afb60f8e6dc276ad2501727
SHA256: 9b79fa029f3302465b007fec4f917c1e75c050dfcd216140b1e4fb12f92b5273
SHA512: b017034486de62981d1c12fba4658a4249c79061f910fb70ae1b85ac823347a65734c64fbf04653fd65069ac4ba29f856c1572cd4708cf13b94485a9173996bf