growtopia | 4839de6c2774ef432d84630f204abe3b6505721a7aa1875bc523b10c1857e14d

General

Target

aa77429a62c8f4a59bdc82c5258c9123_JaffaCakes118.exe
Size

71KB
MD5

aa77429a62c8f4a59bdc82c5258c9123
SHA1

eb1508f0a2e3a5d86cb348e1760d86073d879255
SHA256

4839de6c2774ef432d84630f204abe3b6505721a7aa1875bc523b10c1857e14d
SHA512

1dfbedb0b43361d2daca1e2eb35930bac2b9945f640fd54a5bb9b026b9ba1f22959041170dd968daa58cdfff27f911e6048237db6b870941152bf4cccf78eadb
SSDEEP

1536:9syCnOnVDIiC0WqhOVqijqLGwXjwN7cxtWuf4kImOJI4kcIr:yjnOJIiJWqhMqSwX0N7cx9zOI4kc

Score

10^/10

growtopia discovery stealer

Malware Config

Extracted

Family

growtopia

C2

https://discord.com/api/webhooks/875342035450732574/VfRKUe0abDxr5_1cWoOMyQRCf1ABdhs1NhJZUSLZnx8ZgnVye6IKnRT5s7fVjsUbsi_X

Attributes

payload_url
https://cdn.discordapp.com/attachments/751900698802782343/751901202178113729/bdb1cfc204098a6920a413c3c5ddfb36.png

Signatures

Growtopia
Growtopa is an opensource modular stealer written in C#.
stealer growtopia
Growtopia family
growtopia

Suspicious use of SetThreadContext 1 IoCs

Processes:

aa77429a62c8f4a59bdc82c5258c9123_JaffaCakes118.exe

description	pid	Process	procid_target
PID 1620 set thread context of 2964	1620	aa77429a62c8f4a59bdc82c5258c9123_JaffaCakes118.exe	32

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
2608	2964	WerFault.exe	32

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

aa77429a62c8f4a59bdc82c5258c9123_JaffaCakes118.exeRegAsm.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aa77429a62c8f4a59bdc82c5258c9123_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

aa77429a62c8f4a59bdc82c5258c9123_JaffaCakes118.exe

pid	Process
1620	aa77429a62c8f4a59bdc82c5258c9123_JaffaCakes118.exe
1620	aa77429a62c8f4a59bdc82c5258c9123_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

aa77429a62c8f4a59bdc82c5258c9123_JaffaCakes118.exe

description	pid	Process
Token: SeDebugPrivilege	1620	aa77429a62c8f4a59bdc82c5258c9123_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

aa77429a62c8f4a59bdc82c5258c9123_JaffaCakes118.exeRegAsm.exe

description	pid	Process	procid_target
PID 1620 wrote to memory of 2780	1620	aa77429a62c8f4a59bdc82c5258c9123_JaffaCakes118.exe	31
PID 1620 wrote to memory of 2780	1620	aa77429a62c8f4a59bdc82c5258c9123_JaffaCakes118.exe	31
PID 1620 wrote to memory of 2780	1620	aa77429a62c8f4a59bdc82c5258c9123_JaffaCakes118.exe	31
PID 1620 wrote to memory of 2780	1620	aa77429a62c8f4a59bdc82c5258c9123_JaffaCakes118.exe	31
PID 1620 wrote to memory of 2780	1620	aa77429a62c8f4a59bdc82c5258c9123_JaffaCakes118.exe	31
PID 1620 wrote to memory of 2780	1620	aa77429a62c8f4a59bdc82c5258c9123_JaffaCakes118.exe	31
PID 1620 wrote to memory of 2780	1620	aa77429a62c8f4a59bdc82c5258c9123_JaffaCakes118.exe	31
PID 1620 wrote to memory of 2964	1620	aa77429a62c8f4a59bdc82c5258c9123_JaffaCakes118.exe	32
PID 1620 wrote to memory of 2964	1620	aa77429a62c8f4a59bdc82c5258c9123_JaffaCakes118.exe	32
PID 1620 wrote to memory of 2964	1620	aa77429a62c8f4a59bdc82c5258c9123_JaffaCakes118.exe	32
PID 1620 wrote to memory of 2964	1620	aa77429a62c8f4a59bdc82c5258c9123_JaffaCakes118.exe	32
PID 1620 wrote to memory of 2964	1620	aa77429a62c8f4a59bdc82c5258c9123_JaffaCakes118.exe	32
PID 1620 wrote to memory of 2964	1620	aa77429a62c8f4a59bdc82c5258c9123_JaffaCakes118.exe	32
PID 1620 wrote to memory of 2964	1620	aa77429a62c8f4a59bdc82c5258c9123_JaffaCakes118.exe	32
PID 1620 wrote to memory of 2964	1620	aa77429a62c8f4a59bdc82c5258c9123_JaffaCakes118.exe	32
PID 1620 wrote to memory of 2964	1620	aa77429a62c8f4a59bdc82c5258c9123_JaffaCakes118.exe	32
PID 1620 wrote to memory of 2964	1620	aa77429a62c8f4a59bdc82c5258c9123_JaffaCakes118.exe	32
PID 1620 wrote to memory of 2964	1620	aa77429a62c8f4a59bdc82c5258c9123_JaffaCakes118.exe	32
PID 1620 wrote to memory of 2964	1620	aa77429a62c8f4a59bdc82c5258c9123_JaffaCakes118.exe	32
PID 2964 wrote to memory of 2608	2964	RegAsm.exe	34
PID 2964 wrote to memory of 2608	2964	RegAsm.exe	34
PID 2964 wrote to memory of 2608	2964	RegAsm.exe	34
PID 2964 wrote to memory of 2608	2964	RegAsm.exe	34

C:\Users\Admin\AppData\Local\Temp\aa77429a62c8f4a59bdc82c5258c9123_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aa77429a62c8f4a59bdc82c5258c9123_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:2780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 856
    3⤵
    - Program crash
    PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1620-0-0x0000000073F1E000-0x0000000073F1F000-memory.dmp

Filesize
4KB

Download
memory/1620-1-0x0000000001160000-0x0000000001176000-memory.dmp

Filesize
88KB

Download
memory/1620-2-0x0000000073F10000-0x00000000745FE000-memory.dmp

Filesize
6.9MB

Download
memory/1620-3-0x0000000073F10000-0x00000000745FE000-memory.dmp

Filesize
6.9MB

Download
memory/1620-4-0x00000000003A0000-0x00000000003AE000-memory.dmp

Filesize
56KB

Download
memory/1620-17-0x0000000073F10000-0x00000000745FE000-memory.dmp

Filesize
6.9MB

Download
memory/2964-12-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2964-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2964-9-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2964-8-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2964-7-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2964-16-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2964-14-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2964-5-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads