Overview

overview

10

Static

static

1

ac1eec7ed2...18.exe

windows7-x64

10

ac1eec7ed2...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    28-11-2024 11:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ac1eec7ed21f24d15b47eeb754f40ebe_JaffaCakes118.exe

  • Size

    964KB

  • MD5

    ac1eec7ed21f24d15b47eeb754f40ebe

  • SHA1

    4ddfcf906a754c96d92c63dfc8fbf65bac8271fe

  • SHA256

    501c0162355dee7aef140c1d26e3424e4e3fce34fca4776fb74f89e450c726e8

  • SHA512

    dbb1bc5a028651eb567f5f9b5635f37fd02efa8aa8548ed2f21a3b03e73534ab7ad16bea67eea71bb2636f238fb74497401d8aaeba82545acfb0425cfaff7777

  • SSDEEP

    24576:ZwiC/zGeGGIJk6u2Ir7Y/qV4BsjPsW0IYTIH9ASRrn:ZwicIJ8Q/daTsCYTw

Score
10/10
cryptbotdiscoverypersistencespywarestealer

Malware Config

Signatures

  • CryptBot

    CryptBot is a C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • Cryptbot family
    cryptbot
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ac1eec7ed21f24d15b47eeb754f40ebe_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ac1eec7ed21f24d15b47eeb754f40ebe_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2404
    • C:\Windows\SysWOW64\dllhost.exe
      dllhost.exe
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2576
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c cmd < Ricordate.vsdm
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2084
      • C:\Windows\SysWOW64\cmd.exe
        cmd
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2108
        • C:\Windows\SysWOW64\findstr.exe
          findstr /V /R "^QWHLUKuiiDFIhiRyCPjdFJNtltqqpnGWMhmyxpaEILzHfdHrBCugXdnupCAQJyYJWIWqHMLavIIUfyPTvXmHa$" Illusione.vsdm
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2240
        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Suoi.exe.com
          Suoi.exe.com V
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:2124
          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Suoi.exe.com
            C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Suoi.exe.com V
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Checks processor information in registry
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:2868
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\tKQstyUwFr & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Suoi.exe.com"
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2824
              • C:\Windows\SysWOW64\timeout.exe
                timeout 4
                7⤵
                • System Location Discovery: System Language Discovery
                • Delays execution with timeout.exe
                PID:2644
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2772

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Illusione.vsdm
    Filesize

    872KB

    MD5

    109f787615bbe467bc1e4fe223c64cd5

    SHA1

    ce3aacc8542a180c49f81910c67bdd410f1a9aa5

    SHA256

    e73d322be366b7d0ef65f202fce5744a2bb66e7dfeb4845c75612c064a2dfb45

    SHA512

    2409e35db56292fcb511d366cfa0bc8c27aa46f9c44562be76cbbb9d74bc4a1f9fe1117a5baa2927b47eedf3dbfb7b2af6f95cf663e92b4e51a9fed7216b0d9d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ricordate.vsdm
    Filesize

    369B

    MD5

    fde57daa71c28252665c4b580ff34c5c

    SHA1

    499743b480a84e323da62545b15c37d5b40af210

    SHA256

    bd21fc1f1de4e42951bebd3df3605fb59791934916b48334b79076b331803b25

    SHA512

    5af3f7056fd234f6806202da8d829841c6d6ffe023c003d2e97ed731b730d0b71c064c159a4a8f3106f31840167d9829c346ede593cd8945c20ebaf0a645a426

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sul.vsdm
    Filesize

    1.1MB

    MD5

    ebd410b00fb7f35dd4085899c639aead

    SHA1

    f02331585123a2c0cd6c636912281d6657b8e58c

    SHA256

    fb8fd58158d33e6f1781fef18f0c15657db81ee3d9b177ef816720cbd797f214

    SHA512

    fe4c195c3df38f2cae2b033696dd9e72bc4af6230002d3f9ea3cf31a593a3c6d3c944704d432c7c2744c77c4fb48f36da6a09e0aa4a3e8c609481cd0e853d8dc

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\Suoi.exe.com
    Filesize

    872KB

    MD5

    c56b5f0201a3b3de53e561fe76912bfd

    SHA1

    2a4062e10a5de813f5688221dbeb3f3ff33eb417

    SHA256

    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

    SHA512

    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

    Download Submit

  • memory/2868-21-0x0000000003F30000-0x0000000003F79000-memory.dmp

    Filesize

    292KB

    Download

  • memory/2868-23-0x0000000003F30000-0x0000000003F79000-memory.dmp

    Filesize

    292KB

    Download

  • memory/2868-22-0x0000000003F30000-0x0000000003F79000-memory.dmp

    Filesize

    292KB

    Download

  • memory/2868-25-0x0000000003F30000-0x0000000003F79000-memory.dmp

    Filesize

    292KB

    Download

  • memory/2868-24-0x0000000003F30000-0x0000000003F79000-memory.dmp

    Filesize

    292KB

    Download

  • memory/2868-26-0x0000000003F30000-0x0000000003F79000-memory.dmp

    Filesize

    292KB

    Download