Analysis
max time kernel: 146s
max time network: 149s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 02-12-2024 17:31
Static task: static1
Behavioral task: behavioral1
Sample: b9603bc9734cc8f5a19cea4c717970ab_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: b9603bc9734cc8f5a19cea4c717970ab_JaffaCakes118.exe
Size: 602KB
MD5: b9603bc9734cc8f5a19cea4c717970ab
SHA1: 33675c412f39535a1e39c4d4d900ff5b224aed9e
SHA256: ee868c21339f7b0d6c1fcbe27769b583d3a17b11dc5f39862defef456a4a8df5
SHA512: 25bc956decaada8d3d0ed1739644c56dc2f2272904334c6638b4e6fa0312eb58de474e46328059430e6e0b06788d87422dbf667ac22eed7e0dee836eadcffdff
SSDEEP: 12288:3uBqDLOHBcaqQOftyYMRxFP0/6ySMyQlA/P5391ak5mT6iq3ekVhtG9C5Gxaq:iqD9aqQOLMrqXSwaHNGzZq3eko9H1
Malware Config
Extracted
cryptbot
lysvay12.top
moroer01.top
payload_url: http://damuxa01.top/download.php?file=lv.exe
Signatures

CryptBot payload (6 IoCs)
resource | yara_rule
behavioral1/memory/2936-2-0x0000000000310000-0x00000000003B0000-memory.dmp | family_cryptbot
behavioral1/memory/2936-3-0x0000000000400000-0x00000000004A3000-memory.dmp | family_cryptbot
behavioral1/memory/2936-4-0x0000000000400000-0x0000000002CCC000-memory.dmp | family_cryptbot
behavioral1/memory/2936-222-0x0000000000310000-0x00000000003B0000-memory.dmp | family_cryptbot
behavioral1/memory/2936-225-0x0000000000400000-0x00000000004A3000-memory.dmp | family_cryptbot
behavioral1/memory/2936-224-0x0000000000400000-0x0000000002CCC000-memory.dmp | family_cryptbot

Cryptbot family
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b9603bc9734cc8f5a19cea4c717970ab_JaffaCakes118.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | b9603bc9734cc8f5a19cea4c717970ab_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | b9603bc9734cc8f5a19cea4c717970ab_JaffaCakes118.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
2936 | b9603bc9734cc8f5a19cea4c717970ab_JaffaCakes118.exe
2936 | b9603bc9734cc8f5a19cea4c717970ab_JaffaCakes118.exe
Processes
C:\Users\Admin\AppData\Local\Temp\b9603bc9734cc8f5a19cea4c717970ab_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b9603bc9734cc8f5a19cea4c717970ab_JaffaCakes118.exe"
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  PID: 2936
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 24KB
MD5: abd31e2c0348ac13238f309a43bec4d0
SHA1: 8c2409ef77099a9941c827eecadda31b891ee9f0
SHA256: 2ee26e446c97b606241942d81f44db55ecd880d67e115826fa4296c3d2221dc2
SHA512: de9c0bf91c03cd9e75fbd0f215020189a8340ea4b75763cd042996559712db50fb440eb32b279ed84492c41f61fee909dd5e924f619e27ab0892bf90ed1df3df

Filesize: 1KB
MD5: e44b82a9da2da9b566936332caae48e7
SHA1: 96c2b84eb7a9a48b720eb93ff2f30525c7a32738
SHA256: 93fbf8cc4791d89e2d1aa941eee7eda5861c1f8cb1f1ad1ccb8af35750825206
SHA512: 2d2a77187e810b53f679ac271d1035069664bdcf4e8a65db313bc214dab3fc07b298f998ea1dea30565702fd10baab9862e82a24f2863dac17734e89127d588c

Filesize: 3KB
MD5: 927d5439e3ab426099210dc305ee8eea
SHA1: 373e52982f742db522f964bc691a32f7bb136d4d
SHA256: 767b06a8f8a7be1f7383c152b0e9ca77fd794a58110c85e71c49a446db40b0a3
SHA512: 98dde77f8028f7cc39b8341adb3fb2a0efb9e5aa9974fb7d3995bbdc502cba862f569b17c9cc6009183d5421af9ab3d6988f14018e4e5b7be44ededa42ffdb48

Filesize: 3KB
MD5: 9911e7073ceb66da4de22e0d5f355e49
SHA1: 9276a27b56933f7e80ffc4e61d15d3fdf36f04d7
SHA256: dcaf4889ffcbe5765a0cfb590474f8ee1157da8fe8abe0ee3a7d345e766487d6
SHA512: 31318fb0ecf21936dee4f9115ab8288e0c8c61e68a2591ceedce36991be99660a94ed39648e547be52aac7ea341970d98d36a920b1e997106fd86267d0c185ca

Filesize: 4KB
MD5: 79a87ffb2279f7f432fe3fde913bed52
SHA1: 15ce148185e396724a318cdc8abd895fb0a26bc2
SHA256: de279794e63ef7c4beac5a43749175cb8b6f9de60828e2bed88dbd99a32d1633
SHA512: 75e420c5d1feda7817fa5d6a8d8125ba7730eabf703bd6eda5ed661823ea812b763bc76d7cc4078bd7c332c19ee52b7b03cf6e7125a74ea228fd8f35c9b30ce4

Filesize: 32KB
MD5: cdb2fc068da8847157295561ee1d1761
SHA1: 05f584c7e50b9131450316c8620ca6c33424549d
SHA256: 8fc6ba192cbc2d67c225c648ca479c5644122d268ccc0e894cb8bccf185aebc5
SHA512: 99b8de0d7d88da00bd682908556d6c6623aea7a6a32f619b31f2bcc75259ee1ed569dbfacf8a99265074b8783dc426aa8f97685744f37ae2c1ca78b6b27e8c82

Filesize: 1KB
MD5: 85d6db2d0284e8df17ff8e7b89d47754
SHA1: 35eb1306a1ef495ba3de08a3b2dd2aebe072ddef
SHA256: fd533b650402217be265e708605a3fe2250d66495d2e048a5925996e2750b2da
SHA512: c6108554b34c9c1d032d78a29a9e7bcf73110ab5112b8358b3a3056b02349bdae03ee5c76be6440b7c8c8c17bb1b62bbdec0ef1d46be8c641203a5a5164f2f2e

Filesize: 3KB
MD5: 39c3615140d7f0d502fd3cf16c734210
SHA1: 44d361e91165a9b0f9bec06b8bf6f5e480f3c14a
SHA256: dbb30fab89f878906dc413e9ffffec8eee2123e6c543d2102e60b900b81ee800
SHA512: 3f24ed4b0d1afd781a5c62198d6e9948701f74debf180828bdca5604a44e04df281b9e05fa3ed96668ca1637e5f51a3e1e52cbbe3b532509a4809a658458a444

Filesize: 3KB
MD5: 40e5c07a0d0bda5db1cf49ca56b1ca7c
SHA1: 008433311c59a265ad0c45e59a44c76aa622154e
SHA256: ff8dd6dc26cca6367ba1dffbf403a19ead70f6aff2fa314d811fb500f3b14c1b
SHA512: 71b701c1dcb8b5da673dd425e1fec182f22e32754005fcf25ec4ee7365416f29f96ead2e31857c3f2adf4253367bbfece188807f0963c65524118db8c3e68235

Filesize: 4KB
MD5: a9ce4c35f15689467c1e8e4ee1f71c54
SHA1: 102335a3d70d4653c8c336aeb45159c51f594078
SHA256: 73f58b13229dd8c35eaf9f12d70cc4e7ebd74f541ef52b96a4d17f8538cd1a3b
SHA512: 1067f9cba9493737b9a38a3ce109314fbbb4411a130ce046d6b812187eb03db442ac294ef7f41db9b4bc2020a01d0ad577e659dd0d693e04988f54825a7b8feb