Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

b9d0201d96...18.exe

windows7-x64

10

b9d0201d96...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    114s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/12/2024, 19:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b9d0201d96bf236e37d58605857b6879_JaffaCakes118.exe

  • Size

    555KB

  • MD5

    b9d0201d96bf236e37d58605857b6879

  • SHA1

    3733174095b7b94f73d2f866f03503ed19477ad9

  • SHA256

    a916a084fce6071fb264808dccdf11e97ab1eb67b804634e2d98411aef86dcad

  • SHA512

    6f3f3f47ab022f108d9939fedf1fa36386ec6e8426ebd370390c9a8918b5d8b1de0b97e6b388f0b78dfff2640ebce5d7b5991222f8a91c7ef733a7bd2b53d092

  • SSDEEP

    12288:3DWzZctGgmU79XFj/Zr1oF9UhkSYOpxHB7ZkyfRmQKys1RIY:aWUgmIRBx7xHB7ZRf2ysIY

Score
10/10
cryptbotdiscoveryspywarestealer

Malware Config

Extracted

Family

cryptbot

C2

haipuo52.top

morbaq05.top
Attributes
  • payload_url

    http://zelveu07.top/download.php?file=lv.exe

Signatures

  • CryptBot

    CryptBot is a C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • CryptBot payload 5 IoCs
  • Cryptbot family
    cryptbot
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b9d0201d96bf236e37d58605857b6879_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b9d0201d96bf236e37d58605857b6879_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4616
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\cjz6vbo & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\b9d0201d96bf236e37d58605857b6879_JaffaCakes118.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3236
      • C:\Windows\SysWOW64\timeout.exe
        timeout 2
        3⤵
        • System Location Discovery: System Language Discovery
        • Delays execution with timeout.exe
        PID:5116
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 1864
      2⤵
      • Program crash
      PID:2028
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4616 -ip 4616
    1⤵
      PID:4624

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\cjz6vbo\2XoafAPMYr7.zip
      Filesize

      44KB

      MD5

      d4befcf8b1b3331a606da2253e778a70

      SHA1

      8d9f240500a828c9c987e4d473d1dc503c119461

      SHA256

      0c9562025c576313d572fbf660cf26182b0d3e1408ff7058fad7432b76b97608

      SHA512

      e3bf3dee72cdefc98996932f6becf14a226bd27eaa1211389821e7e9f7ca4d6e36db6dc474998112de3fcec448bb5404be350d13c006e6e7af0102461ba142ba

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\cjz6vbo\QWIFES~1.ZIP
      Filesize

      44KB

      MD5

      8c1b8d2a49934946e0dc5747a2dc45cf

      SHA1

      3b2df2bdc9fa97353b055f7d44db7448b4c160ca

      SHA256

      b84316bfcc7cd396c5d2e3406b868edfa3642246eea2d0b03cb77a0390d7e1f8

      SHA512

      50cdb320db37674893e77cddd996cc8570d6b664dcb2ca44c0f83fbde0d8be2fb981add3f1769d080dbff21fbd7ffcebcb3c608f045f80bc87e61da1607947cc

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\cjz6vbo\_Files\_INFOR~1.TXT
      Filesize

      7KB

      MD5

      43f1099b29678075fa46be36e542ede8

      SHA1

      c8017bef3113668f256fd5d0302af0a60b6e2fb3

      SHA256

      f9ae18552c4abc064f517ca1d5cef2033b2fbc2d5b3a0c8954c5dda8164ff29e

      SHA512

      8700d4316aa5c6c32e27ce5e3344d1d210d5f26a0924872cb0a6206ca9593a9914e9af397c123413bd99020409e60e9e5488dff3f3148dfb5a9931feee8dc24b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\cjz6vbo\_Files\_Information.txt
      Filesize

      1KB

      MD5

      345035e72aa1e3cdae706064ff980b08

      SHA1

      d70bd2e03a87cea45887152416a60326a591523c

      SHA256

      b83136b7fd217cf40b2de9be71a14197e145ed423e0d36b7d26479ea723feed4

      SHA512

      80d9dffa2e40c45cf52fe22164bdb038da82fc2e4a8458518e512c530c812a497db6c6cb87f5f8619aa7ebe9708452bcb2e48ee0eab97d8e144489bbbdfd374d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\cjz6vbo\_Files\_Information.txt
      Filesize

      5KB

      MD5

      1f12cafe0ae9de8c291f26ed4325d61c

      SHA1

      dfd2f95ffc59a1e40b09fb9faca7623b52bed9e0

      SHA256

      7d5958f55d886978f528bed029fe22bfa6847e5b48aca74f41b0514c9e306d94

      SHA512

      58e7e5824b17b9678f5c3356e908c7482ccdf6ee138781430142a7e213e380999120f28bfd3590297d7bcb47ded84f4afbefc03ee1d950f909185fa5f197e8c1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\cjz6vbo\_Files\_Screen_Desktop.jpeg
      Filesize

      50KB

      MD5

      02d8fec6da872ea7080dd5714dd8778c

      SHA1

      75a0c05414edac9ab279028528ab2a105479542c

      SHA256

      474f5777de012dadffb48f25ec2c3873573a45e3cb9f747c3bd11eed5bd92aa6

      SHA512

      de9d151e2e4a928a2f04113c5e24088de6051f4db475652e0ed255b47a7274c9e9bb37fe93c88830e73bda73aa3159d78cffeeaaa382d43a10e8a8a73c0c60c0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\cjz6vbo\files_\SYSTEM~1.TXT
      Filesize

      7KB

      MD5

      b93d7d2f7cd70f6ce02ee4036c912584

      SHA1

      de0d8bafb62e67eb72598dceed6faa6b279c1598

      SHA256

      24a67feada78c158a149c25c30a30f6e0abb233ca5b9608b4b1a59ed2e392916

      SHA512

      3ae562d87b392b577ec1e01686bcd92c7888dfb079031d9dddc78c77bb54e064f9991272eaa06c197074f8d9fc67ff165712cbf93c60fa607bd9a5e2258b5426

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\cjz6vbo\files_\system_info.txt
      Filesize

      1KB

      MD5

      8f45e6e0700ea20e5827b4117de46fc4

      SHA1

      2dd873a3dbafa50efdb65480a108c1e3ab923099

      SHA256

      2f6e720788fc91beabfa30d7b18bfe9c1d53d7907c45eeb29947755c827be376

      SHA512

      9a9b97a5001495cfeeee7c7ee0cf12fd9da8a038f65ddbdba35673417f510d48fe698396680dfd0ec0e7d6c8994a6ac4388f6bca1aa3e64ee6431625af9701c8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\cjz6vbo\files_\system_info.txt
      Filesize

      5KB

      MD5

      142ff4363de5a8cbc9ba53c4a6d8fe4c

      SHA1

      9e549a26cff930332f0dc4598a93e1046a6127c8

      SHA256

      939a64631efcdd841dae0c05270220c8297f8d015dff0b4ad4462bdde032b5e0

      SHA512

      fc5d218fc7c50f283d63f13b9d25040db275646cead3680f5f195477c4d84682f3940ba0ebe9302d90bc5565edd9b179a549eeb4e57f981958dbc7bc9d9c684c

      Download Submit

    • memory/4616-217-0x0000000002DF0000-0x0000000002EF0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/4616-219-0x0000000004A60000-0x0000000004B00000-memory.dmp

      Filesize

      640KB

      Download

    • memory/4616-218-0x0000000000400000-0x0000000002CC2000-memory.dmp

      Filesize

      40.8MB

      Download

    • memory/4616-221-0x0000000000400000-0x00000000004A3000-memory.dmp

      Filesize

      652KB

      Download

    • memory/4616-1-0x0000000002DF0000-0x0000000002EF0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/4616-3-0x0000000000400000-0x00000000004A3000-memory.dmp

      Filesize

      652KB

      Download

    • memory/4616-2-0x0000000004A60000-0x0000000004B00000-memory.dmp

      Filesize

      640KB

      Download