Analysis

max time kernel: 119s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 23-12-2024 21:03
Static task: static1

Behavioral task: behavioral1
Sample: JaffaCakes118_76c74d2a50b94ab04b20a428d73503f41f9750d40ed5825087ac828a1b7d8a09.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: JaffaCakes118_76c74d2a50b94ab04b20a428d73503f41f9750d40ed5825087ac828a1b7d8a09.exe
Resource: win10v2004-20241007-en
General

Target: JaffaCakes118_76c74d2a50b94ab04b20a428d73503f41f9750d40ed5825087ac828a1b7d8a09.exe
Size: 404KB
MD5: 51ea626694e3b7e8ca40d6cd36730b62
SHA1: 7db3674b4878364f5710436533c2e6ea63a68178
SHA256: 76c74d2a50b94ab04b20a428d73503f41f9750d40ed5825087ac828a1b7d8a09
SHA512: 6a978ef984c96346a2de60a6d7f160e18d4f93180b0ee463025c9fe1b19c39f4b0b1a420a2b12ac5b695823f04d36fe434f614953d82f438ca633e01cb31f163
SSDEEP: 6144:GL+/x0wNWY9QjIO0SIOZYcQJnLhhz0PT2lSCJoQI/6NtvncMy:GLYxKXr5Izc+Lhhz0PT2ICJosNtvn
Malware Config

Extracted
Family: cryptbot
unic15m.top
unic15e.top
Signatures

Cryptbot family

Deletes itself (1 IoC)
pid | Process
2560 | cmd.exe

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_76c74d2a50b94ab04b20a428d73503f41f9750d40ed5825087ac828a1b7d8a09.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | JaffaCakes118_76c74d2a50b94ab04b20a428d73503f41f9750d40ed5825087ac828a1b7d8a09.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | JaffaCakes118_76c74d2a50b94ab04b20a428d73503f41f9750d40ed5825087ac828a1b7d8a09.exe

Delays execution with timeout.exe (1 IoC)
pid | Process
2164 | timeout.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 2900 wrote to memory of 2560 | 2900 | JaffaCakes118_76c74d2a50b94ab04b20a428d73503f41f9750d40ed5825087ac828a1b7d8a09.exe | 28
PID 2900 wrote to memory of 2560 | 2900 | JaffaCakes118_76c74d2a50b94ab04b20a428d73503f41f9750d40ed5825087ac828a1b7d8a09.exe | 28
PID 2900 wrote to memory of 2560 | 2900 | JaffaCakes118_76c74d2a50b94ab04b20a428d73503f41f9750d40ed5825087ac828a1b7d8a09.exe | 28
PID 2900 wrote to memory of 2560 | 2900 | JaffaCakes118_76c74d2a50b94ab04b20a428d73503f41f9750d40ed5825087ac828a1b7d8a09.exe | 28
PID 2560 wrote to memory of 2164 | 2560 | cmd.exe | 30
PID 2560 wrote to memory of 2164 | 2560 | cmd.exe | 30
PID 2560 wrote to memory of 2164 | 2560 | cmd.exe | 30
PID 2560 wrote to memory of 2164 | 2560 | cmd.exe | 30
Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_76c74d2a50b94ab04b20a428d73503f41f9750d40ed5825087ac828a1b7d8a09.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_76c74d2a50b94ab04b20a428d73503f41f9750d40ed5825087ac828a1b7d8a09.exe"
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID:2900

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\ryDxsKNEICQn & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_76c74d2a50b94ab04b20a428d73503f41f9750d40ed5825087ac828a1b7d8a09.exe"
    - Deletes itself
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2560

    C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 4
      - System Location Discovery: System Language Discovery
      - Delays execution with timeout.exe
      PID:2164