Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-12-2024 21:03

Static task: static1

Behavioral task: behavioral1
- Sample: JaffaCakes118_76c74d2a50b94ab04b20a428d73503f41f9750d40ed5825087ac828a1b7d8a09.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: JaffaCakes118_76c74d2a50b94ab04b20a428d73503f41f9750d40ed5825087ac828a1b7d8a09.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_76c74d2a50b94ab04b20a428d73503f41f9750d40ed5825087ac828a1b7d8a09.exe
- Size: 404KB
- MD5: 51ea626694e3b7e8ca40d6cd36730b62
- SHA1: 7db3674b4878364f5710436533c2e6ea63a68178
- SHA256: 76c74d2a50b94ab04b20a428d73503f41f9750d40ed5825087ac828a1b7d8a09
- SHA512: 6a978ef984c96346a2de60a6d7f160e18d4f93180b0ee463025c9fe1b19c39f4b0b1a420a2b12ac5b695823f04d36fe434f614953d82f438ca633e01cb31f163
- SSDEEP: 6144:GL+/x0wNWY9QjIO0SIOZYcQJnLhhz0PT2lSCJoQI/6NtvncMy:GLYxKXr5Izc+Lhhz0PT2ICJosNtvn

Malware Config
Extracted: cryptbot
- unic15m.top
- unic15e.top
Signatures
- Cryptbot family
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Unsecured Credentials: Credentials In Files (1 TTPs)
  Steals credentials from unsecured files.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - description: Key opened
    ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    Process: JaffaCakes118_76c74d2a50b94ab04b20a428d73503f41f9750d40ed5825087ac828a1b7d8a09.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  - description: Key opened
    ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
    Process: JaffaCakes118_76c74d2a50b94ab04b20a428d73503f41f9750d40ed5825087ac828a1b7d8a09.exe
  - description: Key value queried
    ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
    Process: JaffaCakes118_76c74d2a50b94ab04b20a428d73503f41f9750d40ed5825087ac828a1b7d8a09.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_76c74d2a50b94ab04b20a428d73503f41f9750d40ed5825087ac828a1b7d8a09.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_76c74d2a50b94ab04b20a428d73503f41f9750d40ed5825087ac828a1b7d8a09.exe"
  Signatures: System Location Discovery: System Language Discovery; Checks processor information in registry
  PID: 4240
Network
MITRE ATT&CK Enterprise v15
Downloads