General

  • Target

    JaffaCakes118_6c551a1172a33d11b974f02a5e5489f851fcf1899e877c7e59abd2f650526c19

  • Size

    204.2MB

  • Sample

    241224-1exjgsyjbl

  • MD5

    516868e969099c727bdb926e11da6fb2

  • SHA1

    9bb50affde93017d1d87dcd5acab77f92d1101c5

  • SHA256

    6c551a1172a33d11b974f02a5e5489f851fcf1899e877c7e59abd2f650526c19

  • SHA512

    81c9d53ef842200e1c196ceae01b856f0c405c6e2b2c8180c530493e78e0d31a3d685b20df756c175ac86da67fba3d076e45c00439ab74fe8f47d22f3252da83

  • SSDEEP

    3145728:7h5UTMbY3OlOnQLdQBkB5B9ZsiyQfnBwYrSmH8qGHBI3myt3S:7hOTMbYNQLVbZF9f1rSRhHuWyt3S

Malware Config

Extracted

Family

cryptbot

C2

nkoopw11.top

moraass08.top

Targets

    • Target

      0caa6fb680e981e7d3353f19f830903c9e6438ecb14ddaa237ce747619d7d4c6

    • Size

      513KB

    • MD5

      888ddaf3d1539e84e9b6de38263fbbe5

    • SHA1

      03a207de60e69dd6b7d293d4d3ec9d7b6c29a197

    • SHA256

      0caa6fb680e981e7d3353f19f830903c9e6438ecb14ddaa237ce747619d7d4c6

    • SHA512

      ba311147160b50edab59a0472bf01c175e6251371c8a0dc4a7b0e0e4bbd83ebcbbb9616f7066c564344a7ca6e636718adbe612618747bf0b00718c9a973c3903

    • SSDEEP

      6144:G2/Bn4odwxr8E9XNgShcpR9qNYShcHUaW9KN4ShcHUa8/:xtZqxox/vUauvUaK

    Score
    10/10
    • Modifies WinLogon for persistence

    • Drops file in System32 directory

    • Target

      165ec181ff15e423abd3aa500bea857faf12fa34b4d53618028bd7a69af2eb71

    • Size

      1.9MB

    • MD5

      1609f54906b28c1017f73c13d07ce375

    • SHA1

      f7c1e2edd6235874dd8a4794fcbae1702135a7c5

    • SHA256

      165ec181ff15e423abd3aa500bea857faf12fa34b4d53618028bd7a69af2eb71

    • SHA512

      00f7fcb43e7aa1b38c2eef46b1f6f14c43b9d421762082ca4cdc953dc7a370f26d31935b2e1871fd691ebd872ab5bb5619e44e6a7b035d692586fcb50a3f7c06

    • SSDEEP

      49152:WU5roLZO7fpmE5MkncNqqep0j1RM/9J25ZQzWeWU8b:9J+OEE5MkcN9S0j1kCQzWh

    Score
    9/10
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      19f1fcac5e8dbd1d8ff78a295a3a16b533defb40a414dd360a6f75ca5101ac22

    • Size

      3.8MB

    • MD5

      159d99d1c7dabfcbb864fb263e03bb87

    • SHA1

      30bd2880c9af88eab81f9a18c13d18d2d2f55afc

    • SHA256

      19f1fcac5e8dbd1d8ff78a295a3a16b533defb40a414dd360a6f75ca5101ac22

    • SHA512

      40571a4b0a9a2ef2b9c49151521bd8f5cbc105367ba9f6d34c6eee692d05aecd08ec5b40b4ba8289000c403a16258e36a91497157562a9cd343f86f9ec4f87f1

    • SSDEEP

      98304:QPfulv3wyIb50YFX0oTMVxtCyPb8tTUCC49JGKc/cyyZitU7ioI:GWlv3eb5xFX0RVGZtM4rjc/cGtb/

    Score
    3/10
    • Target

      1a3642fa7da48a4950a11c6346c5fa1b3a61eff52c076603b1c4d005406cfede

    • Size

      4.3MB

    • MD5

      7b65065d72848703e2aa7a8788e182f8

    • SHA1

      939281d92b016157bc32a36876a957fa141dcce3

    • SHA256

      1a3642fa7da48a4950a11c6346c5fa1b3a61eff52c076603b1c4d005406cfede

    • SHA512

      cba2b883a103adaf2060138ee58f2e1a98520dca5e55b979584c49e42cf36af5915d5b95c7a00cee04766f9808a9dede3ad31d730f8f9873f44809855e3c30a3

    • SSDEEP

      98304:TNdyDF7++aTkQE/v3+zaAZqgv8uQwr50etXoy6FB/S:TNdyDF7OpNqgvLQWtYlm

    • CryptBot

      CryptBot is a C++ stealer distributed widely in bundle with other software.

    • CryptBot payload

    • Cryptbot family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Blocklisted process makes network request

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      $PLUGINSDIR/Sibuia.dll

    • Size

      524KB

    • MD5

      6a3c3c97e92a5949f88311e80268bbb5

    • SHA1

      48c11e3f694b468479bc2c978749d27b5d03faa2

    • SHA256

      7938db73242aafbe80915e4ca886d38be9b7e872b93bdae1e8ee6cf4a005b7d9

    • SHA512

      6141886a889825ccdfa59a419f7670a34ef240c4f90a83bc17223c415f2fbd983280e98e67485710e449746b5bf3284907537bef6ab698a48954dd4910ddf693

    • SSDEEP

      12288:yFlW+6yL4qXm3e39uB9dk6M6g89vYyw7UwogmySQk9GS168q:y/L6yL44oAP7LD7UvCaGSlq

    Score
    3/10
    • Target

      1d6d8960e8999bed25a88c4b9c8ad5f92f5314f2b50a012bcc7a6873ddcba25d

    • Size

      1.9MB

    • MD5

      68f146252671d1b383a8dd88400461c2

    • SHA1

      882571d799c61fb29b3dac4d713bc7c06f92f9f4

    • SHA256

      1d6d8960e8999bed25a88c4b9c8ad5f92f5314f2b50a012bcc7a6873ddcba25d

    • SHA512

      8b99e603acdda4b8383fa3d553e71431b9addbc1ff5c195664530e18346fad7692254e60a739252bb53366f07f10aa9c2a65e078a4ec733be028dfaac7e7deef

    • SSDEEP

      24576:fxXigZimec8JgCUfO4gdY2eBs0dQAnlqDopCkuSl9x8Kk39ELyhS+1J:ZXigZimecM+2eB3djYoX5Lu4yh

    Score
    9/10
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      213f46a61158000136d67452f6c638949db7a60674ed2af8379f6bbe7acb49fc

    • Size

      1.8MB

    • MD5

      37f95f0c742f9bb6c5f6d1b49a9f1e92

    • SHA1

      92d17b64c02a1ae01b49cda80a21042505d1eb3d

    • SHA256

      213f46a61158000136d67452f6c638949db7a60674ed2af8379f6bbe7acb49fc

    • SHA512

      c6ea684e9f53b46d86519c7920048ca5fbd07a42b7b372cbff33b590d5f4bcb0acda1104379503d403d1931bdd333ec74a571fb97f54abc7bf7cbc978c8a06ad

    • SSDEEP

      49152:89ka7Y5GeMaEWHXH/PAle3WPop58s48wvgveCK:8uHLqWX/ole3a5XYU

    Score
    9/10
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      284c9bd06ae67203244ed420c798188c7d0846938b21ba970ce64318452d6947

    • Size

      1.9MB

    • MD5

      a2db656c0369a9762ff24827848e8ea2

    • SHA1

      a88a7d679bb6e30467ffbed426c65a0c32074a3a

    • SHA256

      284c9bd06ae67203244ed420c798188c7d0846938b21ba970ce64318452d6947

    • SHA512

      c6c1c5619948566fa090a51bac8c91b8e6411d108b1fe2e246a4c8bf60face16d4bfca37e8950486cef843518eefb47cf2159ead8b331723cecc8d5179bfc32b

    • SSDEEP

      49152:DaDwJ/+V6pyXM1+0X2emluVTOSyvytABty8k2Chr78lPEEI:mkJ/Vpyi2vlIg6txCI

    Score
    9/10
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      2b08cbe646e4941556c400c8a9f4f2a073514d0ef919a88612696907f560aed4

    • Size

      1.9MB

    • MD5

      cc181563a24cc07810b1f6b583dd9293

    • SHA1

      729ed392cea5df30cf5f85a3b89361aac541b418

    • SHA256

      2b08cbe646e4941556c400c8a9f4f2a073514d0ef919a88612696907f560aed4

    • SHA512

      eeb7e7cbd6db581326bf4627947ae1c4610c8f6fb5e5ef2b41173c7dd44c87995c12480c19bc164504c33ede7fb286900b32f4c24d0d97c1c139d7a88417097e

    • SSDEEP

      49152:x+xKhFZYxAV5UTkqhs7KDOYRM75m406S7Ua/L/nobOE:0cmsUTHsWSbh06Wz7

    Score
    9/10
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      2c44be72321c29c1c20f09fb5c78ed59b76a74926f5581a77b13c6fafb502076

    • Size

      9KB

    • MD5

      ce0d45f37184b93d6c6f9d32f08560a0

    • SHA1

      cbb10ea66958db8abfd3eeed8ae921a56fd4e0b5

    • SHA256

      2c44be72321c29c1c20f09fb5c78ed59b76a74926f5581a77b13c6fafb502076

    • SHA512

      91f5cddd4c88d831bedea49b458334d53d77cad93840781fddb7ab1136dc448edf9f7d2f26469df9bb8bf63ac290fec14a31f9a9a40eece2d6450db734d4fca4

    • SSDEEP

      192:sTMu/Yzvh5NezZz293VQUmrNsTEBbNGyX1:xeYF5NeYFQUmhsoBbUyX

    Score
    6/10
    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      2e1deb95bfe713cf40cbb21b3821a83bb1d3cdda412ce78456e3e31741034cf0

    • Size

      1.8MB

    • MD5

      5cb0d38498c5fc6e34ae337ffc19b2f6

    • SHA1

      49d1633f21e953e11bc3dc29040277ca47804c13

    • SHA256

      2e1deb95bfe713cf40cbb21b3821a83bb1d3cdda412ce78456e3e31741034cf0

    • SHA512

      85ad630c54dda9bd0e7c1132c13d2680c62ead849b1d9fb42fee252e0b030ca935080a933887931ae45574c7e2d9210d6bfc101f8d510e27700461e1cc22ffdc

    • SSDEEP

      49152:kHCHLHKv0YABOgP+9q1VVIq/cCrJJeKg:kHCrq8EgP+9Y5nJo

    Score
    9/10
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      2f7a2890d38eeb574b1c357854c137c1403dfc0db6410a8e0186339da862c52b

    • Size

      4.5MB

    • MD5

      c20351b808023b220b948a520e5eb163

    • SHA1

      6db7728a2ed6406b6d83761df9676e66f6895878

    • SHA256

      2f7a2890d38eeb574b1c357854c137c1403dfc0db6410a8e0186339da862c52b

    • SHA512

      939433491c7df9f0fbe8017ac66f5b45b4011d4e3ae2d27fc1718751b9f14d5b1d04020ed4c2ee176be39d1145ec1c4584d6c0d54549bedf7fffdbfe7e20a390

    • SSDEEP

      98304:9XIs5hfSlpR2IT76rtzgaE1BTW977XYg64asgvUA9A4eFEEsLlX5Z6zyavLqi:9XIUfSlpZT76rave77XSf9AF9g+yS

    • CryptBot

      CryptBot is a C++ stealer distributed widely in bundle with other software.

    • CryptBot payload

    • Cryptbot family

    • Blocklisted process makes network request

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      bf712f32249029466fa86756f5546950

    • SHA1

      75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

    • SHA256

      7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

    • SHA512

      13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

    • SSDEEP

      192:0N2gQuUwXzioj4KALV2upWzVd7q1QDXEbBZ8KxHdGzyS/Kx:rJoiO8V2upW7vQjS/

    Score
    3/10
    • Target

      $PLUGINSDIR/UAC.dll

    • Size

      14KB

    • MD5

      adb29e6b186daa765dc750128649b63d

    • SHA1

      160cbdc4cb0ac2c142d361df138c537aa7e708c9

    • SHA256

      2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

    • SHA512

      b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

    • SSDEEP

      192:DiF6v2imI36Op/tGZGfWxdyWHD0I53vLl7WVl8e04IpDlPjs:DGVY6ClGoWxXH75T1WVl83lLs

    Score
    3/10
    • Target

      $PLUGINSDIR/UserInfo.dll

    • Size

      4KB

    • MD5

      c7ce0e47c83525983fd2c4c9566b4aad

    • SHA1

      38b7ad7bb32ffae35540fce373b8a671878dc54e

    • SHA256

      6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae

    • SHA512

      ee9f23ea5210f418d4c559628bbfb3a0f892440bcd5dc4c1901cb8e510078e4481ea8353b262795076a19055e70b88e08fee5fb7e8f35a6f49022096408df20e

    Score
    3/10
    • Target

      $PLUGINSDIR/nsDialogs.dll

    • Size

      9KB

    • MD5

      4ccc4a742d4423f2f0ed744fd9c81f63

    • SHA1

      704f00a1acc327fd879cf75fc90d0b8f927c36bc

    • SHA256

      416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6

    • SHA512

      790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb

    • SSDEEP

      192:SbEunjqjIcESwFlioU3M0LLF/t8t9pKSfOi:SbESjFCw6oWPFl8jfOi

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks

static1

upxfakeavspywareminerfakeavxmrig
Score
10/10

behavioral1

persistence
Score
10/10

behavioral2

discoverypersistence
Score
10/10

behavioral3

discoveryevasion
Score
9/10

behavioral4

discoveryevasion
Score
9/10

behavioral5

discovery
Score
3/10

behavioral6

discovery
Score
3/10

behavioral7

cryptbotdiscoveryevasionspywarestealer
Score
10/10

behavioral8

cryptbotdiscoveryevasionspywarestealer
Score
10/10

behavioral9

discovery
Score
3/10

behavioral10

discovery
Score
3/10

behavioral11

discoveryevasion
Score
9/10

behavioral12

discoveryevasion
Score
9/10

behavioral13

discoveryevasion
Score
9/10

behavioral14

discoveryevasion
Score
9/10

behavioral15

discoveryevasion
Score
9/10

behavioral16

discoveryevasion
Score
9/10

behavioral17

discoveryevasion
Score
9/10

behavioral18

discoveryevasion
Score
9/10

behavioral19

Score
6/10

behavioral20

Score
6/10

behavioral21

discoveryevasion
Score
9/10

behavioral22

discoveryevasion
Score
9/10

behavioral23

cryptbotdiscoveryspywarestealer
Score
10/10

behavioral24

cryptbotdiscoveryspywarestealer
Score
10/10

behavioral25

discovery
Score
3/10

behavioral26

discovery
Score
3/10

behavioral27

discovery
Score
3/10

behavioral28

discovery
Score
3/10

behavioral29

discovery
Score
3/10

behavioral30

discovery
Score
3/10

behavioral31

discovery
Score
3/10

behavioral32

discovery
Score
3/10