General

  • Target

    JaffaCakes118_f9d1611e9c76704829a006ca1a15c810063c0c68f2c9466cfafe583de36c4a0e

  • Size

    1.7MB

  • Sample

    241224-sf1njazqdq

  • MD5

    3c5798fe337421e0c6f7ca3d0954c55a

  • SHA1

    11e5557b97f7c1f3871a1812c0d41687fa45384f

  • SHA256

    f9d1611e9c76704829a006ca1a15c810063c0c68f2c9466cfafe583de36c4a0e

  • SHA512

    9f89783d796bfe2834cea51ecd7802d7fc511abb0396067f8bc4b66072a9d8c7ff47a87a0260ed52a581e9a3079a79afa6a4194c0a26be7670308964b8198891

  • SSDEEP

    49152:kRl2iBtH0jluEX1DZIrHUbywSCWjQzhkBc6MUKR:UrUjYElDZILUbfSCWUzhlDX

Malware Config

Targets

    • Target

      32_64_ver_1_bit.bin

    • Size

      1.8MB

    • MD5

      cf79a81627e7b71ca9bdd33ba812b7a0

    • SHA1

      26c35564bde9adcc2c56d062fce809ee2b4ee82d

    • SHA256

      607d4323ec499f3d2d39f10ce3e539442c2c8959be41afe20d6a2a68b5406f8b

    • SHA512

      79b1a6429432e4b4860f3226cf892c14a77cc8c9b55b8d4990c43af8a4d9f8ef09dfa6a43e2f05671ea4dc20625ccd1a1d3507c227a49f35ef74df892fba9342

    • SSDEEP

      49152:P5+hFYPN3BwAALqBZ3mpkPGx6pMYLI1i+3gj:P5aFYtBHb5JPG0pMCMC

    • CryptBot

      CryptBot is a C++ stealer distributed widely in bundle with other software.

    • CryptBot payload

    • Cryptbot family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v15

Tasks