Overview

overview

10

Static

static

10

JaffaCakes...03.exe

windows7-x64

10

JaffaCakes...03.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-01-2025 16:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_af382cfb9632dde6f7de3f2d0a76e103.exe

  • Size

    426KB

  • MD5

    af382cfb9632dde6f7de3f2d0a76e103

  • SHA1

    2ace18dcd993145b4367dbb13cc1b5e99c3eeaf0

  • SHA256

    44d150b890d0d9440e430d47f2b5aeb2c6b5148bbe8cfabf83dcb4f89abdef2e

  • SHA512

    4987935c732c974760b0de0d54bdef75ce0a75cf88d698e3014b974828f2d370576aa7dd79ac661f14141fd36b41e844f581a9808ea2f6eabfbc3ab5b7fba0cf

  • SSDEEP

    6144:tYvr7D1PE/3BcL9l5bUsgFxvJqBIeAZtvHLPKKzAI17JY0H+kK1e:tGPD549FRaSkT1e

Score
10/10
growtopiadiscoveryevasionexecutionpersistencespywarestealertrojan

Malware Config

Signatures

  • Growtopia

    Growtopa is an opensource modular stealer written in C#.

    stealergrowtopia
  • Growtopia family
    growtopia
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 7 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_af382cfb9632dde6f7de3f2d0a76e103.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_af382cfb9632dde6f7de3f2d0a76e103.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4924
    • C:\Users\Admin\AppData\Local\Temp\Exafarm Loader.exe
      "C:\Users\Admin\AppData\Local\Temp\Exafarm Loader.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4136
      • C:\Windows\SYSTEM32\cmd.exe
        cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\UAC.bat"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2260
        • C:\Windows\system32\reg.exe
          REG ADD "HKCU\SOFTWARE\Classes\ms-settings\shell\open\command" /t REG_SZ /d "C:\windows\system32\cmd.exe /c REG ADD HKLM\software\microsoft\windows\currentversion\policies\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f" /f
          4⤵
          • Modifies registry class
          PID:4784
        • C:\Windows\system32\reg.exe
          REG ADD "hkcu\software\classes\ms-settings\shell\open\command" /v DelegateExecute /t REG_SZ /d " " /f
          4⤵
          • Modifies registry class
          PID:1952
        • C:\Windows\system32\fodhelper.exe
          fodhelper.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4528
          • C:\windows\system32\cmd.exe
            "C:\windows\system32\cmd.exe" /c REG ADD HKLM\software\microsoft\windows\currentversion\policies\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2688
            • C:\Windows\system32\reg.exe
              REG ADD HKLM\software\microsoft\windows\currentversion\policies\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
              6⤵
              • UAC bypass
              • Modifies registry key
              PID:3208
      • C:\Windows\SYSTEM32\cmd.exe
        cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\DC.exe" /D
        3⤵
          PID:1416
        • C:\Windows\SYSTEM32\cmd.exe
          cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MAC.bat"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4932
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell get-NetAdapter
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2308
        • C:\Windows\SYSTEM32\cmd.exe
          cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\GenReg.exe" [29549]--[140496283]--[14774,14774c,14774w,14774wc]--[105372212,105372212c]
          3⤵
            PID:384
          • C:\Windows\SYSTEM32\cmd.exe
            cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\WBPVBat.bat"
            3⤵
              PID:4236
            • C:\Windows\SYSTEM32\cmd.exe
              cmd.exe /c Powershell.exe -NoProfile -ExecutionPolicy unrestricted -file "C:\Users\Admin\AppData\Local\Temp\ZBRecoveredFolder\RecoverFiles.ps1"
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:2652
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Powershell.exe -NoProfile -ExecutionPolicy unrestricted -file "C:\Users\Admin\AppData\Local\Temp\ZBRecoveredFolder\RecoverFiles.ps1"
                4⤵
                • Enumerates connected drives
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:3088
            • C:\Windows\SYSTEM32\cmd.exe
              cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ScanPC.bat"
              3⤵
                PID:3720
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 1872
                3⤵
                • Program crash
                PID:5048
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4136 -ip 4136
            1⤵
              PID:632

            Network

            MITRE ATT&CK Enterprise v15

            Reconnaissance

            Resource Development

            Initial Access

            Execution

            Command and Scripting Interpreter

            1
            T1059

            PowerShell

            1
            T1059.001

            Persistence

            Boot or Logon Autostart Execution

            1
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Privilege Escalation

            Abuse Elevation Control Mechanism

            1
            T1548

            Bypass User Account Control

            1
            T1548.002

            Boot or Logon Autostart Execution

            1
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Defense Evasion

            Abuse Elevation Control Mechanism

            1
            T1548

            Bypass User Account Control

            1
            T1548.002

            Impair Defenses

            1
            T1562

            Disable or Modify Tools

            1
            T1562.001

            Modify Registry

            3
            T1112

            Credential Access

            Credentials from Password Stores

            1
            T1555

            Credentials from Web Browsers

            1
            T1555.003

            Unsecured Credentials

            1
            T1552

            Credentials In Files

            1
            T1552.001

            Discovery

            Peripheral Device Discovery

            1
            T1120

            Query Registry

            2
            T1012

            System Information Discovery

            3
            T1082

            System Location Discovery

            1
            T1614

            System Language Discovery

            1
            T1614.001

            Lateral Movement

            Collection

            Data from Local System

            1
            T1005

            Command and Control

            Exfiltration

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
              Filesize

              3KB

              MD5

              661739d384d9dfd807a089721202900b

              SHA1

              5b2c5d6a7122b4ce849dc98e79a7713038feac55

              SHA256

              70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

              SHA512

              81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              1KB

              MD5

              f3b2f7c8e9b3057a4342efce5cb1f648

              SHA1

              cbcab1b48cd397259c504d2c915c5c30ea877b06

              SHA256

              2c3dc036ac8d51e14510a0a6bba650d29e55c394b3b564a5f762c2fc1ebc3693

              SHA512

              f627a062084919835cdfadcaa06849d6a636e4b2f6a24317c29e78183c02b4e2ffa9cf0911f627efc2143514695a1b3e70141866f61c722039721182cd5fb142

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\Exafarm Loader.exe
              Filesize

              151KB

              MD5

              a5649742d25bd68b1db70b70b3012d50

              SHA1

              469f0f58b70db096c8e0ecc30252d26fe274ff76

              SHA256

              f2adef7d44afd81ae29ff66853f7db11c5959d22439cd623291638dc657fca38

              SHA512

              b5db014aab517a28959562bde768c375805cdff9a1f241460da849e0637dfafe88d4c7dc9129e7c63b651a3a8bbd6b9721d47c8a53182f1151893f419aac0a71

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\MAC.bat
              Filesize

              42B

              MD5

              56120ea7d97e691243935b98d32f4b65

              SHA1

              f89f6249a946882410de06765ec07e11f2608177

              SHA256

              1d6a29ec8b4f624b3246450c2a34ae1a8b3e35cdc7f3fa86a680e14169e01a67

              SHA512

              4cda70d6283fc48105a64c157c50fbe61bc5c77aa0f28e8c1176943cfdfa4345df77f09573d49ff896830cfc8315547a453a7bcbe68c00dd140b99ead94c8b5b

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\MAC.zb
              Filesize

              369B

              MD5

              51068a07011bf4c17538df72e9c7f208

              SHA1

              4ea0dc2b2f9df54c93577a846c12e595f877d34a

              SHA256

              ba63558eb8033862e7e2f0d40f1bce2aa5d82d49f010e7b8a6403ad65915a6b0

              SHA512

              047f6bc37c833aab0cae4e97377e102e2315618ec6c416456abc1a57ccd2f8e3147bd0b253e873c5cd813771a519077150453af940b1a3cd3ab37ae9c1103658

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\ScanPC.bat
              Filesize

              65B

              MD5

              fe76c9e647f358368eaf4e222e204dc6

              SHA1

              c94ea01f006620f2adedf56a377ad452b30be98a

              SHA256

              46aa77e7b80cab973f35033380be8dd8924bc7a5f43990037359809baf628244

              SHA512

              fd1b4fe5bc64813614a847d9552d4e29a9ec9957f4e7a94176d65298293412213f0255400bf55d188a4a159575d611a072fce999e2253adf0be8f382af977daa

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\UAC.bat
              Filesize

              351B

              MD5

              84e809c3854f97339e11bb74129f69d1

              SHA1

              63e45ca731eeb00cbbd89b8870c1cdeeaf6c8ef0

              SHA256

              c9db5db63e80c488a96460c775e88a7208e6ca278f14128a1267d4d6f3f3187c

              SHA512

              e8d313fc47f247770e3c346c7a9fe13902e80f1e2a37e08a46a7c0a3026cc3939a84a321f90d09b5aa9f6e7aa0dc799d86bc58e417e8bd4e197d5b62d23dacc5

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\WBPVBat.bat
              Filesize

              45B

              MD5

              8f6fe19e0609ab1352a0789cc2f26930

              SHA1

              0e03b9c99795d0edece5b885211d142e21df56bc

              SHA256

              390d8088e112cd92ed0f9be3ac1cc127e6cdf482d0b7546ec869c73d85a6d682

              SHA512

              d4fce506abdb0c25564a99b1d49e067197d61b2fc43fcc7bb063d1fc084cc1591162ae8a3c20c78558bb0543ea892323aacc4d609658ea1593f936f1ff13b17a

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\ZBRecoveredFolder\RecoverFiles.ps1
              Filesize

              253B

              MD5

              c2a812a536121ead50a97e6dca817b19

              SHA1

              d56a1b38c4161f03e01bc95e3d5172c1b54b6143

              SHA256

              e73f61c7505305910b75d1794b43b1d3030034459e2cb0e723d4f3b16384554e

              SHA512

              bab9271abc4e6da9c7c3aba74ec59e98d4325888235d1e364045ddaeef5aec42342ef4683a4541019f7190af160f555d673e9924ab8daf09b8816350b4d2ce46

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uh01g02c.dx4.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit

            • memory/2308-41-0x000001B7A9D20000-0x000001B7A9D42000-memory.dmp

              Filesize

              136KB

              Download

            • memory/4924-0-0x00007FFD9D8C3000-0x00007FFD9D8C5000-memory.dmp

              Filesize

              8KB

              Download

            • memory/4924-1-0x0000000000CC0000-0x0000000000D30000-memory.dmp

              Filesize

              448KB

              Download