Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08-01-2025 00:07

General

  • Target

    JaffaCakes118_807266dee301da1d6f1c741fb3fec907.exe

  • Size

    2.7MB

  • MD5

    807266dee301da1d6f1c741fb3fec907

  • SHA1

    ebb5f041e3adeda0286b366659308774c10d1494

  • SHA256

    ec5813453a4a44c4c2b07238bafecc699bf2679b5962d3d4879a3d667b853d8d

  • SHA512

    764784b63b228794d994d00b7de4a6459353cbe3d065e0f5dd49fd19ac28d3b5b3a460ec94cdc34c8ed6f1608314c442ba35c2250bb661d8d8626774ee345c14

  • SSDEEP

    49152:MNPPzVce7Xp9pbK3oRVZPDEb4jf/fFeIKnGQ+Z+/u4ae8aMSSKtarkgjP2j7:MNDVcebprK4RVZAqXfFeznGgahSLt2Y7

Malware Config

Extracted

Family

cryptbot

C2

veotdm61.top

morizu06.top

Attributes
  • payload_url

    http://tynpdi08.top/download.php?file=loungy.exe

Signatures

  • CryptBot

    CryptBot is a C++ stealer that is widely distributed bundled with other software.

  • Cryptbot family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Themida packer 20 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_807266dee301da1d6f1c741fb3fec907.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_807266dee301da1d6f1c741fb3fec907.exe"
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    PID:5008

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\rawMDZuSOu\_Files\_Information.txt

    Filesize

    1KB

    MD5

    83f4b0a5e475304c2d75f415caaf2743

    SHA1

    9dfdddbf1fbe30dd1b266ae2e139204f5dda8871

    SHA256

    86b64becd150a9a42e9aa1c950137864661b8f0c1366d1b16345d57b3e8f5967

    SHA512

    b4d069bccf8ec956ef5a138d497f19ad88ef1f26b734d4cfd3aaf1b0b8b7ae3f0d983e0a188262c5452a45eebf45d78c9ecb9de7edc9c86a93cb72f7f3e6604d

  • C:\Users\Admin\AppData\Local\Temp\rawMDZuSOu\_Files\_Information.txt

    Filesize

    2KB

    MD5

    7d246a4205ad556dfea70175e3a68d9e

    SHA1

    457c3d41b073f9a3f9a749a30171bbf361e421fb

    SHA256

    4efd942f63309ae9218daea95849230696629dbcc39a2a1693925302abd84cd0

    SHA512

    8a55004b4cd904f0b3fb16a0235280b476472284ac69a2777849402f7abb04d080f23372d2c063fbff56f5cf53c9eea450753c46327819a7ccafc885a7458fc4

  • C:\Users\Admin\AppData\Local\Temp\rawMDZuSOu\_Files\_Information.txt

    Filesize

    4KB

    MD5

    9903f43597801323677c816f81de6fbb

    SHA1

    07eab7743ddc07a2f44a30ecc9568f9e2613f4d3

    SHA256

    3e51dea6ce3cf22911f3063ea7d523456b42ea853bb279ffd62bc86a7af1951f

    SHA512

    4a3643ccc1d499c6e418d62c44c2030da900dde0494e46201ab60572b1126219007c5290224ac9757a0f3810cce33a7d59d621bafc74ccd5d5875b2e6743c0e6

  • C:\Users\Admin\AppData\Local\Temp\rawMDZuSOu\_Files\_Screen_Desktop.jpeg

    Filesize

    58KB

    MD5

    5802c28c9ded230635f2b3946a5f6092

    SHA1

    043704436ef0cab209b9d2c1daa98f1471dee67b

    SHA256

    03a5f760acc90779ee4dfb4ead3d6476596fd329448526e914a8e34577cced59

    SHA512

    f5efa4f48d8515e01e33d42be42caf2679e97a1d56c38cdd808d76a38ae33d85dc34c36c57ee441fdabb8796e53b77d669a8b35ee396f5b7ba05aeca9839dd3b

  • C:\Users\Admin\AppData\Local\Temp\rawMDZuSOu\aKhjrngWFQgo.zip

    Filesize

    53KB

    MD5

    fe00d4228c41841c5e14050bea29aac6

    SHA1

    0fddc06b6215675ebbbdc99d09e9f3450455efd5

    SHA256

    118825ffc536ad06e9918882888f1889a1c1fee1c1656ba144e98c94af350f79

    SHA512

    3193377dd09281ab6d2d0d4188ddcb077f2006e7f479f6a1e300357fcecc27dd07fd1650a078a0e5c31903abcfb42e72132f9c1903b95f6314656dda75436f58

  • memory/5008-130-0x0000000000460000-0x0000000000B4E000-memory.dmp

    Filesize

    6.9MB

  • memory/5008-1-0x0000000077254000-0x0000000077256000-memory.dmp

    Filesize

    8KB

  • memory/5008-5-0x0000000000460000-0x0000000000B4E000-memory.dmp

    Filesize

    6.9MB

  • memory/5008-137-0x0000000000460000-0x0000000000B4E000-memory.dmp

    Filesize

    6.9MB

  • memory/5008-133-0x0000000000460000-0x0000000000B4E000-memory.dmp

    Filesize

    6.9MB

  • memory/5008-120-0x0000000000460000-0x0000000000B4E000-memory.dmp

    Filesize

    6.9MB

  • memory/5008-121-0x0000000000460000-0x0000000000B4E000-memory.dmp

    Filesize

    6.9MB

  • memory/5008-0-0x0000000000460000-0x0000000000B4E000-memory.dmp

    Filesize

    6.9MB

  • memory/5008-125-0x0000000000460000-0x0000000000B4E000-memory.dmp

    Filesize

    6.9MB

  • memory/5008-127-0x0000000000460000-0x0000000000B4E000-memory.dmp

    Filesize

    6.9MB

  • memory/5008-3-0x0000000000460000-0x0000000000B4E000-memory.dmp

    Filesize

    6.9MB

  • memory/5008-4-0x0000000000460000-0x0000000000B4E000-memory.dmp

    Filesize

    6.9MB

  • memory/5008-2-0x0000000000460000-0x0000000000B4E000-memory.dmp

    Filesize

    6.9MB

  • memory/5008-139-0x0000000000460000-0x0000000000B4E000-memory.dmp

    Filesize

    6.9MB

  • memory/5008-142-0x0000000000460000-0x0000000000B4E000-memory.dmp

    Filesize

    6.9MB

  • memory/5008-144-0x0000000000460000-0x0000000000B4E000-memory.dmp

    Filesize

    6.9MB

  • memory/5008-147-0x0000000000460000-0x0000000000B4E000-memory.dmp

    Filesize

    6.9MB

  • memory/5008-150-0x0000000000460000-0x0000000000B4E000-memory.dmp

    Filesize

    6.9MB

  • memory/5008-153-0x0000000000460000-0x0000000000B4E000-memory.dmp

    Filesize

    6.9MB

  • memory/5008-157-0x0000000000460000-0x0000000000B4E000-memory.dmp

    Filesize

    6.9MB

  • memory/5008-160-0x0000000000460000-0x0000000000B4E000-memory.dmp

    Filesize

    6.9MB