Analysis

  • max time kernel
    117s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    10-01-2025 23:07

General

  • Target

    JaffaCakes118_f0b05b2333d9f421e29ea1c9d0ba0260.exe

  • Size

    7.5MB

  • MD5

    f0b05b2333d9f421e29ea1c9d0ba0260

  • SHA1

    aa657e8ee8f4fa0e68bb15f980344dfd8e9561df

  • SHA256

    ebaa5af691e844929d2cad60baf36b118db3fc4b0616ce8b9585838aaf4c34b6

  • SHA512

    66db04869cd2d704c6da6958a708cb3aa17fc70eff9f8be98fe269e6ddac1015347cbc1c10d2bcda52bc1cf31ae42e49085561d817c32e29d7e575b4ce945875

  • SSDEEP

    196608:pOWD5akOJ3Vekcb2tOaD3c5izrT8uKYRpA6mUcy4Jn:s05AV2AFDM5iPfAB/t

Malware Config

Extracted

Family

cryptbot

C2

veocou63.top

morizu06.top

Attributes
  • payload_url

    http://tynpdi08.top/download.php?file=loungy.exe

Signatures

  • Babadeda

    Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.

  • Babadeda Crypter 1 IoCs
  • Babadeda family
  • CryptBot

    CryptBot is a C++ stealer distributed widely in bundle with other software.

  • Cryptbot family
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f0b05b2333d9f421e29ea1c9d0ba0260.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f0b05b2333d9f421e29ea1c9d0ba0260.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2276
    • C:\Windows\SysWOW64\msiexec.exe
      msiexec /i "C:\Users\Admin\AppData\Local\Temp\AdvBackup\AdvBackup.msi" /qn /norestart
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2504
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3024
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 7DFC17D95399F35C29CFF422A5DFF53C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1052
    • C:\Users\Admin\AppData\Roaming\Chris Long\Advanced Backup\backdata.exe
      "C:\Users\Admin\AppData\Roaming\Chris Long\Advanced Backup\backdata.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2540
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\lcYeQSjKiCgMD & timeout 4 & del /f /q "C:\Users\Admin\AppData\Roaming\Chris Long\Advanced Backup\backdata.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2756
        • C:\Windows\SysWOW64\timeout.exe
          timeout 4
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:2784

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\f76e822.rbs

    Filesize

    12KB

    MD5

    fdd9f570d7998b0126e32911372c0c56

    SHA1

    57485a3348f745be24808064d36c4b462c60178a

    SHA256

    3417762e6efaee74089a5aa30a523ec3dce242806ef30c8bc333bae69b0faea4

    SHA512

    e138bdc88868f784fb6b774e3a70a68ae605863c9e3fa705c5524bcdf63ebfdd26b65ec44b9e5859f9bc52270d05ef9b602d4ea693a69b6dc8d175170fabe4b5

  • C:\Users\Admin\AppData\Local\Temp\AdvBackup\AdvBackup.msi

    Filesize

    7.7MB

    MD5

    25ad5262c29d2ea7404bda26ef0188bd

    SHA1

    83f9194b6224defe5827c94c67c2d32808d71919

    SHA256

    a45f49a2506f2353a72a287630f6ce1ab002554c75fc65a19321366bdd29ed0f

    SHA512

    7c990871346fe2e9d18cb4a46cd8f7cec07f1d4d5430362f2c6c60d2cbd34ac3cc61da121e50cba5f3a3a964876e6f4dd34c5a93344daae959e0fe030d532088

  • C:\Users\Admin\AppData\Roaming\Chris Long\Advanced Backup\backdata.exe

    Filesize

    10.2MB

    MD5

    b4f358fb5e2687505a7793a1c3fd30b8

    SHA1

    665fdf0bfece66a4e65684e4a8022ba18ea90b29

    SHA256

    843daace027b06df1ceb220a8dca85099e6249d3cd588f192c19105dfebd9008

    SHA512

    73c875846ec43aa2db3d0d45cedd330e8ae2bc1fe58298a08e6ad9824a5caedb00d670a7d1816ff7c778e4ac0bd6b166107a1b64cc0ff5d5ed50893ded8d9aeb

  • C:\Users\Admin\AppData\Roaming\Chris Long\Advanced Backup\libmetis30.dll

    Filesize

    3.8MB

    MD5

    5a9963267a59111458cc97cffe054699

    SHA1

    233cd89ab6cef194b2aaa9cc17bfb7f3f24e7411

    SHA256

    21b706d416bbdaf6037e8efbfa86cf1eb10fc1834dfa8fdf2386a7f0492246db

    SHA512

    03c7b50185b084e6ccf4c09be1eeff7fc6c254e22e36eb4b8a11e3d6b239f378df1659274fe2341a5a54b8b0043fc44678a2405716c54109391b67925fe5edd8

  • C:\Users\Admin\AppData\Roaming\Chris Long\Advanced Backup\mlg

    Filesize

    559KB

    MD5

    d3cefa732bbfb96d5e9ac98650a85733

    SHA1

    b6a914c0e61d1640b83849ae77d2aa3e0b28604b

    SHA256

    025545351f15a7e62b271453eb5f2e12e13d53bf8b08d466d3e6e62a5c530e81

    SHA512

    fc582f7e19d843b854e75f5f7b39713152c3b1c3d5f599eae46c78d9cfa358a2b81de47dda6c0769f346fed98d7e00cc0a4a46c126a5d2b4b78268ec163fdf4b

  • C:\Windows\Installer\MSIE87B.tmp

    Filesize

    393KB

    MD5

    3d24a2af1fb93f9960a17d6394484802

    SHA1

    ee74a6ceea0853c47e12802961a7a8869f7f0d69

    SHA256

    8d23754e6b8bb933d79861540b50deca42e33ac4c3a6669c99fb368913b66d88

    SHA512

    f6a19d00896a63debb9ee7cdd71a92c0a3089b6f4c44976b9c30d97fcbaacd74a8d56150be518314fac74dd3ebea2001dc3859b0f3e4e467a01721b29f6227ba

  • memory/2540-58-0x0000000000FA0000-0x0000000001A3D000-memory.dmp

    Filesize

    10.6MB

  • memory/2540-64-0x0000000000FA0000-0x0000000001A3D000-memory.dmp

    Filesize

    10.6MB