Overview

overview

10

Static

static

7

JaffaCakes...06.exe

windows7-x64

10

JaffaCakes...06.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-01-2025 16:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_e8abf51b99ff390aad5f8044e88ac806.exe

  • Size

    2.5MB

  • MD5

    e8abf51b99ff390aad5f8044e88ac806

  • SHA1

    0004179b8721abb457d17c6ede713ddb1152640a

  • SHA256

    8a7ab275acf36cb7306f18f953b72f45213904632243a8290d8868008b5f4ae2

  • SHA512

    a01cb76c58a3cd1d96fdb128ea9707e4af163b2531980c1b5b07826fdd2456e1e95fadc31317456eba13d9a4bf74e22f222817e48033194833927bb74a531c87

  • SSDEEP

    49152:okFvNW035OI9Q/RKs2f8I08WWKH9FXBj0EjtCOmHgYxrhebg+b:ooNxJO0Q6E/8WN9j0iDmHgYObVb

Score
10/10
cryptbotdiscoveryevasionspywarestealerthemidatrojan

Malware Config

Extracted

Family

cryptbot

C2

veotyc21.top

morpib02.top
Attributes
  • payload_url

    http://tynoev02.top/download.php?file=lv.exe

Signatures

  • CryptBot

    CryptBot is a C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • Cryptbot family
    cryptbot
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 20 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e8abf51b99ff390aad5f8044e88ac806.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e8abf51b99ff390aad5f8044e88ac806.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    PID:3896

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\LhUlFhItgPrFV\_Files\_Information.txt
    Filesize

    4KB

    MD5

    82f4dea6f516c392f1814a26981344bb

    SHA1

    570de4f06bc135493fe2f6f6096887b834739e95

    SHA256

    a520545189af6285ada709d0755f2a8223f36a3fe4b568ef92a52789699ed8fd

    SHA512

    556f01f1d2c01573d5966f91687a766ba57f66a5d86268c11364bf413709cb1d03b0afc2e501e01129c5a16c14411310755afe148d6fbfa429a0e4e6472049a9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\LhUlFhItgPrFV\_Files\_Screen_Desktop.jpeg
    Filesize

    59KB

    MD5

    625a3242f87ad3dd6cc42da195cf64c1

    SHA1

    3ae01c3d42aeb8cbc7751483de9edc2cbf9059bc

    SHA256

    027aa6e08b9108e063f777a0266b39a57ffd0118fc336ccd0fefb69fe72e1823

    SHA512

    0162d0faf3bd10df9c2b0a1d9720ba47feaf9bdd4b582489c83ea2fa670c446fc229e9b2d9fe9101dcb8a3047f48a79c6d33d930385187eba7363a4840ca861f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\LhUlFhItgPrFV\vYHBkykEgTa.zip
    Filesize

    54KB

    MD5

    b77f8ab8656f6734de34803ad19c0072

    SHA1

    80da0b5fd0ca46f9486cdc398bec7bcf8db7958b

    SHA256

    8da3aaf66d24a8c4d2f33d0561d4a68b2015cf623c1590937c27fef93d9d54af

    SHA512

    6b18ba437b0502d25bcb7118b0cd7b7914796c26c71605f6c0d24fdeae1b072325dfff0b5cdbfa42a559b0319a5df64ac3f6aa1f0cf2b453c708fead6e9df85b

    Download Submit

  • memory/3896-128-0x0000000000C90000-0x000000000131F000-memory.dmp

    Filesize

    6.6MB

    Download

  • memory/3896-134-0x0000000000C90000-0x000000000131F000-memory.dmp

    Filesize

    6.6MB

    Download

  • memory/3896-5-0x0000000000C90000-0x000000000131F000-memory.dmp

    Filesize

    6.6MB

    Download

  • memory/3896-3-0x0000000000C90000-0x000000000131F000-memory.dmp

    Filesize

    6.6MB

    Download

  • memory/3896-2-0x0000000000C90000-0x000000000131F000-memory.dmp

    Filesize

    6.6MB

    Download

  • memory/3896-120-0x0000000000C90000-0x000000000131F000-memory.dmp

    Filesize

    6.6MB

    Download

  • memory/3896-122-0x0000000000C90000-0x000000000131F000-memory.dmp

    Filesize

    6.6MB

    Download

  • memory/3896-1-0x0000000077044000-0x0000000077046000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3896-125-0x0000000000C90000-0x000000000131F000-memory.dmp

    Filesize

    6.6MB

    Download

  • memory/3896-0-0x0000000000C90000-0x000000000131F000-memory.dmp

    Filesize

    6.6MB

    Download

  • memory/3896-131-0x0000000000C90000-0x000000000131F000-memory.dmp

    Filesize

    6.6MB

    Download

  • memory/3896-4-0x0000000000C90000-0x000000000131F000-memory.dmp

    Filesize

    6.6MB

    Download

  • memory/3896-136-0x0000000000C90000-0x000000000131F000-memory.dmp

    Filesize

    6.6MB

    Download

  • memory/3896-139-0x0000000000C90000-0x000000000131F000-memory.dmp

    Filesize

    6.6MB

    Download

  • memory/3896-142-0x0000000000C90000-0x000000000131F000-memory.dmp

    Filesize

    6.6MB

    Download

  • memory/3896-144-0x0000000000C90000-0x000000000131F000-memory.dmp

    Filesize

    6.6MB

    Download

  • memory/3896-147-0x0000000000C90000-0x000000000131F000-memory.dmp

    Filesize

    6.6MB

    Download

  • memory/3896-151-0x0000000000C90000-0x000000000131F000-memory.dmp

    Filesize

    6.6MB

    Download

  • memory/3896-154-0x0000000000C90000-0x000000000131F000-memory.dmp

    Filesize

    6.6MB

    Download

  • memory/3896-157-0x0000000000C90000-0x000000000131F000-memory.dmp

    Filesize

    6.6MB

    Download

  • memory/3896-159-0x0000000000C90000-0x000000000131F000-memory.dmp

    Filesize

    6.6MB

    Download