Analysis
- max time kernel: 178s
- max time network: 197s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
- submitted: 11-04-2024 11:18
Static task: static1
Behavioral task: behavioral1
- Sample: ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe
- Resource: win10v2004-20240226-en
General
- Target: ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe
- Size: 992KB
- MD5: ed4d2e0f901bc478be16d3dad0d02792
- SHA1: 7bce6d0d9ae6f72eb4ce37128be889206949cb3e
- SHA256: 959e3ca2579b6be8a11c06763c5a34ec118abc96d869e25bef06319c92da465e
- SHA512: 06ebd3e5039307c1e42eaaa9d449a300d2909c87811483ab737d72e47c1cffc4eba943b71744118d0c87ac129e58e0bb7c1632abc30540436014b2ff36ec25cf
- SSDEEP: 24576:UE0lHcgqgh7/0tgIugNw6GQlGDI/NKZ/Y:UEw8gXYzVtGQVNC/Y
Malware Config
Extracted: azorult
- http://195.245.112.115/index.php
Extracted: raccoon
- 1.7.3
- fe25b858c52ebb889260990dc343e5dbcf4a96e4
- url4cnc: https://telete.in/brikitiki
Extracted: oski
- danielmax.ac.ug
Signatures
- Azorult: an information stealer first discovered in 2016, targeting browsing history and passwords.
- Oski: an infostealer targeting browser data and crypto wallets.
- Raccoon Stealer V1 payload 4 IoCs
Resources (resource, yara_rule):
- behavioral1/memory/1912-28-0x0000000000400000-0x000000000049A000-memory.dmp | family_raccoon_v1
- behavioral1/memory/1912-43-0x0000000000400000-0x000000000049A000-memory.dmp | family_raccoon_v1
- behavioral1/memory/1912-50-0x0000000000400000-0x0000000000495000-memory.dmp | family_raccoon_v1
- behavioral1/memory/1912-52-0x0000000000400000-0x000000000049A000-memory.dmp | family_raccoon_v1
Executes dropped EXE 4 IoCs
Processes (pid, process):
- 2760 | GFDyrtucbvfdg.exe
- 1712 | DSFnbyhgfrtydfg.exe
- 2444 | GFDyrtucbvfdg.exe
- 2428 | DSFnbyhgfrtydfg.exe
Loads dropped DLL 11 IoCs
Processes (pid, process):
- 3008 | ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe
- 3008 | ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe
- 3008 | ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe
- 3008 | ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe
- 2760 | GFDyrtucbvfdg.exe
- 1712 | DSFnbyhgfrtydfg.exe
- 1080 | WerFault.exe
- 1080 | WerFault.exe
- 1080 | WerFault.exe
- 1080 | WerFault.exe
- 1080 | WerFault.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and similar profile data.
-
Suspicious use of SetThreadContext 3 IoCs
Processes (description, pid, process, target process):
- PID 2760 set thread context of 2444 | 2760 GFDyrtucbvfdg.exe | GFDyrtucbvfdg.exe
- PID 3008 set thread context of 1912 | 3008 ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe | ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe
- PID 1712 set thread context of 2428 | 1712 DSFnbyhgfrtydfg.exe | DSFnbyhgfrtydfg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes (pid, pid_target, process, target process):
- 1080 | 2428 | WerFault.exe | DSFnbyhgfrtydfg.exe
Modifies system certificate store 2 IoCs
Processes (description, ioc, process):
- Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe
- Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = <blob data omitted> | ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe
Suspicious behavior: MapViewOfSection 3 IoCs
Processes (pid, process):
- 2760 | GFDyrtucbvfdg.exe
- 3008 | ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe
- 1712 | DSFnbyhgfrtydfg.exe
Suspicious use of SetWindowsHookEx 3 IoCs
Processes (pid, process):
- 3008 | ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe
- 2760 | GFDyrtucbvfdg.exe
- 1712 | DSFnbyhgfrtydfg.exe
Suspicious use of WriteProcessMemory 27 IoCs
Processes (description, pid, process, target process):
- PID 3008 wrote to memory of 2760 | 3008 ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe | GFDyrtucbvfdg.exe
- PID 3008 wrote to memory of 2760 | 3008 ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe | GFDyrtucbvfdg.exe
- PID 3008 wrote to memory of 2760 | 3008 ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe | GFDyrtucbvfdg.exe
- PID 3008 wrote to memory of 2760 | 3008 ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe | GFDyrtucbvfdg.exe
- PID 3008 wrote to memory of 1712 | 3008 ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe | DSFnbyhgfrtydfg.exe
- PID 3008 wrote to memory of 1712 | 3008 ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe | DSFnbyhgfrtydfg.exe
- PID 3008 wrote to memory of 1712 | 3008 ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe | DSFnbyhgfrtydfg.exe
- PID 3008 wrote to memory of 1712 | 3008 ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe | DSFnbyhgfrtydfg.exe
- PID 2760 wrote to memory of 2444 | 2760 GFDyrtucbvfdg.exe | GFDyrtucbvfdg.exe
- PID 2760 wrote to memory of 2444 | 2760 GFDyrtucbvfdg.exe | GFDyrtucbvfdg.exe
- PID 2760 wrote to memory of 2444 | 2760 GFDyrtucbvfdg.exe | GFDyrtucbvfdg.exe
- PID 2760 wrote to memory of 2444 | 2760 GFDyrtucbvfdg.exe | GFDyrtucbvfdg.exe
- PID 3008 wrote to memory of 1912 | 3008 ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe | ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe
- PID 3008 wrote to memory of 1912 | 3008 ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe | ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe
- PID 3008 wrote to memory of 1912 | 3008 ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe | ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe
- PID 3008 wrote to memory of 1912 | 3008 ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe | ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe
- PID 2760 wrote to memory of 2444 | 2760 GFDyrtucbvfdg.exe | GFDyrtucbvfdg.exe
- PID 3008 wrote to memory of 1912 | 3008 ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe | ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe
- PID 1712 wrote to memory of 2428 | 1712 DSFnbyhgfrtydfg.exe | DSFnbyhgfrtydfg.exe
- PID 1712 wrote to memory of 2428 | 1712 DSFnbyhgfrtydfg.exe | DSFnbyhgfrtydfg.exe
- PID 1712 wrote to memory of 2428 | 1712 DSFnbyhgfrtydfg.exe | DSFnbyhgfrtydfg.exe
- PID 1712 wrote to memory of 2428 | 1712 DSFnbyhgfrtydfg.exe | DSFnbyhgfrtydfg.exe
- PID 1712 wrote to memory of 2428 | 1712 DSFnbyhgfrtydfg.exe | DSFnbyhgfrtydfg.exe
- PID 2428 wrote to memory of 1080 | 2428 DSFnbyhgfrtydfg.exe | WerFault.exe
- PID 2428 wrote to memory of 1080 | 2428 DSFnbyhgfrtydfg.exe | WerFault.exe
- PID 2428 wrote to memory of 1080 | 2428 DSFnbyhgfrtydfg.exe | WerFault.exe
- PID 2428 wrote to memory of 1080 | 2428 DSFnbyhgfrtydfg.exe | WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe (tree depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe"
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\GFDyrtucbvfdg.exe (tree depth 2)
  command line: "C:\ProgramData\GFDyrtucbvfdg.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\GFDyrtucbvfdg.exe (tree depth 3)
  command line: "C:\ProgramData\GFDyrtucbvfdg.exe"
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe (tree depth 2)
  command line: "C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe (tree depth 3)
  command line: "C:\Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exe (tree depth 4)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 780
- Loads dropped DLL
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe (tree depth 2)
  command line: "C:\Users\Admin\AppData\Local\Temp\ed4d2e0f901bc478be16d3dad0d02792_JaffaCakes118.exe"
- Modifies system certificate store
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\ProgramData\GFDyrtucbvfdg.exe
  Filesize: 204KB
  MD5: 701f6f95d5e205b53b3a74403d46981a
  SHA1: 3e614af86675b0de761adb5d2fa271bfb3142b95
  SHA256: 36b216e3219f82031317e03235333638e22d5f93c184e403e2383e322be1e459
  SHA512: a7f051d91b24c3a42d81507577f8c9c576f6fd68287a56606f1c0dc7c06c7054d325974b3b176ac019815cce5dbb42ff9104e4d1c7f51fee5f9ee9a420c04d15
- \Users\Admin\AppData\Roaming\DSFnbyhgfrtydfg.exe
  Filesize: 252KB
  MD5: 93fffc6736b1dd95a4f4e88734e9d540
  SHA1: 509a9acffd9b9123fff2a3df9a860b829210f80a
  SHA256: 80b57df21ba993430e49e63e47f1afd84ac2f64fe50bb0b19413b2f964c42dd0
  SHA512: d56d6e46792df1b06449265973e589559ff630ea2bcbcae54ffd0503188477605a63ca4db38f8e5e29d472368902e959f850226cf3ddaa2c0d6ba6ac3b87faed
- memory/1912-52-0x0000000000400000-0x000000000049A000-memory.dmp | Filesize: 616KB
- memory/1912-28-0x0000000000400000-0x000000000049A000-memory.dmp | Filesize: 616KB
- memory/1912-50-0x0000000000400000-0x0000000000495000-memory.dmp | Filesize: 596KB
- memory/1912-43-0x0000000000400000-0x000000000049A000-memory.dmp | Filesize: 616KB
- memory/2428-45-0x0000000000400000-0x0000000000439000-memory.dmp | Filesize: 228KB
- memory/2428-61-0x0000000000400000-0x0000000000439000-memory.dmp | Filesize: 228KB
- memory/2428-60-0x0000000000400000-0x0000000000434000-memory.dmp | Filesize: 208KB
- memory/2428-51-0x0000000000400000-0x0000000000434000-memory.dmp | Filesize: 208KB
- memory/2428-39-0x0000000000400000-0x0000000000439000-memory.dmp | Filesize: 228KB
- memory/2428-47-0x0000000000400000-0x0000000000439000-memory.dmp | Filesize: 228KB
- memory/2444-27-0x0000000000400000-0x0000000000425000-memory.dmp | Filesize: 148KB
- memory/2444-42-0x0000000000230000-0x0000000000231000-memory.dmp | Filesize: 4KB
- memory/2444-48-0x0000000000400000-0x0000000000425000-memory.dmp | Filesize: 148KB
- memory/2444-49-0x0000000000400000-0x0000000000420000-memory.dmp | Filesize: 128KB
- memory/2444-36-0x0000000000400000-0x0000000000425000-memory.dmp | Filesize: 148KB
- memory/2444-33-0x0000000000400000-0x0000000000425000-memory.dmp | Filesize: 148KB
- memory/2760-15-0x0000000000230000-0x0000000000231000-memory.dmp | Filesize: 4KB
- memory/2760-19-0x0000000000240000-0x0000000000248000-memory.dmp | Filesize: 32KB
- memory/3008-2-0x0000000000280000-0x0000000000281000-memory.dmp | Filesize: 4KB