Analysis
- max time kernel: 147s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-06-2024 09:18
Static task: static1
Behavioral task: behavioral1
- Sample: adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe
- Size: 1.1MB
- MD5: adba935c663db2d4c2a53f01434f1e11
- SHA1: 87a24cd1d7cc1985e29ff1bd384c48dbde1b97a0
- SHA256: 362d3fd69c524f00f783eda97ea2229b80573d5cd1e849d3a0d6a17034ebd38a
- SHA512: db0c45d4b0eb9e91a18cd99e1f921ddd301adbdf9f9a41a585caffc1d5c994c2f18aa1162c06cfe63c3c89f07c13d21c37e78bf64b9aeb42442f9192b369d3bd
- SSDEEP: 24576:BGB08Fkcf4VYMOAcheLwsO7pcdpeewR1fGB08Fk8PviOCNGB08FkFmoz4OXzn:GpkenAJjOlcdMl1cpkOKOCCpkD4OXzn
Malware Config
Extracted: raccoon
- 236c7f8a01d741b888dc6b6209805e66d41e62ba
- url4cnc: https://telete.in/brikitiki
Extracted: oski
- courtneysdv.ac.ug
Extracted: azorult
- http://195.245.112.115/index.php
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Oski
Oski is an infostealer targeting browser data and cryptocurrency wallets.
-
Raccoon Stealer V1 payload 7 IoCs
Processes (resource / yara_rule):
- behavioral2/memory/2544-36-0x0000000000400000-0x0000000000497000-memory.dmp / family_raccoon_v1
- behavioral2/memory/2544-35-0x0000000000400000-0x0000000000497000-memory.dmp / family_raccoon_v1
- behavioral2/memory/2544-40-0x0000000000400000-0x0000000000493000-memory.dmp / family_raccoon_v1
- behavioral2/memory/2544-39-0x0000000000400000-0x0000000000497000-memory.dmp / family_raccoon_v1
- behavioral2/memory/2544-37-0x0000000000400000-0x0000000000497000-memory.dmp / family_raccoon_v1
- behavioral2/memory/2544-54-0x0000000000400000-0x0000000000493000-memory.dmp / family_raccoon_v1
- behavioral2/memory/2544-57-0x0000000000400000-0x0000000000497000-memory.dmp / family_raccoon_v1
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Processes (description / ioc / process):
- Key value queried / \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation / adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe
Executes dropped EXE 4 IoCs
Processes (pid / process):
- 4780 / gJHKfdgvr.exe
- 4512 / JHdfbvhyt.exe
- 3164 / JHdfbvhyt.exe
- 3572 / gJHKfdgvr.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
Processes (pid / process):
- 2544 / adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe (2 entries)
- 3164 / JHdfbvhyt.exe (2 entries)
- 3572 / gJHKfdgvr.exe (2 entries)
Suspicious use of SetThreadContext 3 IoCs
Processes (description / pid / process / target process):
- PID 2988 set thread context of 2544 / 2988 / adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe / adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe
- PID 4512 set thread context of 3164 / 4512 / JHdfbvhyt.exe / JHdfbvhyt.exe
- PID 4780 set thread context of 3572 / 4780 / gJHKfdgvr.exe / gJHKfdgvr.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes (pid / pid_target / process / target process):
- 3984 / 3164 / WerFault.exe / JHdfbvhyt.exe
Suspicious behavior: MapViewOfSection 3 IoCs
Processes (pid / process):
- 2988 / adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe
- 4512 / JHdfbvhyt.exe
- 4780 / gJHKfdgvr.exe
Suspicious use of SetWindowsHookEx 3 IoCs
Processes (pid / process):
- 2988 / adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe
- 4512 / JHdfbvhyt.exe
- 4780 / gJHKfdgvr.exe
Suspicious use of WriteProcessMemory 18 IoCs
Processes (description / pid / process / target process):
- PID 2988 wrote to memory of 4780 / 2988 / adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe / gJHKfdgvr.exe (3 entries)
- PID 2988 wrote to memory of 4512 / 2988 / adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe / JHdfbvhyt.exe (3 entries)
- PID 2988 wrote to memory of 2544 / 2988 / adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe / adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe (4 entries)
- PID 4512 wrote to memory of 3164 / 4512 / JHdfbvhyt.exe / JHdfbvhyt.exe (4 entries)
- PID 4780 wrote to memory of 3572 / 4780 / gJHKfdgvr.exe / gJHKfdgvr.exe (4 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\gJHKfdgvr.exe (level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\gJHKfdgvr.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\gJHKfdgvr.exe (level 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\gJHKfdgvr.exe"
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
  C:\Users\Admin\AppData\Local\Temp\JHdfbvhyt.exe (level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\JHdfbvhyt.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\JHdfbvhyt.exe (level 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\JHdfbvhyt.exe"
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      C:\Windows\SysWOW64\WerFault.exe (level 4)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 1260
        - Program crash
  C:\Users\Admin\AppData\Local\Temp\adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe (level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe"
    - Suspicious use of NtSetInformationThreadHideFromDebugger
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 1)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4216,i,14486271492189381216,15799931579469722648,262144 --variations-seed-version --mojo-platform-channel-handle=4352 /prefetch:8
C:\Windows\SysWOW64\WerFault.exe (level 1)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3164 -ip 3164
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Temp\JHdfbvhyt.exe
- Filesize: 284KB
- MD5: 56b539a18d733e7b287ee1bf95696e1f
- SHA1: 6f2dab4c86f138032e50fbc6c255e93c9a693e68
- SHA256: f1f45014743cac425404602576dc0fcbc1dcd475d12ac8968b81f1e52e6c6651
- SHA512: 9f7166af4b75b0b7889b3f7488ec8bd92901e8d097041293a88c3fe884d84e8e94924f49784f8091662057e4d42fb7040a99840644aafd7b2ec5f9d79d434bf7
C:\Users\Admin\AppData\Local\Temp\gJHKfdgvr.exe
- Filesize: 236KB
- MD5: a980c42338a12435e6274592cb51b982
- SHA1: 09620ff8a6f6678e2c3587c97662dde2ce636f67
- SHA256: 6133d331cb33fd7a1d261ce672f333458216b381426985dd9fa34fe3b1943ec7
- SHA512: 7efc42707d45f9326ec467c01f318d93c3798e55b36455fd09ba990bed55430c7331cd4956ee23bcd7af58e72f702325f194a5dc372f72527c1b85bb04f571c3
Memory dumps (resource / filesize):
- memory/2544-35-0x0000000000400000-0x0000000000497000-memory.dmp / 604KB
- memory/2544-57-0x0000000000400000-0x0000000000497000-memory.dmp / 604KB
- memory/2544-54-0x0000000000400000-0x0000000000493000-memory.dmp / 588KB
- memory/2544-37-0x0000000000400000-0x0000000000497000-memory.dmp / 604KB
- memory/2544-39-0x0000000000400000-0x0000000000497000-memory.dmp / 604KB
- memory/2544-36-0x0000000000400000-0x0000000000497000-memory.dmp / 604KB
- memory/2544-40-0x0000000000400000-0x0000000000493000-memory.dmp / 588KB
- memory/2988-49-0x0000000002D30000-0x0000000002D37000-memory.dmp / 28KB
- memory/2988-26-0x0000000002D30000-0x0000000002D37000-memory.dmp / 28KB
- memory/2988-2-0x00000000776A2000-0x00000000776A3000-memory.dmp / 4KB
- memory/2988-4-0x00000000007C0000-0x00000000007C1000-memory.dmp / 4KB
- memory/3164-46-0x0000000000400000-0x0000000000438000-memory.dmp / 224KB
- memory/3164-68-0x0000000000400000-0x0000000000434000-memory.dmp / 208KB
- memory/3164-66-0x0000000000400000-0x0000000000438000-memory.dmp / 224KB
- memory/3164-48-0x0000000000400000-0x0000000000434000-memory.dmp / 208KB
- memory/3164-43-0x0000000000400000-0x0000000000438000-memory.dmp / 224KB
- memory/3164-41-0x0000000000400000-0x0000000000438000-memory.dmp / 224KB
- memory/3572-60-0x0000000000400000-0x0000000000420000-memory.dmp / 128KB
- memory/3572-56-0x0000000000400000-0x0000000000420000-memory.dmp / 128KB
- memory/3572-44-0x0000000000400000-0x0000000000424000-memory.dmp / 144KB
- memory/3572-61-0x0000000000400000-0x0000000000424000-memory.dmp / 144KB
- memory/3572-62-0x0000000000430000-0x00000000004F9000-memory.dmp / 804KB
- memory/3572-63-0x0000000000400000-0x0000000000420000-memory.dmp / 128KB
- memory/3572-53-0x0000000000400000-0x0000000000420000-memory.dmp / 128KB
- memory/3572-51-0x0000000000400000-0x0000000000424000-memory.dmp / 144KB
- memory/4512-33-0x0000000000620000-0x0000000000627000-memory.dmp / 28KB
- memory/4512-31-0x0000000000610000-0x0000000000611000-memory.dmp / 4KB
- memory/4780-32-0x00000000020B0000-0x00000000020B1000-memory.dmp / 4KB
- memory/4780-34-0x0000000002100000-0x0000000002107000-memory.dmp / 28KB