Analysis
-
max time kernel
146s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
31/03/2024, 08:58 UTC
Static task
static1
Behavioral task
behavioral1
Sample
5249cba6e9ad2cc38bb1dd7fa259e854_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
5249cba6e9ad2cc38bb1dd7fa259e854_JaffaCakes118.exe
Resource
win10v2004-20240226-en
General
-
Target
5249cba6e9ad2cc38bb1dd7fa259e854_JaffaCakes118.exe
-
Size
418KB
-
MD5
5249cba6e9ad2cc38bb1dd7fa259e854
-
SHA1
518e393a330d5edbb88c4d059df35ecfb634ccb7
-
SHA256
608e74643884b5e54701cf0e7a15dbf18ff2a86676f94b118ff1dafa3b4e03dd
-
SHA512
cf1b31bd9cb9358de9b3acbe03222ff90fd0f9ecaca6c4a7bea3f5b97ceae5f60ab06833d6f7dca2fd69798260d9a328145c08aa4189f2fbac5db041b1b9aa16
-
SSDEEP
6144:Yz3ogwdGRIHLeJs3dfn2Vjcn/Vgth59QFCMSiBtX3Y42Tv25aoZ1Y:YroNdpCJEf2VIn/Vs3SCgrYFkNS
Malware Config
Extracted
oski
samkoproducts.xyz
Signatures
-
Oski
Oski is an infostealer targeting browser data, crypto wallets.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 648 set thread context of 2472 648 5249cba6e9ad2cc38bb1dd7fa259e854_JaffaCakes118.exe 96 -
Program crash 1 IoCs
pid pid_target Process procid_target 2904 2472 WerFault.exe 96 -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 648 wrote to memory of 2472 648 5249cba6e9ad2cc38bb1dd7fa259e854_JaffaCakes118.exe 96 PID 648 wrote to memory of 2472 648 5249cba6e9ad2cc38bb1dd7fa259e854_JaffaCakes118.exe 96 PID 648 wrote to memory of 2472 648 5249cba6e9ad2cc38bb1dd7fa259e854_JaffaCakes118.exe 96 PID 648 wrote to memory of 2472 648 5249cba6e9ad2cc38bb1dd7fa259e854_JaffaCakes118.exe 96 PID 648 wrote to memory of 2472 648 5249cba6e9ad2cc38bb1dd7fa259e854_JaffaCakes118.exe 96 PID 648 wrote to memory of 2472 648 5249cba6e9ad2cc38bb1dd7fa259e854_JaffaCakes118.exe 96 PID 648 wrote to memory of 2472 648 5249cba6e9ad2cc38bb1dd7fa259e854_JaffaCakes118.exe 96 PID 648 wrote to memory of 2472 648 5249cba6e9ad2cc38bb1dd7fa259e854_JaffaCakes118.exe 96 PID 648 wrote to memory of 2472 648 5249cba6e9ad2cc38bb1dd7fa259e854_JaffaCakes118.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\5249cba6e9ad2cc38bb1dd7fa259e854_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\5249cba6e9ad2cc38bb1dd7fa259e854_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:648 -
C:\Users\Admin\AppData\Local\Temp\5249cba6e9ad2cc38bb1dd7fa259e854_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\5249cba6e9ad2cc38bb1dd7fa259e854_JaffaCakes118.exe"2⤵PID:2472
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 13123⤵
- Program crash
PID:2904
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2472 -ip 24721⤵PID:4532
Network
-
Remote address:8.8.8.8:53Request58.55.71.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request0.205.248.87.in-addr.arpaIN PTRResponse0.205.248.87.in-addr.arpaIN PTRhttps-87-248-205-0lgwllnwnet
-
Remote address:8.8.8.8:53Request178.223.142.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request133.32.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request149.220.183.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request104.219.191.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request183.59.114.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request171.39.242.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestsamkoproducts.xyzIN AResponse
-
Remote address:8.8.8.8:53Request217.135.221.88.in-addr.arpaIN PTRResponse217.135.221.88.in-addr.arpaIN PTRa88-221-135-217deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request14.227.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request209.143.182.52.in-addr.arpaIN PTRResponse
-
70 B 144 B 1 1
DNS Request
58.55.71.13.in-addr.arpa
-
71 B 116 B 1 1
DNS Request
0.205.248.87.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
178.223.142.52.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
133.32.126.40.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
149.220.183.52.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
104.219.191.52.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
183.59.114.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
171.39.242.20.in-addr.arpa
-
63 B 128 B 1 1
DNS Request
samkoproducts.xyz
-
73 B 139 B 1 1
DNS Request
217.135.221.88.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
14.227.111.52.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
209.143.182.52.in-addr.arpa