Analysis
max time kernel: 150s
max time network: 154s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 02-05-2024 04:44
Static task
static1
Behavioral task
behavioral1
Sample
0d88cf8de40612246c04de7dadb4dc56_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
0d88cf8de40612246c04de7dadb4dc56_JaffaCakes118.exe
Resource
win10v2004-20240426-en
General
Target: 0d88cf8de40612246c04de7dadb4dc56_JaffaCakes118.exe
Size: 800KB
MD5: 0d88cf8de40612246c04de7dadb4dc56
SHA1: 2ca8d4c46d13a84e16970fb55e17d6544cb51878
SHA256: 2082c4f394b08d4bb03367395ec711487ee88fc8eed4a7d0eff97f0ad8ea7cee
SHA512: 375f55741a08625031c3427066b906c663d36b99e760a059aa4a5f700d9976696690b8fb8b9fb2746091aceab4fdcdb951bf3f5a72e71e7ebce4f80152df84e4
SSDEEP: 24576:G0xnF8LExZhh4Ze2fduGU58bVhXwnoN12dn1ixM2c7gF:G0xnF8LEfhh4kSdRU58woN1UnYxMB7
Malware Config
Extracted: raccoon
236c7f8a01d741b888dc6b6209805e66d41e62ba
url4cnc: https://telete.in/brikitiki
Extracted: oski
courtneysdv.ac.ug
Extracted: azorult
http://195.245.112.115/index.php
Signatures
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
Detect ZGRat V1 1 IoCs
resource | yara_rule
behavioral1/memory/2168-9-0x0000000001EB0000-0x0000000001EC2000-memory.dmp | family_zgrat_v1
Oski
Oski is an infostealer targeting browser data and crypto wallets.
Raccoon Stealer V1 payload 6 IoCs
resource | yara_rule
behavioral1/memory/2540-20-0x0000000000400000-0x0000000000493000-memory.dmp | family_raccoon_v1
behavioral1/memory/2540-21-0x0000000000400000-0x0000000000493000-memory.dmp | family_raccoon_v1
behavioral1/memory/2540-17-0x0000000000400000-0x0000000000493000-memory.dmp | family_raccoon_v1
behavioral1/memory/2540-14-0x0000000000400000-0x0000000000493000-memory.dmp | family_raccoon_v1
behavioral1/memory/2540-13-0x0000000000400000-0x0000000000493000-memory.dmp | family_raccoon_v1
behavioral1/memory/2540-76-0x0000000000400000-0x0000000000493000-memory.dmp | family_raccoon_v1
Executes dropped EXE 4 IoCs
pid | Process
2568 | Lime_oluma.exe
2516 | Lime_oluma.exe
928 | Lime_aluma.exe
1920 | Lime_aluma.exe
Loads dropped DLL 9 IoCs
pid | Process
2944 | WScript.exe
2568 | Lime_oluma.exe
2468 | WScript.exe
2572 | WerFault.exe
2572 | WerFault.exe
2572 | WerFault.exe
2572 | WerFault.exe
2572 | WerFault.exe
928 | Lime_aluma.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Suspicious use of SetThreadContext 3 IoCs
description | pid Process | procid_target
PID 2168 set thread context of 2540 | 2168 0d88cf8de40612246c04de7dadb4dc56_JaffaCakes118.exe | 29
PID 2568 set thread context of 2516 | 2568 Lime_oluma.exe | 32
PID 928 set thread context of 1920 | 928 Lime_aluma.exe | 36
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
pid | pid_target Process | procid_target
2572 | 2516 WerFault.exe | 32
Modifies system certificate store
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | 0d88cf8de40612246c04de7dadb4dc56_JaffaCakes118.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 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 | 0d88cf8de40612246c04de7dadb4dc56_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
2168 | 0d88cf8de40612246c04de7dadb4dc56_JaffaCakes118.exe
2168 | 0d88cf8de40612246c04de7dadb4dc56_JaffaCakes118.exe
2568 | Lime_oluma.exe
2568 | Lime_oluma.exe
928 | Lime_aluma.exe
928 | Lime_aluma.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid Process
Token: SeDebugPrivilege | 2168 0d88cf8de40612246c04de7dadb4dc56_JaffaCakes118.exe
Token: SeDebugPrivilege | 2568 Lime_oluma.exe
Token: SeDebugPrivilege | 928 Lime_aluma.exe
Suspicious use of WriteProcessMemory 50 IoCs
description | pid Process | procid_target
PID 2168 wrote to memory of 2944 | 2168 0d88cf8de40612246c04de7dadb4dc56_JaffaCakes118.exe | 28
PID 2168 wrote to memory of 2944 | 2168 0d88cf8de40612246c04de7dadb4dc56_JaffaCakes118.exe | 28
PID 2168 wrote to memory of 2944 | 2168 0d88cf8de40612246c04de7dadb4dc56_JaffaCakes118.exe | 28
PID 2168 wrote to memory of 2944 | 2168 0d88cf8de40612246c04de7dadb4dc56_JaffaCakes118.exe | 28
PID 2168 wrote to memory of 2540 | 2168 0d88cf8de40612246c04de7dadb4dc56_JaffaCakes118.exe | 29
PID 2168 wrote to memory of 2540 | 2168 0d88cf8de40612246c04de7dadb4dc56_JaffaCakes118.exe | 29
PID 2168 wrote to memory of 2540 | 2168 0d88cf8de40612246c04de7dadb4dc56_JaffaCakes118.exe | 29
PID 2168 wrote to memory of 2540 | 2168 0d88cf8de40612246c04de7dadb4dc56_JaffaCakes118.exe | 29
PID 2168 wrote to memory of 2540 | 2168 0d88cf8de40612246c04de7dadb4dc56_JaffaCakes118.exe | 29
PID 2168 wrote to memory of 2540 | 2168 0d88cf8de40612246c04de7dadb4dc56_JaffaCakes118.exe | 29
PID 2168 wrote to memory of 2540 | 2168 0d88cf8de40612246c04de7dadb4dc56_JaffaCakes118.exe | 29
PID 2168 wrote to memory of 2540 | 2168 0d88cf8de40612246c04de7dadb4dc56_JaffaCakes118.exe | 29
PID 2168 wrote to memory of 2540 | 2168 0d88cf8de40612246c04de7dadb4dc56_JaffaCakes118.exe | 29
PID 2168 wrote to memory of 2540 | 2168 0d88cf8de40612246c04de7dadb4dc56_JaffaCakes118.exe | 29
PID 2944 wrote to memory of 2568 | 2944 WScript.exe | 30
PID 2944 wrote to memory of 2568 | 2944 WScript.exe | 30
PID 2944 wrote to memory of 2568 | 2944 WScript.exe | 30
PID 2944 wrote to memory of 2568 | 2944 WScript.exe | 30
PID 2568 wrote to memory of 2468 | 2568 Lime_oluma.exe | 31
PID 2568 wrote to memory of 2468 | 2568 Lime_oluma.exe | 31
PID 2568 wrote to memory of 2468 | 2568 Lime_oluma.exe | 31
PID 2568 wrote to memory of 2468 | 2568 Lime_oluma.exe | 31
PID 2568 wrote to memory of 2516 | 2568 Lime_oluma.exe | 32
PID 2568 wrote to memory of 2516 | 2568 Lime_oluma.exe | 32
PID 2568 wrote to memory of 2516 | 2568 Lime_oluma.exe | 32
PID 2568 wrote to memory of 2516 | 2568 Lime_oluma.exe | 32
PID 2568 wrote to memory of 2516 | 2568 Lime_oluma.exe | 32
PID 2568 wrote to memory of 2516 | 2568 Lime_oluma.exe | 32
PID 2568 wrote to memory of 2516 | 2568 Lime_oluma.exe | 32
PID 2568 wrote to memory of 2516 | 2568 Lime_oluma.exe | 32
PID 2568 wrote to memory of 2516 | 2568 Lime_oluma.exe | 32
PID 2568 wrote to memory of 2516 | 2568 Lime_oluma.exe | 32
PID 2468 wrote to memory of 928 | 2468 WScript.exe | 34
PID 2468 wrote to memory of 928 | 2468 WScript.exe | 34
PID 2468 wrote to memory of 928 | 2468 WScript.exe | 34
PID 2468 wrote to memory of 928 | 2468 WScript.exe | 34
PID 2516 wrote to memory of 2572 | 2516 Lime_oluma.exe | 35
PID 2516 wrote to memory of 2572 | 2516 Lime_oluma.exe | 35
PID 2516 wrote to memory of 2572 | 2516 Lime_oluma.exe | 35
PID 2516 wrote to memory of 2572 | 2516 Lime_oluma.exe | 35
PID 928 wrote to memory of 1920 | 928 Lime_aluma.exe | 36
PID 928 wrote to memory of 1920 | 928 Lime_aluma.exe | 36
PID 928 wrote to memory of 1920 | 928 Lime_aluma.exe | 36
PID 928 wrote to memory of 1920 | 928 Lime_aluma.exe | 36
PID 928 wrote to memory of 1920 | 928 Lime_aluma.exe | 36
PID 928 wrote to memory of 1920 | 928 Lime_aluma.exe | 36
PID 928 wrote to memory of 1920 | 928 Lime_aluma.exe | 36
PID 928 wrote to memory of 1920 | 928 Lime_aluma.exe | 36
PID 928 wrote to memory of 1920 | 928 Lime_aluma.exe | 36
PID 928 wrote to memory of 1920 | 928 Lime_aluma.exe | 36
Processes
C:\Users\Admin\AppData\Local\Temp\0d88cf8de40612246c04de7dadb4dc56_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\0d88cf8de40612246c04de7dadb4dc56_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2168
    C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Jzsrlsk.vbs"
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID:2944
        C:\Users\Admin\AppData\Local\Temp\Lime_oluma.exe
          "C:\Users\Admin\AppData\Local\Temp\Lime_oluma.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID:2568
            C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Lvrhculfm.vbs"
              - Loads dropped DLL
              - Suspicious use of WriteProcessMemory
              PID:2468
                C:\Users\Admin\AppData\Local\Temp\Lime_aluma.exe
                  "C:\Users\Admin\AppData\Local\Temp\Lime_aluma.exe"
                  - Executes dropped EXE
                  - Loads dropped DLL
                  - Suspicious use of SetThreadContext
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                  PID:928
                    C:\Users\Admin\AppData\Local\Temp\Lime_aluma.exe
                      "C:\Users\Admin\AppData\Local\Temp\Lime_aluma.exe"
                      - Executes dropped EXE
                      PID:1920
            C:\Users\Admin\AppData\Local\Temp\Lime_oluma.exe
              "C:\Users\Admin\AppData\Local\Temp\Lime_oluma.exe"
              - Executes dropped EXE
              - Suspicious use of WriteProcessMemory
              PID:2516
                C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 824
                  - Loads dropped DLL
                  - Program crash
                  PID:2572
    C:\Users\Admin\AppData\Local\Temp\0d88cf8de40612246c04de7dadb4dc56_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0d88cf8de40612246c04de7dadb4dc56_JaffaCakes118.exe"
      - Modifies system certificate store
      PID:2540
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 98B
MD5: dd3eed3f345a124bbe6e98110d2084b8
SHA1: b89e0ee29eee6d5ba80760f958de242bb99987e4
SHA256: 9480afebd90c6f8a0c7017dd518f43eface7f4019615d5a2ed36576d40abb66b
SHA512: 566671d62af950420591d72ca3475873700a76fc699050249755bcd66c4f06791cf8fdf59a9bcf7a233a9e14ee257c2a32623638e1184f9da968c074a9452cdc

Filesize: 197KB
MD5: b9b44b60fdcacf5e1421c9cc20c9bd1e
SHA1: e226db9c1a1dd27420c53fc1e5be8a8a48eaa659
SHA256: 242dcfa01b6427b9de4fb28d82935e3da0b2495fa9f6dea2cf64f6b9b8d6a0bb
SHA512: ba0c1e862ac064d3fe3d7324b8ae9bbe1b19d68af02d53a522697aeeea5fc6e5c5b4b955f58e7bdbd1f7f623260468043270501cc5cd09c13914f2d09958cd77

Filesize: 396KB
MD5: 8a9dbb02d3dec39f918d3268b9e6b532
SHA1: eb00edef5c21013b280a0492030e108ef1ced109
SHA256: 0ed804428ecb0ee5fa3a1d044cdc33468fe5c94deb3308f49b64b668bff9f4d1
SHA512: 148dae521c1cb6114a88ae34dd5a9782a5b6e634c5d7d27f77349b2ef731955257b023946f0531c2dce14b82f11730e6459f2a009a958d03bae008731b95e0af

Filesize: 98B
MD5: f39c9900eda949eb53c6ede7d3849929
SHA1: 748ac2a9f9a62861394ec74b4d986e64987f63f3
SHA256: 549f2e8f869594c61a88279ea0187916b121ed3d41f089a1908cec259f814d1c
SHA512: 08e6600abcc03926622afa52700fe85cfa66b9b5c6cfad3832572b5d1a1150858393ea617ff8cbe22434eaa9fcd48d5f3807a0d1cdd533fe26b6ec9a9f9699ca