Overview

overview

10

Static

static

3

0d88cf8de4...18.exe

windows7-x64

10

0d88cf8de4...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-05-2024 04:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0d88cf8de40612246c04de7dadb4dc56_JaffaCakes118.exe

  • Size

    800KB

  • MD5

    0d88cf8de40612246c04de7dadb4dc56

  • SHA1

    2ca8d4c46d13a84e16970fb55e17d6544cb51878

  • SHA256

    2082c4f394b08d4bb03367395ec711487ee88fc8eed4a7d0eff97f0ad8ea7cee

  • SHA512

    375f55741a08625031c3427066b906c663d36b99e760a059aa4a5f700d9976696690b8fb8b9fb2746091aceab4fdcdb951bf3f5a72e71e7ebce4f80152df84e4

  • SSDEEP

    24576:G0xnF8LExZhh4Ze2fduGU58bVhXwnoN12dn1ixM2c7gF:G0xnF8LEfhh4kSdRU58woN1UnYxMB7

Score
10/10
azorultoskiraccoonzgrat236c7f8a01d741b888dc6b6209805e66d41e62bainfostealerratspywarestealertrojan

Malware Config

Extracted

Family

raccoon

Botnet

236c7f8a01d741b888dc6b6209805e66d41e62ba

Attributes
  • url4cnc

    https://telete.in/brikitiki

rc4.plain
rc4.plain

Extracted

Family

oski

C2

courtneysdv.ac.ug

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult
  • Detect ZGRat V1 1 IoCs
  • Oski

    Oski is an infostealer targeting browser data, crypto wallets.

    infostealeroski
  • Raccoon

    Raccoon is an infostealer written in C++ and first seen in 2019.

    stealerraccoon
  • Raccoon Stealer V1 payload 4 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0d88cf8de40612246c04de7dadb4dc56_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0d88cf8de40612246c04de7dadb4dc56_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2244
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Jzsrlsk.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3204
      • C:\Users\Admin\AppData\Local\Temp\Lime_oluma.exe
        "C:\Users\Admin\AppData\Local\Temp\Lime_oluma.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2200
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Lvrhculfm.vbs"
          4⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:2408
          • C:\Users\Admin\AppData\Local\Temp\Lime_aluma.exe
            "C:\Users\Admin\AppData\Local\Temp\Lime_aluma.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3300
            • C:\Users\Admin\AppData\Local\Temp\Lime_aluma.exe
              "C:\Users\Admin\AppData\Local\Temp\Lime_aluma.exe"
              6⤵
              • Executes dropped EXE
              PID:3392
        • C:\Users\Admin\AppData\Local\Temp\Lime_oluma.exe
          "C:\Users\Admin\AppData\Local\Temp\Lime_oluma.exe"
          4⤵
          • Executes dropped EXE
          PID:3832
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 1276
            5⤵
            • Program crash
            PID:552
    • C:\Users\Admin\AppData\Local\Temp\0d88cf8de40612246c04de7dadb4dc56_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0d88cf8de40612246c04de7dadb4dc56_JaffaCakes118.exe"
      2⤵
        PID:4484
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3832 -ip 3832
      1⤵
        PID:1188

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Jzsrlsk.vbs
        Filesize

        98B

        MD5

        dd3eed3f345a124bbe6e98110d2084b8

        SHA1

        b89e0ee29eee6d5ba80760f958de242bb99987e4

        SHA256

        9480afebd90c6f8a0c7017dd518f43eface7f4019615d5a2ed36576d40abb66b

        SHA512

        566671d62af950420591d72ca3475873700a76fc699050249755bcd66c4f06791cf8fdf59a9bcf7a233a9e14ee257c2a32623638e1184f9da968c074a9452cdc

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Lime_aluma.exe
        Filesize

        197KB

        MD5

        b9b44b60fdcacf5e1421c9cc20c9bd1e

        SHA1

        e226db9c1a1dd27420c53fc1e5be8a8a48eaa659

        SHA256

        242dcfa01b6427b9de4fb28d82935e3da0b2495fa9f6dea2cf64f6b9b8d6a0bb

        SHA512

        ba0c1e862ac064d3fe3d7324b8ae9bbe1b19d68af02d53a522697aeeea5fc6e5c5b4b955f58e7bdbd1f7f623260468043270501cc5cd09c13914f2d09958cd77

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Lime_oluma.exe
        Filesize

        396KB

        MD5

        8a9dbb02d3dec39f918d3268b9e6b532

        SHA1

        eb00edef5c21013b280a0492030e108ef1ced109

        SHA256

        0ed804428ecb0ee5fa3a1d044cdc33468fe5c94deb3308f49b64b668bff9f4d1

        SHA512

        148dae521c1cb6114a88ae34dd5a9782a5b6e634c5d7d27f77349b2ef731955257b023946f0531c2dce14b82f11730e6459f2a009a958d03bae008731b95e0af

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Lvrhculfm.vbs
        Filesize

        98B

        MD5

        f39c9900eda949eb53c6ede7d3849929

        SHA1

        748ac2a9f9a62861394ec74b4d986e64987f63f3

        SHA256

        549f2e8f869594c61a88279ea0187916b121ed3d41f089a1908cec259f814d1c

        SHA512

        08e6600abcc03926622afa52700fe85cfa66b9b5c6cfad3832572b5d1a1150858393ea617ff8cbe22434eaa9fcd48d5f3807a0d1cdd533fe26b6ec9a9f9699ca

        Download Submit

      • memory/2200-24-0x000000000AF60000-0x000000000AFBC000-memory.dmp

        Filesize

        368KB

        Download

      • memory/2200-23-0x0000000005260000-0x0000000005266000-memory.dmp

        Filesize

        24KB

        Download

      • memory/2200-22-0x0000000000A90000-0x0000000000AFC000-memory.dmp

        Filesize

        432KB

        Download

      • memory/2244-7-0x0000000005D70000-0x0000000005E32000-memory.dmp

        Filesize

        776KB

        Download

      • memory/2244-4-0x0000000074D80000-0x0000000075530000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2244-12-0x0000000006FF0000-0x0000000007002000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2244-18-0x0000000074D80000-0x0000000075530000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2244-0-0x0000000074D8E000-0x0000000074D8F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2244-1-0x0000000000440000-0x0000000000510000-memory.dmp

        Filesize

        832KB

        Download

      • memory/2244-2-0x0000000002760000-0x0000000002766000-memory.dmp

        Filesize

        24KB

        Download

      • memory/2244-3-0x00000000099B0000-0x0000000009F54000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/2244-6-0x0000000005070000-0x000000000507A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2244-5-0x0000000004F80000-0x0000000005012000-memory.dmp

        Filesize

        584KB

        Download

      • memory/3300-36-0x0000000000800000-0x000000000083A000-memory.dmp

        Filesize

        232KB

        Download

      • memory/3300-37-0x0000000002AA0000-0x0000000002AA6000-memory.dmp

        Filesize

        24KB

        Download

      • memory/3300-40-0x0000000005F70000-0x0000000005F9C000-memory.dmp

        Filesize

        176KB

        Download

      • memory/3392-41-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3392-44-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3832-32-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3832-29-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4484-19-0x0000000000400000-0x0000000000493000-memory.dmp

        Filesize

        588KB

        Download

      • memory/4484-14-0x0000000000400000-0x0000000000493000-memory.dmp

        Filesize

        588KB

        Download

      • memory/4484-16-0x0000000000400000-0x0000000000493000-memory.dmp

        Filesize

        588KB

        Download

      • memory/4484-13-0x0000000000400000-0x0000000000493000-memory.dmp

        Filesize

        588KB

        Download