Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
-
submitted
06-05-2024 15:09
General
-
Target
1d14c938c3dc37a1e53ffa556b22d177_JaffaCakes118.exe
-
Size
1.0MB
-
MD5
1d14c938c3dc37a1e53ffa556b22d177
-
SHA1
d212b0d999e33da5994d3966e4bcbb369b1c7289
-
SHA256
fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493
-
SHA512
816370cd07c7c04fd6a113c2ebb8fa878d7b4df186101e5bd337bc1f931c292d9d72c7cd6c2895c17be612c79d5ab5a56a848407a8072a25f2817f98c1bac176
-
SSDEEP
12288:K5Ar24e2MaUYo2TVXsdSY7h02P9e1BSPjY7o5B/hlG4sPY0dye3AaQYeFaotTQpv:K5Q7v+7h02Pg+M74HGfIaQ6rei
Malware Config
Extracted
raccoon
d58ee081e4d259676e5c18189c82f5356e64ec30
-
url4cnc
https://telete.in/brikitiki
Extracted
azorult
http://195.245.112.115/index.php
Extracted
oski
courtneysdv.ac.ug
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Oski
Oski is an infostealer targeting browser data, crypto wallets.
-
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
-
Raccoon Stealer V1 payload 7 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1d14c938c3dc37a1e53ffa556b22d177_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1d14c938c3dc37a1e53ffa556b22d177_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\CVhffgrdDFbv.exe"C:\Users\Admin\AppData\Local\Temp\CVhffgrdDFbv.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\CVhffgrdDFbv.exe"C:\Users\Admin\AppData\Local\Temp\CVhffgrdDFbv.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\AppData\Local\Temp\zVhgfgjbnv.exe"C:\Users\Admin\AppData\Local\Temp\zVhgfgjbnv.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\zVhgfgjbnv.exe"C:\Users\Admin\AppData\Local\Temp\zVhgfgjbnv.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 13044⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1d14c938c3dc37a1e53ffa556b22d177_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1d14c938c3dc37a1e53ffa556b22d177_JaffaCakes118.exe"2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 436 -ip 4361⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
232KB
MD502a3dc4aeb09f2d0c48a47922bed2d73
SHA1ad59fb3b77bb02a2a38ddba31d617b17eeffb276
SHA2564a2d4f9ed9d34ba93219ad56c5d20902b89ecf8541afde59d1c321e0784f3b57
SHA51222bab6e49b3528b8e74b943c70541b1fbf4eb5b0d57924bf4bf4ae461fd5253e1d6ea3b7b1aff9263f1175d059c8daa4cb6236e869a16b2e585cc0ebe58f9e06
-
Filesize
276KB
MD53353c49b01e245c14103afb71443c724
SHA19d51ca208eb1d2d7e0b9bbd399af7e17bfcb2e97
SHA25629fc25aa5e1cae33ce7df5819cb4cd586784828039f4cda5b4f16583cf92a2d6
SHA512a636f77352ccf2a52778631f2c43365290ae9a7da8e686c28ebe259c63f910269b9f0df5d0595cd46d25f9aa64c84c6423e596fc771ef4c9e024be75448b50df
-
Filesize
224KB
-
Filesize
224KB
-
Filesize
224KB
-
Filesize
208KB
-
Filesize
4KB
-
Filesize
28KB
-
Filesize
604KB
-
Filesize
588KB
-
Filesize
604KB
-
Filesize
604KB
-
Filesize
604KB
-
Filesize
588KB
-
Filesize
604KB
-
Filesize
28KB
-
Filesize
4KB
-
Filesize
28KB
-
Filesize
4KB
-
Filesize
28KB
-
Filesize
4KB
-
Filesize
144KB
-
Filesize
128KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
128KB