Analysis
-
max time kernel: 148s
max time network: 149s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64 arch:x86 image:win7-20240419-en locale:en-us os:windows7-x64 system
submitted: 07-05-2024 05:55
Static task: static1
Behavioral task: behavioral1
Sample: 1fa8859a60ac751d2f902ba0ba4f7f8d_JaffaCakes118.ps1
Resource: win7-20240419-en
Behavioral task: behavioral2
Sample: 1fa8859a60ac751d2f902ba0ba4f7f8d_JaffaCakes118.ps1
Resource: win10v2004-20240419-en
General
-
Target
1fa8859a60ac751d2f902ba0ba4f7f8d_JaffaCakes118.ps1
-
Size
1.9MB
-
MD5
1fa8859a60ac751d2f902ba0ba4f7f8d
-
SHA1
71ecc132df74adf48989f6074d505120f3af7b60
-
SHA256
79abefa5e6692a3096c000815a138d47c43d361b93ff73c2b13a1c8b77321543
-
SHA512
3452de68d6022daa980f9f82f918107e6d7c28d8d8cf5bb96b66917485d9e6d702fe44f91bd2fa8fc09097201cf927bb2ab71482759bca59b2660fff7ce1e598
-
SSDEEP
24576:BKQruemcQ8gZaiZF3xLUGWyWrPwBAOc1sz7LDOjLO/r30/gRo3zDuvxeS7U:wQg3jcwBhuIj0oRXV4
Malware Config
Extracted
azorult
http://195.245.112.115/index.php
Extracted
oski
tomasisa.ug
Extracted
raccoon
089d42bf776aba2e6326c9c557e433da6c3501f4
-
url4cnc
https://telete.in/jrikitiki
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Oski
Oski is an infostealer targeting browser data and cryptocurrency wallets.
-
Raccoon Stealer V1 payload 3 IoCs
Processes:
resource                                                                     yara_rule
behavioral1/memory/1836-56-0x0000000000400000-0x0000000000497000-memory.dmp   family_raccoon_v1
behavioral1/memory/1836-58-0x0000000000400000-0x0000000000497000-memory.dmp   family_raccoon_v1
behavioral1/memory/1836-64-0x0000000000400000-0x0000000000493000-memory.dmp   family_raccoon_v1
All three hits are in memory dumps of PID 1836, the second xph.exe instance whose thread context is set by its parent (PID 2708, see "Suspicious use of SetThreadContext"). The Raccoon signature matches only in the memory of that child; no file-level hit is reported, so the on-disk xph.exe is the loader rather than the payload.
-
Executes dropped EXE 6 IoCs
Processes:
pid   process
2708  xph.exe
3064  Jvdacbs.exe
2656  Pkdfshbas.exe
3008  Jvdacbs.exe
2612  Pkdfshbas.exe
1836  xph.exe
-
Loads dropped DLL 11 IoCs
Processes:
pid   process        (one row per DLL load)
2708  xph.exe
2708  xph.exe
3064  Jvdacbs.exe
2708  xph.exe
2708  xph.exe
2656  Pkdfshbas.exe
1040  WerFault.exe
1040  WerFault.exe
1040  WerFault.exe
1040  WerFault.exe
1040  WerFault.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
pid   process        target pid  target process
3064  Jvdacbs.exe    3008        Jvdacbs.exe
2656  Pkdfshbas.exe  2612        Pkdfshbas.exe
2708  xph.exe        1836        xph.exe
In each case the target is a direct child of the caller running the same image (see the process tree below): the parent starts a second copy of itself and rewrites its main thread's context, the usual process-hollowing sequence.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
pid   process       target pid  target process
1040  WerFault.exe  2612        Pkdfshbas.exe
-
Modifies system certificate store 2 IoCs
The two registry operations below, performed by the second xph.exe instance (PID 1836), add a certificate to the machine-wide ROOT store under its SHA-1 thumbprint. The Blob value is a CryptoAPI serialized certificate element: a flat sequence of (property id, reserved = 1, length, data) records. The records visible in the value are the MD5 hash (id 0x04), key identifier (0x14), SHA-1 hash (0x03, cabd2a79…, equal to the key name), signature hash (0x0f), subject-public-key MD5 (0x19) and the DER certificate itself (0x20, 0x56f = 1391 bytes). Decoding the DER from its hex gives subject C=US, O=Internet Security Research Group, CN=ISRG Root X1, valid 2015-06-04 to 2035-06-04: the public Let's Encrypt root, not an attacker-issued CA. A plausible reading is that the payload installs the root so that TLS to a Let's Encrypt-issued certificate (the Raccoon config's url4cnc is an https:// URL) succeeds on an image that lacks it; the IoC corroborates the C2 activity but does not by itself indicate TLS interception.
Processes:
description        ioc                                                                                                                process
xph.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 xph.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e
78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 xph.exe -
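As an added worked example (not part of the sandbox report): the Blob value above is a CryptoAPI serialized certificate element, a flat sequence of (property id, reserved = 1, length, data) records. The parser below walks those records, names the property ids from wincrypt.h, checks that the CERT_SHA1_HASH_PROP_ID record equals the registry key name and, when a CERT_CERT_PROP_ID record is present, that the SHA-1 of the DER body agrees with it. The sample blob is the first five records of the report's value copied verbatim; the 1391-byte DER record is left out of the sample, and a second blob with a bogus certificate body is constructed to exercise the mismatch path. The function and constant names are mine, not the report's.

```python
"""Parse a CryptoAPI serialized certificate element, the format of the Blob value
under HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\<store>\\Certificates\\<sha1>,
and cross-check its hash records against the registry key name.
Added example for this report; function and constant names are the author's."""
import hashlib
import struct

# Property ids from wincrypt.h (CERT_*_PROP_ID); others are reported by number.
PROP_NAMES = {
    0x03: "CERT_SHA1_HASH_PROP_ID",
    0x04: "CERT_MD5_HASH_PROP_ID",
    0x0F: "CERT_SIGNATURE_HASH_PROP_ID",
    0x14: "CERT_KEY_IDENTIFIER_PROP_ID",
    0x19: "CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID",
    0x20: "CERT_CERT_PROP_ID",
}

# Registry key name from the report: the SHA-1 thumbprint of the added root.
KEY_NAME = "CABD2A79A1076A31F21D253635CB039D4329A5E8"

# First five records of the report's Blob value, copied verbatim. The sixth
# record (0x20, 1391 bytes of DER) is omitted from this sample input.
SAMPLE_BLOB = bytes.fromhex(
    "0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e"
    "14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e"
    "030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e8"
    "0f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63"
    "1900000001000000100000002fe1f70bb05d7c92335bc5e05b984da6"
)


def make_record(prop_id: int, data: bytes) -> bytes:
    """Build one (prop_id, reserved=1, length, data) record."""
    return struct.pack("<III", prop_id, 1, len(data)) + data


# Constructed negative case: the same hash records followed by a bogus
# certificate body, so the DER hash cannot agree with the SHA-1 record.
TAMPERED_BLOB = SAMPLE_BLOB + make_record(0x20, b"not a certificate")


def parse_cert_blob(blob: bytes) -> dict:
    """Walk the records and return {prop_id: data}; raise on a malformed blob."""
    props = {}
    off = 0
    while off < len(blob):
        if len(blob) - off < 12:
            raise ValueError(f"truncated record header at offset {off}")
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        if reserved != 1:
            raise ValueError(f"unexpected reserved field {reserved:#x} at offset {off}")
        off += 12
        if off + length > len(blob):
            raise ValueError(f"record {prop_id:#x} claims {length} bytes, {len(blob) - off} left")
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def check_blob(blob: bytes, key_name: str) -> dict:
    """Report which properties are present and whether the hashes agree with the key name."""
    props = parse_cert_blob(blob)
    report = {
        "properties": {PROP_NAMES.get(k, f"prop_{k:#x}"): len(v) for k, v in props.items()},
        "sha1_matches_key_name": False,
        "der_matches_sha1_prop": None,  # stays None when no certificate body is present
    }
    sha1_prop = props.get(0x03)
    if sha1_prop is not None:
        report["sha1_matches_key_name"] = sha1_prop.hex().upper() == key_name.upper()
    der = props.get(0x20)
    if der is not None:
        report["der_sha1"] = hashlib.sha1(der).hexdigest()
        report["der_matches_sha1_prop"] = hashlib.sha1(der).digest() == sha1_prop
    return report


if __name__ == "__main__":
    for name, blob in (("report blob", SAMPLE_BLOB), ("tampered blob", TAMPERED_BLOB)):
        print(name, check_blob(blob, KEY_NAME))
```

The same parser works on a Blob value exported from an offline SOFTWARE hive; with the full value from the report (including the 0x20 record) the DER hash check would confirm that the thumbprint in the key name really belongs to the certificate that was written, which is the check to run before trusting a key name as an identifier.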
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
pid   process
2424  powershell.exe
-
Suspicious behavior: MapViewOfSection 3 IoCs
Processes:
pid   process
3064  Jvdacbs.exe
2656  Pkdfshbas.exe
2708  xph.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
pid   process         token
2424  powershell.exe  SeDebugPrivilege
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
pid   process
2708  xph.exe
3064  Jvdacbs.exe
2656  Pkdfshbas.exe
-
Suspicious use of WriteProcessMemory 31 IoCs
Processes:
pid   process         target pid  target process  writes
2424  powershell.exe  2708        xph.exe         4
2708  xph.exe         3064        Jvdacbs.exe     4
2708  xph.exe         2656        Pkdfshbas.exe   4
3064  Jvdacbs.exe     3008        Jvdacbs.exe     5
2656  Pkdfshbas.exe   2612        Pkdfshbas.exe   5
2708  xph.exe         1836        xph.exe         5
2612  Pkdfshbas.exe   1040        WerFault.exe    4
Each write is a separate "PID x wrote to memory of y" row in the report, 31 in total. Writes into a newly created child also accompany ordinary process creation (powershell.exe into xph.exe, Pkdfshbas.exe into WerFault.exe), so the count alone is not the signal; the three same-image pairs are the ones whose parent additionally sets the child's thread context (see "Suspicious use of SetThreadContext"), the usual process-hollowing sequence.
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 1)
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\1fa8859a60ac751d2f902ba0ba4f7f8d_JaffaCakes118.ps1
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2424
-
  C:\Users\Public\xph.exe (depth 2)
  "C:\Users\Public\xph.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2708
-
    C:\Users\Admin\AppData\Local\Temp\Jvdacbs.exe (depth 3)
    "C:\Users\Admin\AppData\Local\Temp\Jvdacbs.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3064
-
      C:\Users\Admin\AppData\Local\Temp\Jvdacbs.exe (depth 4)
      "C:\Users\Admin\AppData\Local\Temp\Jvdacbs.exe"
      - Executes dropped EXE
      PID:3008
-
    C:\Users\Admin\AppData\Local\Temp\Pkdfshbas.exe (depth 3)
    "C:\Users\Admin\AppData\Local\Temp\Pkdfshbas.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2656
-
      C:\Users\Admin\AppData\Local\Temp\Pkdfshbas.exe (depth 4)
      "C:\Users\Admin\AppData\Local\Temp\Pkdfshbas.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID:2612
-
        C:\Windows\SysWOW64\WerFault.exe (depth 5)
        C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 776
        - Loads dropped DLL
        - Program crash
        PID:1040
-
    C:\Users\Public\xph.exe (depth 3)
    "C:\Users\Public\xph.exe"
    - Executes dropped EXE
    - Modifies system certificate store
    PID:1836
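An added example, not from the report or the sample: detection logic that reads the process tree and the WriteProcessMemory / SetThreadContext rows above as events and flags the process-hollowing pattern, a parent that has written into a direct child running the same image and then set that child's thread context. The process list and event list are constructed from the report's rows (the report carries no timestamps, so call order is not checked); the dataclasses and function names are mine.

```python
"""Flag the process-hollowing pattern in sandbox API events: a parent that has
written into a direct child running the same image and then set that child's
thread context. Added example for this report; names are the author's."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]
    image: str


@dataclass(frozen=True)
class Event:
    api: str       # "WriteProcessMemory" or "SetThreadContext"
    caller: int
    target: int


# Process tree as listed in the report (pid, parent pid, image).
PROCS = [
    Proc(2424, None, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    Proc(2708, 2424, r"C:\Users\Public\xph.exe"),
    Proc(3064, 2708, r"C:\Users\Admin\AppData\Local\Temp\Jvdacbs.exe"),
    Proc(3008, 3064, r"C:\Users\Admin\AppData\Local\Temp\Jvdacbs.exe"),
    Proc(2656, 2708, r"C:\Users\Admin\AppData\Local\Temp\Pkdfshbas.exe"),
    Proc(2612, 2656, r"C:\Users\Admin\AppData\Local\Temp\Pkdfshbas.exe"),
    Proc(1040, 2612, r"C:\Windows\SysWOW64\WerFault.exe"),
    Proc(1836, 2708, r"C:\Users\Public\xph.exe"),
]

# Rows of the report's WriteProcessMemory and SetThreadContext signatures as
# (api, caller pid, target pid, number of rows), expanded to one Event per row.
# The report has no timestamps, so call order is not available to the rule.
EVENT_ROWS = [
    ("WriteProcessMemory", 2424, 2708, 4),
    ("WriteProcessMemory", 2708, 3064, 4),
    ("WriteProcessMemory", 2708, 2656, 4),
    ("WriteProcessMemory", 3064, 3008, 5),
    ("WriteProcessMemory", 2656, 2612, 5),
    ("WriteProcessMemory", 2708, 1836, 5),
    ("WriteProcessMemory", 2612, 1040, 4),
    ("SetThreadContext", 3064, 3008, 1),
    ("SetThreadContext", 2656, 2612, 1),
    ("SetThreadContext", 2708, 1836, 1),
]
EVENTS = [Event(api, c, t) for api, c, t, n in EVENT_ROWS for _ in range(n)]


def hollowing_candidates(procs, events):
    """Return (parent, child) pairs where the parent wrote into a direct child and
    set its thread context, with the image path and whether both share it."""
    by_pid = {p.pid: p for p in procs}
    writes = defaultdict(int)
    ctx_pairs = set()
    for e in events:
        if e.api == "WriteProcessMemory":
            writes[(e.caller, e.target)] += 1
        elif e.api == "SetThreadContext":
            ctx_pairs.add((e.caller, e.target))
    hits = []
    for parent, child in sorted(ctx_pairs):
        p, c = by_pid.get(parent), by_pid.get(child)
        if p is None or c is None or c.ppid != parent or writes[(parent, child)] == 0:
            continue  # not a parent/child pair with writes: outside this rule
        hits.append({
            "parent": parent,
            "child": child,
            "image": c.image,
            "same_image": p.image.lower() == c.image.lower(),
            "writes": writes[(parent, child)],
        })
    return hits


def plain_creations(procs, events):
    """Parent/child pairs with writes but no SetThreadContext: ordinary process creation."""
    flagged = {(h["parent"], h["child"]) for h in hollowing_candidates(procs, events)}
    by_pid = {p.pid: p for p in procs}
    pairs = {(e.caller, e.target) for e in events if e.api == "WriteProcessMemory"}
    return sorted(pr for pr in pairs
                  if pr not in flagged and pr[1] in by_pid and by_pid[pr[1]].ppid == pr[0])


if __name__ == "__main__":
    for h in hollowing_candidates(PROCS, EVENTS):
        print(f"hollowing candidate: {h['parent']} -> {h['child']} ({h['image']}), "
              f"same image={h['same_image']}, writes={h['writes']}")
    print("plain creations:", plain_creations(PROCS, EVENTS))
```

On this report the rule yields exactly the three same-image pairs (2656 to 2612, 2708 to 1836, 3064 to 3008) and leaves the powershell.exe to xph.exe and Pkdfshbas.exe to WerFault.exe writes as ordinary creations; the same_image flag is kept separate because hollowing into a different, trusted image (a parent writing into a child svchost.exe, say) is the variant a detection rule should not miss.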
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 1.4MB
MD5: 7afa1658a6f338122d355720b4864ed2
SHA1: d2d6012eba6cea513f1d7b267b562b35b738d46e
SHA256: 38d0f6d2d2ccd86e63232e4c702202b167be54dd3c8e21d289f21f4d3775a1e5
SHA512: a74585ff241320d340a8242d53ed58d853e25b85b3c5ccce0019c8fdcbc3e8df1b01eadd73ccf820bf193852b527702d4f2c95ddcbb0b6e1456d375e04839c2d
-
Filesize: 380KB
MD5: 62835e700428e242e2b3b9a4862504ad
SHA1: fc5843c3348ae8507e15e5ccf26de32e8b4f9fee
SHA256: 3c5a48ddae13424e0a7658c6aa6000c6b7ab4973cbb1ec171f15857dbafa20ef
SHA512: 4ca0dbd01d4a0d942b9e45ba48fb91b50691353b58fe1eb9e23a2cb7af19dce4c17ef0c001e0472214acb8d524acdcff8b0ad7ec47c1b4156ca78d78f477c4ca
-
Filesize: 428KB
MD5: ef0d6ae2da95b84e9571375e120c2af4
SHA1: 7c6fb180c3d041780ee58a14528cdb035bac4d87
SHA256: 74c58a2deb846ff9f62fbc2a3e43884883251b459d772038a2d1539df7ff9c89
SHA512: c2fc4430c175df18abf959e9e4a6d724ef4ad7a3542d3027de5bde7d445131f2f169a43bd3c91d79cfa9654244c3bcd38e6013006e3699ceebc7a45712e1f0c0