Analysis Overview
SHA256
362d3fd69c524f00f783eda97ea2229b80573d5cd1e849d3a0d6a17034ebd38a
Threat Level: Known bad
The file adba935c663db2d4c2a53f01434f1e11_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Raccoon Stealer V1 payload
Azorult
Oski
Raccoon
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Program crash
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-15 09:18
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-15 09:18
Reported
2024-06-15 09:21
Platform
win7-20240508-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Azorult
Oski
Raccoon
Raccoon Stealer V1 payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gJHKfdgvr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JHdfbvhyt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JHdfbvhyt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gJHKfdgvr.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JHdfbvhyt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gJHKfdgvr.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Reads user/profile data of web browsers
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JHdfbvhyt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JHdfbvhyt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gJHKfdgvr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gJHKfdgvr.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2416 set thread context of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\JHdfbvhyt.exe | C:\Users\Admin\AppData\Local\Temp\JHdfbvhyt.exe |
| PID 2368 set thread context of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe |
| PID 2064 set thread context of 2732 | N/A | C:\Users\Admin\AppData\Local\Temp\gJHKfdgvr.exe | C:\Users\Admin\AppData\Local\Temp\gJHKfdgvr.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\JHdfbvhyt.exe |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JHdfbvhyt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gJHKfdgvr.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JHdfbvhyt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gJHKfdgvr.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\gJHKfdgvr.exe
"C:\Users\Admin\AppData\Local\Temp\gJHKfdgvr.exe"
C:\Users\Admin\AppData\Local\Temp\JHdfbvhyt.exe
"C:\Users\Admin\AppData\Local\Temp\JHdfbvhyt.exe"
C:\Users\Admin\AppData\Local\Temp\adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\JHdfbvhyt.exe
"C:\Users\Admin\AppData\Local\Temp\JHdfbvhyt.exe"
C:\Users\Admin\AppData\Local\Temp\gJHKfdgvr.exe
"C:\Users\Admin\AppData\Local\Temp\gJHKfdgvr.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 448
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | telete.in | udp |
| US | 8.8.8.8:53 | courtneysdv.ac.ug | udp |
| US | 8.8.8.8:53 | courtneyhones.ac.ug | udp |
| US | 8.8.8.8:53 | courtneysdv.ac.ug | udp |
| US | 8.8.8.8:53 | courtneyhones.ac.ug | udp |
| US | 8.8.8.8:53 | telete.in | udp |
| US | 8.8.8.8:53 | courtneysdv.ac.ug | udp |
| US | 8.8.8.8:53 | courtneysdv.ac.ug | udp |
| US | 8.8.8.8:53 | telete.in | udp |
| US | 8.8.8.8:53 | courtneysdv.ac.ug | udp |
| US | 8.8.8.8:53 | telete.in | udp |
| US | 8.8.8.8:53 | courtneysdv.ac.ug | udp |
| US | 8.8.8.8:53 | courtneysdv.ac.ug | udp |
| US | 8.8.8.8:53 | telete.in | udp |
| US | 8.8.8.8:53 | telete.in | udp |
| US | 8.8.8.8:53 | telete.in | udp |
| US | 8.8.8.8:53 | telete.in | udp |
Files
memory/2368-2-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2368-21-0x0000000001E30000-0x0000000001E37000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gJHKfdgvr.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | a980c42338a12435e6274592cb51b982 |
| SHA1 | 09620ff8a6f6678e2c3587c97662dde2ce636f67 |
| SHA256 | 6133d331cb33fd7a1d261ce672f333458216b381426985dd9fa34fe3b1943ec7 |
| SHA512 | 7efc42707d45f9326ec467c01f318d93c3798e55b36455fd09ba990bed55430c7331cd4956ee23bcd7af58e72f702325f194a5dc372f72527c1b85bb04f571c3 |
C:\Users\Admin\AppData\Local\Temp\JHdfbvhyt.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | 56b539a18d733e7b287ee1bf95696e1f |
| SHA1 | 6f2dab4c86f138032e50fbc6c255e93c9a693e68 |
| SHA256 | f1f45014743cac425404602576dc0fcbc1dcd475d12ac8968b81f1e52e6c6651 |
| SHA512 | 9f7166af4b75b0b7889b3f7488ec8bd92901e8d097041293a88c3fe884d84e8e94924f49784f8091662057e4d42fb7040a99840644aafd7b2ec5f9d79d434bf7 |
memory/2416-28-0x0000000000260000-0x0000000000267000-memory.dmp
memory/2064-27-0x00000000003C0000-0x00000000003C7000-memory.dmp
memory/2416-26-0x0000000000240000-0x0000000000241000-memory.dmp
memory/2572-35-0x0000000000400000-0x0000000000497000-memory.dmp
memory/2416-34-0x0000000000260000-0x0000000000267000-memory.dmp
memory/2600-31-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2600-37-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2572-39-0x0000000000400000-0x0000000000497000-memory.dmp
memory/2732-45-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2572-44-0x0000000000400000-0x0000000000493000-memory.dmp
memory/2600-43-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2732-47-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2600-50-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2572-49-0x0000000000400000-0x0000000000493000-memory.dmp
memory/2732-51-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2732-54-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2732-56-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2732-57-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2600-77-0x0000000000400000-0x0000000000434000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-15 09:18
Reported
2024-06-15 09:21
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
Azorult
Oski
Raccoon
Raccoon Stealer V1 payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gJHKfdgvr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JHdfbvhyt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JHdfbvhyt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gJHKfdgvr.exe | N/A |
Reads user/profile data of web browsers
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JHdfbvhyt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JHdfbvhyt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gJHKfdgvr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gJHKfdgvr.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2988 set thread context of 2544 | N/A | C:\Users\Admin\AppData\Local\Temp\adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe |
| PID 4512 set thread context of 3164 | N/A | C:\Users\Admin\AppData\Local\Temp\JHdfbvhyt.exe | C:\Users\Admin\AppData\Local\Temp\JHdfbvhyt.exe |
| PID 4780 set thread context of 3572 | N/A | C:\Users\Admin\AppData\Local\Temp\gJHKfdgvr.exe | C:\Users\Admin\AppData\Local\Temp\gJHKfdgvr.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\JHdfbvhyt.exe |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JHdfbvhyt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gJHKfdgvr.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JHdfbvhyt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gJHKfdgvr.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\gJHKfdgvr.exe
"C:\Users\Admin\AppData\Local\Temp\gJHKfdgvr.exe"
C:\Users\Admin\AppData\Local\Temp\JHdfbvhyt.exe
"C:\Users\Admin\AppData\Local\Temp\JHdfbvhyt.exe"
C:\Users\Admin\AppData\Local\Temp\adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\adba935c663db2d4c2a53f01434f1e11_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\JHdfbvhyt.exe
"C:\Users\Admin\AppData\Local\Temp\JHdfbvhyt.exe"
C:\Users\Admin\AppData\Local\Temp\gJHKfdgvr.exe
"C:\Users\Admin\AppData\Local\Temp\gJHKfdgvr.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4216,i,14486271492189381216,15799931579469722648,262144 --variations-seed-version --mojo-platform-channel-handle=4352 /prefetch:8
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3164 -ip 3164
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 1260
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | telete.in | udp |
| US | 8.8.8.8:53 | courtneysdv.ac.ug | udp |
| US | 8.8.8.8:53 | courtneyhones.ac.ug | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | courtneysdv.ac.ug | udp |
| US | 8.8.8.8:53 | courtneyhones.ac.ug | udp |
| US | 8.8.8.8:53 | telete.in | udp |
| US | 8.8.8.8:53 | courtneysdv.ac.ug | udp |
| US | 8.8.8.8:53 | telete.in | udp |
| US | 8.8.8.8:53 | telete.in | udp |
| US | 8.8.8.8:53 | telete.in | udp |
| US | 8.8.8.8:53 | telete.in | udp |
| US | 8.8.8.8:53 | telete.in | udp |
| US | 8.8.8.8:53 | telete.in | udp |
| US | 8.8.8.8:53 | telete.in | udp |
Files
memory/2988-2-0x00000000776A2000-0x00000000776A3000-memory.dmp
memory/2988-4-0x00000000007C0000-0x00000000007C1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gJHKfdgvr.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | a980c42338a12435e6274592cb51b982 |
| SHA1 | 09620ff8a6f6678e2c3587c97662dde2ce636f67 |
| SHA256 | 6133d331cb33fd7a1d261ce672f333458216b381426985dd9fa34fe3b1943ec7 |
| SHA512 | 7efc42707d45f9326ec467c01f318d93c3798e55b36455fd09ba990bed55430c7331cd4956ee23bcd7af58e72f702325f194a5dc372f72527c1b85bb04f571c3 |
C:\Users\Admin\AppData\Local\Temp\JHdfbvhyt.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | 56b539a18d733e7b287ee1bf95696e1f |
| SHA1 | 6f2dab4c86f138032e50fbc6c255e93c9a693e68 |
| SHA256 | f1f45014743cac425404602576dc0fcbc1dcd475d12ac8968b81f1e52e6c6651 |
| SHA512 | 9f7166af4b75b0b7889b3f7488ec8bd92901e8d097041293a88c3fe884d84e8e94924f49784f8091662057e4d42fb7040a99840644aafd7b2ec5f9d79d434bf7 |
memory/2988-26-0x0000000002D30000-0x0000000002D37000-memory.dmp
memory/4780-32-0x00000000020B0000-0x00000000020B1000-memory.dmp
memory/4512-31-0x0000000000610000-0x0000000000611000-memory.dmp
memory/2544-36-0x0000000000400000-0x0000000000497000-memory.dmp
memory/4780-34-0x0000000002100000-0x0000000002107000-memory.dmp
memory/2544-35-0x0000000000400000-0x0000000000497000-memory.dmp
memory/3164-41-0x0000000000400000-0x0000000000438000-memory.dmp
memory/3164-46-0x0000000000400000-0x0000000000438000-memory.dmp
memory/3572-51-0x0000000000400000-0x0000000000424000-memory.dmp
memory/3572-53-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2988-49-0x0000000002D30000-0x0000000002D37000-memory.dmp
memory/3164-48-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3164-43-0x0000000000400000-0x0000000000438000-memory.dmp
memory/3572-44-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2544-40-0x0000000000400000-0x0000000000493000-memory.dmp
memory/2544-39-0x0000000000400000-0x0000000000497000-memory.dmp
memory/2544-37-0x0000000000400000-0x0000000000497000-memory.dmp
memory/4512-33-0x0000000000620000-0x0000000000627000-memory.dmp
memory/2544-54-0x0000000000400000-0x0000000000493000-memory.dmp
memory/3572-56-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2544-57-0x0000000000400000-0x0000000000497000-memory.dmp
memory/3572-60-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3572-61-0x0000000000400000-0x0000000000424000-memory.dmp
memory/3572-62-0x0000000000430000-0x00000000004F9000-memory.dmp
memory/3572-63-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3164-66-0x0000000000400000-0x0000000000438000-memory.dmp
memory/3164-68-0x0000000000400000-0x0000000000434000-memory.dmp