Analysis
- max time kernel: 147s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 28-07-2024 20:38
Static task: static1
Behavioral task: behavioral1
- Sample: 2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe
- Resource: win7-20240705-en
Behavioral task: behavioral2
- Sample: 2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe
- Resource: win10v2004-20240709-en
General
- Target: 2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe
- Size: 1.0MB
- MD5: 2292f50e6ebdf3eae9cbb254ca0464a9
- SHA1: 5e7897406f6a5859638982f347d569bc2bfe3614
- SHA256: f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2
- SHA512: 688c8814bef5f31254a66a4d83d08d0e2d81ee00eee7887829f3c8639c75cae323e1f30d9bb07ee1751c4c4d06d7ea6315ba48509613c5364ea930c6485586a5
- SSDEEP: 24576:V3QswWX5+hV2Sy8CqmGs8BW1kNtWPDsygFTqqaW:V3bT0hQSy8CqmYW10EsNTRaW
Malware Config
Extracted: raccoon
- 236c7f8a01d741b888dc6b6209805e66d41e62ba
- url4cnc: https://telete.in/brikitiki
Extracted: oski
- nadia.ac.ug
Extracted: azorult
- http://195.245.112.115/index.php
Signatures
- Azorult
  An information stealer first discovered in 2016, targeting browsing history and passwords.
- Oski
  Oski is an infostealer targeting browser data and crypto wallets.
- Raccoon Stealer V1 payload (6 IoCs)
  Processes (resource: yara_rule):
  - behavioral1/memory/2716-32-0x0000000000400000-0x0000000000493000-memory.dmp: family_raccoon_v1
  - behavioral1/memory/2716-31-0x0000000000400000-0x0000000000498000-memory.dmp: family_raccoon_v1
  - behavioral1/memory/2716-29-0x0000000000400000-0x0000000000498000-memory.dmp: family_raccoon_v1
  - behavioral1/memory/2716-25-0x0000000000400000-0x0000000000498000-memory.dmp: family_raccoon_v1
  - behavioral1/memory/2716-52-0x0000000000400000-0x0000000000493000-memory.dmp: family_raccoon_v1
  - behavioral1/memory/2716-62-0x0000000000400000-0x0000000000498000-memory.dmp: family_raccoon_v1
- Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
  Malicious access to, or copy of, a web browser credential store.
- Executes dropped EXE (4 IoCs)
  Processes (pid: process):
  - 1988: IhfgetrDSqwe.exe
  - 2912: VjghertvcSD.exe
  - 2880: IhfgetrDSqwe.exe
  - 2976: VjghertvcSD.exe
- Loads dropped DLL (11 IoCs)
  Processes (pid: process):
  - 1460: 2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe (4 entries)
  - 1988: IhfgetrDSqwe.exe
  - 2912: VjghertvcSD.exe
  - 576: WerFault.exe (5 entries)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  Processes (pid: process):
  - 2880: IhfgetrDSqwe.exe (2 entries)
  - 2976: VjghertvcSD.exe (2 entries)
- Suspicious use of SetThreadContext (3 IoCs)
  Processes (pid, process -> target pid, target process):
  - PID 1460 (2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe) set thread context of 2716 (2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe)
  - PID 1988 (IhfgetrDSqwe.exe) set thread context of 2880 (IhfgetrDSqwe.exe)
  - PID 2912 (VjghertvcSD.exe) set thread context of 2976 (VjghertvcSD.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  Processes (pid, process -> target pid, target process):
  - 576 WerFault.exe -> 2880 IhfgetrDSqwe.exe
- System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (ioc: process):
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language: VjghertvcSD.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language: IhfgetrDSqwe.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language: 2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language: IhfgetrDSqwe.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language: VjghertvcSD.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language: 2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe
- Modifies system certificate store
  Processes (ioc: process):
  - Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8: 2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe
  - Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (hex certificate blob omitted): 2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe
- Suspicious behavior: MapViewOfSection (3 IoCs)
  Processes (pid: process):
  - 1460: 2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe
  - 1988: IhfgetrDSqwe.exe
  - 2912: VjghertvcSD.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes (pid: process):
  - 1460: 2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe
  - 1988: IhfgetrDSqwe.exe
  - 2912: VjghertvcSD.exe
- Suspicious use of WriteProcessMemory (27 IoCs)
  Processes (pid, process -> target pid, target process):
  - PID 1460 (2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe) wrote to memory of 2912 (VjghertvcSD.exe), 4 entries
  - PID 1460 (2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe) wrote to memory of 1988 (IhfgetrDSqwe.exe), 4 entries
  - PID 1460 (2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe) wrote to memory of 2716 (2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe), 5 entries
  - PID 1988 (IhfgetrDSqwe.exe) wrote to memory of 2880 (IhfgetrDSqwe.exe), 5 entries
  - PID 2912 (VjghertvcSD.exe) wrote to memory of 2976 (VjghertvcSD.exe), 5 entries
  - PID 2880 (IhfgetrDSqwe.exe) wrote to memory of 576 (WerFault.exe), 4 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe"
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe"
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WerFault.exe (level 4)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 784
        - Loads dropped DLL
        - Program crash
  - C:\Users\Admin\AppData\Local\Temp\2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\2292f50e6ebdf3eae9cbb254ca0464a9_JaffaCakes118.exe"
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Defense Evasion
- Subvert Trust Controls (1): Install Root Certificate (1)
- Modify Registry (1)
Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Unsecured Credentials (1): Credentials In Files (1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe
  Filesize: 244KB
  MD5: e22eec453d5d077fecdc1fe9ead85a16
  SHA1: fdca78352ec06d5b695db0ad3b8c4acb8ba965ba
  SHA256: a52ed8a9f6d0d26517e6c0940c46345235f226634031fb5ab285f5c1a5d5d7b1
  SHA512: 24e0ff9e37fce0bd0d89215819ae6b44646193a27f424a7475d0d9922902dedc767fb558ffa3a045a2d444665fedbeea86cb821de8415bcb4cfdecd6e4ef140f
- \Users\Admin\AppData\Local\Temp\VjghertvcSD.exe
  Filesize: 200KB
  MD5: ce9ef402a6bb862ee9320dbdff92724c
  SHA1: 5a5f67412735e2be4f21d184ab6cc2c427eba389
  SHA256: 7c95dcd99bc8274293fc772afe6ad67ba2dccadb671dad68ee9fe5898ff25ea6
  SHA512: 8d38528418d2f260f5699456bc0525dbefe047be233ac5b3a735836f0810227821acf05a78200fd48592117906acc04e9c30d66f3d51be87e91512bcbffd0048
- memory/1460-21-0x0000000001ED0000-0x0000000001ED7000-memory.dmp (Filesize: 28KB)
- memory/1460-34-0x0000000001ED0000-0x0000000001ED7000-memory.dmp (Filesize: 28KB)
- memory/1460-2-0x00000000002B0000-0x00000000002B1000-memory.dmp (Filesize: 4KB)
- memory/1988-26-0x0000000000240000-0x0000000000248000-memory.dmp (Filesize: 32KB)
- memory/1988-40-0x0000000000240000-0x0000000000248000-memory.dmp (Filesize: 32KB)
- memory/1988-24-0x0000000000230000-0x0000000000231000-memory.dmp (Filesize: 4KB)
- memory/2716-31-0x0000000000400000-0x0000000000498000-memory.dmp (Filesize: 608KB)
- memory/2716-52-0x0000000000400000-0x0000000000493000-memory.dmp (Filesize: 588KB)
- memory/2716-29-0x0000000000400000-0x0000000000498000-memory.dmp (Filesize: 608KB)
- memory/2716-32-0x0000000000400000-0x0000000000493000-memory.dmp (Filesize: 588KB)
- memory/2716-25-0x0000000000400000-0x0000000000498000-memory.dmp (Filesize: 608KB)
- memory/2716-62-0x0000000000400000-0x0000000000498000-memory.dmp (Filesize: 608KB)
- memory/2880-38-0x0000000000400000-0x0000000000439000-memory.dmp (Filesize: 228KB)
- memory/2880-41-0x0000000000400000-0x0000000000439000-memory.dmp (Filesize: 228KB)
- memory/2880-61-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
- memory/2880-53-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)
- memory/2912-35-0x0000000000400000-0x0000000000432000-memory.dmp (Filesize: 200KB)
- memory/2912-49-0x0000000000400000-0x0000000000432000-memory.dmp (Filesize: 200KB)
- memory/2976-45-0x0000000000400000-0x0000000000425000-memory.dmp (Filesize: 148KB)
- memory/2976-51-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
- memory/2976-50-0x0000000000400000-0x0000000000425000-memory.dmp (Filesize: 148KB)
- memory/2976-47-0x0000000000400000-0x0000000000425000-memory.dmp (Filesize: 148KB)