Analysis

max time kernel: 145s
max time network: 146s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 14-09-2024 04:40

Static task: static1

Behavioral task: behavioral1
  Sample: df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe
  Resource: win7-20240708-en

Behavioral task: behavioral2
  Sample: df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe
  Resource: win10v2004-20240802-en

General

Target: df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe
Size: 1004KB
MD5: df81d775612d1565e5564d416420c2fd
SHA1: 49252eae3983eaa89eea12b5f5b65c5e147d3e5b
SHA256: d98fd8189273e4f4fcbb8b1d5b32459b5d7adcd6eaff9efef0c32ace0fdfab0e
SHA512: a20e59cff9cd30efa06a5bb5c935d119e19d74f289d22335173e64046c634c4ed2b87db5b0e774c90d87c0b34686b4a7e4a9ff8e3e9c8d56207ccc6146ff03d9
SSDEEP: 24576:iGVJLVwfsOmo3MYYFhSHOEIk3XWT9JZH9h:X433nYpEIkonZH9h
Malware Config

Extracted: raccoon
  1.7.2
  8e94b823a9991735de58978b0e8609a618f8ddd3
  url4cnc: https://tttttt.me/brikitiki

Extracted: azorult
  http://195.245.112.115/index.php

Extracted: oski
  hanxlas.ac.ug
Signatures

Azorult
An information stealer first discovered in 2016, targeting browsing history and passwords.

Oski
Oski is an infostealer targeting browser data and crypto wallets.

Raccoon Stealer V1 payload (5 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/584-28-0x0000000000400000-0x0000000000498000-memory.dmp | family_raccoon_v1
behavioral1/memory/584-26-0x0000000000400000-0x0000000000498000-memory.dmp | family_raccoon_v1
behavioral1/memory/584-30-0x0000000000400000-0x0000000000498000-memory.dmp | family_raccoon_v1
behavioral1/memory/584-49-0x0000000000400000-0x0000000000498000-memory.dmp | family_raccoon_v1
behavioral1/memory/584-50-0x0000000000400000-0x0000000000494000-memory.dmp | family_raccoon_v1

Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
Malicious access to, or copy of, a web browser credential store.
Executes dropped EXE (4 IoCs)
Processes:
pid | process
2528 | FDdfhgtyrgfb.exe
2512 | bvnhjgDSvbc.exe
2708 | bvnhjgDSvbc.exe
2756 | FDdfhgtyrgfb.exe

Loads dropped DLL (11 IoCs)
Processes:
pid | process | entries
1732 | df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe | 4
2512 | bvnhjgDSvbc.exe | 1
2528 | FDdfhgtyrgfb.exe | 1
1108 | WerFault.exe | 5
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other sensitive data.
Suspicious use of SetThreadContext (3 IoCs)
Processes:
description | pid | process | target process
PID 1732 set thread context of 584 | 1732 | df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe | df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe
PID 2512 set thread context of 2708 | 2512 | bvnhjgDSvbc.exe | bvnhjgDSvbc.exe
PID 2528 set thread context of 2756 | 2528 | FDdfhgtyrgfb.exe | FDdfhgtyrgfb.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
Processes:
pid | pid_target | process | target process
1108 | 2756 | WerFault.exe | FDdfhgtyrgfb.exe
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bvnhjgDSvbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | FDdfhgtyrgfb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | FDdfhgtyrgfb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bvnhjgDSvbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe
Suspicious behavior: MapViewOfSection (3 IoCs)
Processes:
pid | process
1732 | df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe
2512 | bvnhjgDSvbc.exe
2528 | FDdfhgtyrgfb.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
Processes:
pid | process
1732 | df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe
2512 | bvnhjgDSvbc.exe
2528 | FDdfhgtyrgfb.exe

Suspicious use of WriteProcessMemory (27 IoCs)
Processes:
description | pid | process | target process | entries
PID 1732 wrote to memory of 2528 | 1732 | df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe | FDdfhgtyrgfb.exe | 4
PID 1732 wrote to memory of 2512 | 1732 | df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe | bvnhjgDSvbc.exe | 4
PID 1732 wrote to memory of 584 | 1732 | df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe | df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe | 5
PID 2512 wrote to memory of 2708 | 2512 | bvnhjgDSvbc.exe | bvnhjgDSvbc.exe | 5
PID 2528 wrote to memory of 2756 | 2528 | FDdfhgtyrgfb.exe | FDdfhgtyrgfb.exe | 5
PID 2756 wrote to memory of 1108 | 2756 | FDdfhgtyrgfb.exe | WerFault.exe | 4
Processes

C:\Users\Admin\AppData\Local\Temp\df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe"
  PID: 1732
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\FDdfhgtyrgfb.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\FDdfhgtyrgfb.exe"
    PID: 2528
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\FDdfhgtyrgfb.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\FDdfhgtyrgfb.exe"
      PID: 2756
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\WerFault.exe (level 4)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 784
        PID: 1108
        - Loads dropped DLL
        - Program crash

  C:\Users\Admin\AppData\Local\Temp\bvnhjgDSvbc.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\bvnhjgDSvbc.exe"
    PID: 2512
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\bvnhjgDSvbc.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\bvnhjgDSvbc.exe"
      PID: 2708
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

  C:\Users\Admin\AppData\Local\Temp\df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\df81d775612d1565e5564d416420c2fd_JaffaCakes118.exe"
    PID: 584
    - System Location Discovery: System Language Discovery
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 256KB
MD5: cc4e4947dbf30c94a8e0613f7079b04d
SHA1: 06aaaec0cf89c1a63018f4f8ac41fc087f50296d
SHA256: 53828926c375be5a7f6ec3bb0e535e30312f0cd3ca28089f6447c08e0aaaee1f
SHA512: 7838ac0a03084010bdaca92f4b5d794bb2cb35c076a46cc64fe3ca49b345ed05131e969621cc8173df55f7d9986a138217dd521145310e8d8631fe1180c8708d

Filesize: 212KB
MD5: 6c38e33f75aea070ed77a3db9121d5c8
SHA1: 791d21a38ca8666f58b4e17121bd54c538e438b6
SHA256: 3376d018a1f90739d3da7ce522215999f388248193f4328a5eb362f0d9a22c6b
SHA512: ef66cf665d2829fb534ebd6dbe0707ad638de316f4bba6cd6873d989ebab89357eb3a2e2a62dc13a2aaaca2d71b717bd66177b18a9c02d6878a4928672080e09