Analysis
-
max time kernel
146s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
03-10-2024 03:13
Static task
static1
Behavioral task
behavioral1
Sample
0da43ff2818bd897206bf362ee8aa27f_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
0da43ff2818bd897206bf362ee8aa27f_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
0da43ff2818bd897206bf362ee8aa27f_JaffaCakes118.exe
-
Size
866KB
-
MD5
0da43ff2818bd897206bf362ee8aa27f
-
SHA1
7013151ac5b6e201ebb6f20efff8dd8d269e92e5
-
SHA256
90ca9c7f8b656d2104a812ce9ba2625c1ab3b6ae346df7e6f01c838bf8990bda
-
SHA512
e9711f909d5a11bf7431ea2000f3200e4e206dd53cf1a4ffd4a8fbe0ce974be37878e3c3a2738b3fbeb26acd48a3f04b547e0b3c89884a5d1a74c2d496739a5c
-
SSDEEP
24576:o53uhF1ekWz2q28OV0vn0IGFr6s/5iHkNTAskAuQ:o5+hF1CPhOavGFmsB2kN0szuQ
Malware Config
Extracted
raccoon
1.7.3
e2b58b2c24d80fcfd249021c5a21ac97c09e40a1
-
url4cnc
https://telete.in/mohibrainos
Signatures
-
Raccoon Stealer V1 payload 4 IoCs
resource yara_rule behavioral2/memory/1496-61-0x0000000000400000-0x0000000000496000-memory.dmp family_raccoon_v1 behavioral2/memory/1496-65-0x0000000000400000-0x0000000000496000-memory.dmp family_raccoon_v1 behavioral2/memory/1496-63-0x0000000000400000-0x0000000000496000-memory.dmp family_raccoon_v1 behavioral2/memory/1496-72-0x0000000000400000-0x0000000000492000-memory.dmp family_raccoon_v1 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation 0da43ff2818bd897206bf362ee8aa27f_JaffaCakes118.exe -
Executes dropped EXE 2 IoCs
pid Process 4704 GuiHelper.exe 1496 GuiHelper.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4704 set thread context of 1496 4704 GuiHelper.exe 92 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0da43ff2818bd897206bf362ee8aa27f_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GuiHelper.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GuiHelper.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 4704 GuiHelper.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4704 GuiHelper.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 2164 wrote to memory of 3500 2164 0da43ff2818bd897206bf362ee8aa27f_JaffaCakes118.exe 82 PID 2164 wrote to memory of 3500 2164 0da43ff2818bd897206bf362ee8aa27f_JaffaCakes118.exe 82 PID 2164 wrote to memory of 4704 2164 0da43ff2818bd897206bf362ee8aa27f_JaffaCakes118.exe 84 PID 2164 wrote to memory of 4704 2164 0da43ff2818bd897206bf362ee8aa27f_JaffaCakes118.exe 84 PID 2164 wrote to memory of 4704 2164 0da43ff2818bd897206bf362ee8aa27f_JaffaCakes118.exe 84 PID 4704 wrote to memory of 1496 4704 GuiHelper.exe 92 PID 4704 wrote to memory of 1496 4704 GuiHelper.exe 92 PID 4704 wrote to memory of 1496 4704 GuiHelper.exe 92 PID 4704 wrote to memory of 1496 4704 GuiHelper.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\0da43ff2818bd897206bf362ee8aa27f_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\0da43ff2818bd897206bf362ee8aa27f_JaffaCakes118.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c ""C:\Users\Admin\AppData\Local\Temp\GuiHelper\KillDuplicate.cmd" "C:\Users\Admin\AppData\Local\Temp\GuiHelper" "0da43ff2818bd897206bf362ee8aa27f_JaffaCakes118.exe""2⤵PID:3500
-
-
C:\Users\Admin\AppData\Local\Temp\GuiHelper\GuiHelper.exe"C:\Users\Admin\AppData\Local\Temp\GuiHelper\GuiHelper.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4704 -
C:\Users\Admin\AppData\Local\Temp\GuiHelper\GuiHelper.exe"C:\Users\Admin\AppData\Local\Temp\GuiHelper\GuiHelper.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1496
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.1MB
MD5533dd7c6e2d03b192937a23e72679572
SHA1c3f823ad2660f2c3fe5f0a9f4a98130a3c799be6
SHA256753c49e96e7d6991dfa47778186e7f8f4eb1dec274a9b43d38731b573c311fe6
SHA51242ecc05b9b533a7ef2a4b85f71c6198a9fadf1a1a361b3d016bdee72a9777b1896fbb7d61d642724488dc7244c317cb9bd247f4874372527da105f0eface2922