Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    147s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/12/2024, 11:55 UTC

General

  • Target

    JaffaCakes118_dec5e9999b176c451659966ed2b4faff2a0d8c2719d695f2a3dda0179b6de1ab.exe

  • Size

    731.0MB

  • MD5

    ffb0e16942ee9d0fb384352f8c3d8ced

  • SHA1

    3ea00f50941238eca54cb9452516485b1cddb817

  • SHA256

    dec5e9999b176c451659966ed2b4faff2a0d8c2719d695f2a3dda0179b6de1ab

  • SHA512

    151bdb3da362d5df074603ddc95754db07feab9a7c08a4cbaf96e4fed0c8efe87783e67f83887027a02f50adf7a903049922296ca5a37bbf7080f9ebcbde45a0

  • SSDEEP

    196608:UUJOFXQovEaJV73j5m9iepb+EDGVV3hCKboTEWMw6FO5+3Z4KW:UEfovJ13jk9Xp+VVRJbdwRiDW

Malware Config

Extracted

Family

raccoon

Botnet

9429a6d92284fd6d41daa221d04032be

C2

http://212.113.119.153/

http://77.91.84.147/

http://212.113.119.35/

http://79.137.248.245/

Attributes
  • user_agent

    AYAYAYAY1337

xor.plain
1
9429a6d92284fd6d41daa221d04032be

Signatures

  • Raccoon

    Raccoon is an infostealer written in C++ and first seen in 2019.

  • Raccoon Stealer V2 payload 3 IoCs
  • Raccoon family
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dec5e9999b176c451659966ed2b4faff2a0d8c2719d695f2a3dda0179b6de1ab.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dec5e9999b176c451659966ed2b4faff2a0d8c2719d695f2a3dda0179b6de1ab.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:4440

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    217.106.137.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.106.137.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    71.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    71.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    28.118.140.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    28.118.140.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    228.249.119.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    228.249.119.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    50.23.12.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.23.12.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    198.187.3.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.187.3.20.in-addr.arpa
    IN PTR
    Response
  • flag-at
    POST
    http://212.113.119.35/
    JaffaCakes118_dec5e9999b176c451659966ed2b4faff2a0d8c2719d695f2a3dda0179b6de1ab.exe
    Remote address:
    212.113.119.35:80
    Request
    POST / HTTP/1.1
    Accept: */*
    Content-Type: application/x-www-form-urlencoded; charset=utf-8
    User-Agent: AYAYAYAY1337
    Host: 212.113.119.35
    Content-Length: 94
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 405 Not Allowed
    Server: nginx/1.26.2
    Date: Sun, 22 Dec 2024 11:57:18 GMT
    Content-Type: text/html
    Content-Length: 157
    Connection: keep-alive
  • flag-us
    DNS
    35.119.113.212.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    35.119.113.212.in-addr.arpa
    IN PTR
    Response
    35.119.113.212.in-addr.arpa
    IN PTR
    frail-debtaezanetwork
  • flag-us
    DNS
    13.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.227.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    41.173.79.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    41.173.79.40.in-addr.arpa
    IN PTR
    Response
  • 212.113.119.153:80
    JaffaCakes118_dec5e9999b176c451659966ed2b4faff2a0d8c2719d695f2a3dda0179b6de1ab.exe
    260 B
    5
  • 77.91.84.147:80
    JaffaCakes118_dec5e9999b176c451659966ed2b4faff2a0d8c2719d695f2a3dda0179b6de1ab.exe
    260 B
    160 B
    5
    4
  • 212.113.119.35:80
    http://212.113.119.35/
    http
    JaffaCakes118_dec5e9999b176c451659966ed2b4faff2a0d8c2719d695f2a3dda0179b6de1ab.exe
    537 B
    446 B
    5
    3

    HTTP Request

    POST http://212.113.119.35/

    HTTP Response

    405
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    217.106.137.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    217.106.137.52.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    71.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    71.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    28.118.140.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    28.118.140.52.in-addr.arpa

  • 8.8.8.8:53
    228.249.119.40.in-addr.arpa
    dns
    73 B
    159 B
    1
    1

    DNS Request

    228.249.119.40.in-addr.arpa

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    198.187.3.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    198.187.3.20.in-addr.arpa

  • 8.8.8.8:53
    35.119.113.212.in-addr.arpa
    dns
    73 B
    110 B
    1
    1

    DNS Request

    35.119.113.212.in-addr.arpa

  • 8.8.8.8:53
    13.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    13.227.111.52.in-addr.arpa

  • 8.8.8.8:53
    41.173.79.40.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    41.173.79.40.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4440-0-0x0000000001750000-0x0000000001751000-memory.dmp

    Filesize

    4KB

  • memory/4440-3-0x0000000000424000-0x0000000000C0D000-memory.dmp

    Filesize

    7.9MB

  • memory/4440-4-0x0000000000400000-0x00000000016F9000-memory.dmp

    Filesize

    19.0MB

  • memory/4440-5-0x0000000000424000-0x0000000000C0D000-memory.dmp

    Filesize

    7.9MB

  • memory/4440-6-0x0000000000400000-0x00000000016F9000-memory.dmp

    Filesize

    19.0MB

  • memory/4440-7-0x0000000000400000-0x00000000016F9000-memory.dmp

    Filesize

    19.0MB

  • memory/4440-8-0x0000000000424000-0x0000000000C0D000-memory.dmp

    Filesize

    7.9MB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.