Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
147s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
22/12/2024, 11:55 UTC
Static task
static1
Behavioral task
behavioral1
Sample
JaffaCakes118_dec5e9999b176c451659966ed2b4faff2a0d8c2719d695f2a3dda0179b6de1ab.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_dec5e9999b176c451659966ed2b4faff2a0d8c2719d695f2a3dda0179b6de1ab.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_dec5e9999b176c451659966ed2b4faff2a0d8c2719d695f2a3dda0179b6de1ab.exe
-
Size
731.0MB
-
MD5
ffb0e16942ee9d0fb384352f8c3d8ced
-
SHA1
3ea00f50941238eca54cb9452516485b1cddb817
-
SHA256
dec5e9999b176c451659966ed2b4faff2a0d8c2719d695f2a3dda0179b6de1ab
-
SHA512
151bdb3da362d5df074603ddc95754db07feab9a7c08a4cbaf96e4fed0c8efe87783e67f83887027a02f50adf7a903049922296ca5a37bbf7080f9ebcbde45a0
-
SSDEEP
196608:UUJOFXQovEaJV73j5m9iepb+EDGVV3hCKboTEWMw6FO5+3Z4KW:UEfovJ13jk9Xp+VVRJbdwRiDW
Malware Config
Extracted
raccoon
9429a6d92284fd6d41daa221d04032be
http://212.113.119.153/
http://77.91.84.147/
http://212.113.119.35/
http://79.137.248.245/
-
user_agent
AYAYAYAY1337
Signatures
-
Raccoon Stealer V2 payload 3 IoCs
resource yara_rule behavioral2/memory/4440-4-0x0000000000400000-0x00000000016F9000-memory.dmp family_raccoon_v2 behavioral2/memory/4440-6-0x0000000000400000-0x00000000016F9000-memory.dmp family_raccoon_v2 behavioral2/memory/4440-7-0x0000000000400000-0x00000000016F9000-memory.dmp family_raccoon_v2 -
Raccoon family
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_dec5e9999b176c451659966ed2b4faff2a0d8c2719d695f2a3dda0179b6de1ab.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4440 JaffaCakes118_dec5e9999b176c451659966ed2b4faff2a0d8c2719d695f2a3dda0179b6de1ab.exe 4440 JaffaCakes118_dec5e9999b176c451659966ed2b4faff2a0d8c2719d695f2a3dda0179b6de1ab.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dec5e9999b176c451659966ed2b4faff2a0d8c2719d695f2a3dda0179b6de1ab.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dec5e9999b176c451659966ed2b4faff2a0d8c2719d695f2a3dda0179b6de1ab.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4440
Network
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request217.106.137.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.210.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request71.159.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request28.118.140.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request228.249.119.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request50.23.12.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request198.187.3.20.in-addr.arpaIN PTRResponse
-
POSThttp://212.113.119.35/JaffaCakes118_dec5e9999b176c451659966ed2b4faff2a0d8c2719d695f2a3dda0179b6de1ab.exeRemote address:212.113.119.35:80RequestPOST / HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=utf-8
User-Agent: AYAYAYAY1337
Host: 212.113.119.35
Content-Length: 94
Connection: Keep-Alive
Cache-Control: no-cache
ResponseHTTP/1.1 405 Not Allowed
Date: Sun, 22 Dec 2024 11:57:18 GMT
Content-Type: text/html
Content-Length: 157
Connection: keep-alive
-
Remote address:8.8.8.8:53Request35.119.113.212.in-addr.arpaIN PTRResponse35.119.113.212.in-addr.arpaIN PTRfrail-debtaezanetwork
-
Remote address:8.8.8.8:53Request13.227.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request41.173.79.40.in-addr.arpaIN PTRResponse
-
212.113.119.153:80JaffaCakes118_dec5e9999b176c451659966ed2b4faff2a0d8c2719d695f2a3dda0179b6de1ab.exe260 B 5
-
260 B 160 B 5 4
-
212.113.119.35:80http://212.113.119.35/httpJaffaCakes118_dec5e9999b176c451659966ed2b4faff2a0d8c2719d695f2a3dda0179b6de1ab.exe537 B 446 B 5 3
HTTP Request
POST http://212.113.119.35/HTTP Response
405
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
217.106.137.52.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
71.159.190.20.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
28.118.140.52.in-addr.arpa
-
73 B 159 B 1 1
DNS Request
228.249.119.40.in-addr.arpa
-
70 B 156 B 1 1
DNS Request
50.23.12.20.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
198.187.3.20.in-addr.arpa
-
73 B 110 B 1 1
DNS Request
35.119.113.212.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
13.227.111.52.in-addr.arpa
-
71 B 145 B 1 1
DNS Request
41.173.79.40.in-addr.arpa