Analysis

max time kernel: 147s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-12-2024 00:55
Static task: static1

Behavioral task: behavioral1
  Sample: JaffaCakes118_64f9fe0eeaf1e21c27879c85f0b2fbb5cba9d760fc3a73ae58a490ebe4dced42.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: JaffaCakes118_64f9fe0eeaf1e21c27879c85f0b2fbb5cba9d760fc3a73ae58a490ebe4dced42.exe
  Resource: win10v2004-20241007-en
General

Target: JaffaCakes118_64f9fe0eeaf1e21c27879c85f0b2fbb5cba9d760fc3a73ae58a490ebe4dced42.exe
Size: 726.3MB
MD5: 347ba6013752fbe969bc3026639b0104
SHA1: d9e476cb7b09efdc98aedeb3baf5e8d1bbfec6fb
SHA256: 64f9fe0eeaf1e21c27879c85f0b2fbb5cba9d760fc3a73ae58a490ebe4dced42
SHA512: 60edc7ee42912f988d3df461f79d2c1059f01180514a994e6980258136c8a7937cb5d97b599d127a5caaf564c4891e18b9577b7eb14a57e34613b40bd16d3a88
SSDEEP: 98304:lCPkOmG+sbBOcINYWcrdY6N+Q/tvW0qXNa6ntZQoTlNKD6RGb2Uv1P7mgjqwGaxj:lCP1xbZdY6gQ1uv9a+vNKDfJ1jmzwzj
Malware Config

Extracted (family: raccoon)
  985151cfbc2662a774d6e7f7d992c04d
  http://89.185.85.53/
  user_agent: mozzzzzzzzzzz
Signatures

Raccoon family

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid  Process
  748  JaffaCakes118_64f9fe0eeaf1e21c27879c85f0b2fbb5cba9d760fc3a73ae58a490ebe4dced42.exe
  748  JaffaCakes118_64f9fe0eeaf1e21c27879c85f0b2fbb5cba9d760fc3a73ae58a490ebe4dced42.exe
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_64f9fe0eeaf1e21c27879c85f0b2fbb5cba9d760fc3a73ae58a490ebe4dced42.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid  Process
  748  JaffaCakes118_64f9fe0eeaf1e21c27879c85f0b2fbb5cba9d760fc3a73ae58a490ebe4dced42.exe
  748  JaffaCakes118_64f9fe0eeaf1e21c27879c85f0b2fbb5cba9d760fc3a73ae58a490ebe4dced42.exe
Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64f9fe0eeaf1e21c27879c85f0b2fbb5cba9d760fc3a73ae58a490ebe4dced42.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_64f9fe0eeaf1e21c27879c85f0b2fbb5cba9d760fc3a73ae58a490ebe4dced42.exe"
  PID: 748
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses