Overview

overview

10

Static

static

3

JaffaCakes...3e.exe

windows7-x64

10

JaffaCakes...3e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-01-2025 12:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_2354d9753f0f741bd358dae604e48c3e.exe

  • Size

    1012KB

  • MD5

    2354d9753f0f741bd358dae604e48c3e

  • SHA1

    f128c560612c22c30ff0a3593bb66794ae7774d5

  • SHA256

    f3be725453067dd4fd33c93d841f8bc707334cad295708f36319294405066346

  • SHA512

    f5efb5abeaee35770ffb44cedce62bb718553d730eb25ab93b3538deed30ea88c35db5961890ab134f8dd9f8fe3da55b9a48951d07ba39709dcd42dcacf2208b

  • SSDEEP

    12288:hxt6hRd3GUju9Al4QMe89d18EbVAXMJrQF0p4v9TH9yzsN2j33+RgshWtqU59d3i:hxQhf3DcA78DbVAXWQF0p2hNIeQqU5w1

Score
10/10
azorultoskiraccoonb76017a227a0d879dec7c76613918569d03892fbdiscoveryinfostealerspywarestealertrojan

Malware Config

Extracted

Family

raccoon

Botnet

b76017a227a0d879dec7c76613918569d03892fb

Attributes
  • url4cnc

    http://telegka.top/brikitiki

    http://telegin.top/brikitiki

    https://t.me/brikitiki

rc4.plain
rc4.plain

Extracted

Family

oski

C2

scarsa.ac.ug

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult
  • Azorult family
    azorult
  • Oski

    Oski is an infostealer targeting browser data, crypto wallets.

    infostealeroski
  • Oski family
    oski
  • Raccoon

    Raccoon is an infostealer written in C++ and first seen in 2019.

    stealerraccoon
  • Raccoon Stealer V1 payload 8 IoCs
  • Raccoon family
    raccoon
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2354d9753f0f741bd358dae604e48c3e.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2354d9753f0f741bd358dae604e48c3e.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2020
    • C:\Users\Admin\AppData\Local\Temp\Vtergfds.exe
      "C:\Users\Admin\AppData\Local\Temp\Vtergfds.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2540
      • C:\Users\Admin\AppData\Local\Temp\Vtergfds.exe
        "C:\Users\Admin\AppData\Local\Temp\Vtergfds.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1988
    • C:\Users\Admin\AppData\Local\Temp\Vereransa.exe
      "C:\Users\Admin\AppData\Local\Temp\Vereransa.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4680
      • C:\Users\Admin\AppData\Local\Temp\Vereransa.exe
        "C:\Users\Admin\AppData\Local\Temp\Vereransa.exe"
        3⤵
        • Executes dropped EXE
        PID:1984
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 1268
          4⤵
          • Program crash
          PID:4928
    • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2354d9753f0f741bd358dae604e48c3e.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2354d9753f0f741bd358dae604e48c3e.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2788
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1984 -ip 1984
    1⤵
      PID:3740

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Vereransa.exe
      Filesize

      264KB

      MD5

      bbc3d625038de2cc64cbfdb76e888528

      SHA1

      75b19ab88f8c23d0088252e8c725d4ceea56895a

      SHA256

      3b8b57a0fa99b4d29b259e3641e967cbc84a314891273b56ce5bdeba30e49601

      SHA512

      9014f5d15f4e5311650e2b5357e72655c28cc64cb0dc7f1a37636270985a411a8baa26433f330d735850fe6a3dfe7479f70a9a52aa45c708879036ab1a1d3465

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Vtergfds.exe
      Filesize

      216KB

      MD5

      0a8854ddd119e42c62bf2904efb29c1c

      SHA1

      986ab504ca3cc36fc0418516f26aabc4168224d6

      SHA256

      69f64ca4b22180560648691c2d52cfe11b253bb403663f8e92f25e0f76308dbb

      SHA512

      905e1ee950617ede45baf4f356c379f7c05876ac457ac36a556937c4d4ac55aa991902e1df069c92c654cf2260c4ac6cb21595e2f3fcce916fcf92d4f39aeec7

      Download Submit

    • memory/1984-56-0x0000000000400000-0x0000000000438000-memory.dmp

      Filesize

      224KB

      Download

    • memory/1984-42-0x0000000000400000-0x0000000000438000-memory.dmp

      Filesize

      224KB

      Download

    • memory/1984-57-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/1984-43-0x0000000000400000-0x0000000000438000-memory.dmp

      Filesize

      224KB

      Download

    • memory/1984-45-0x0000000000400000-0x0000000000434000-memory.dmp

      Filesize

      208KB

      Download

    • memory/1984-40-0x0000000000400000-0x0000000000438000-memory.dmp

      Filesize

      224KB

      Download

    • memory/1988-53-0x0000000000400000-0x0000000000420000-memory.dmp

      Filesize

      128KB

      Download

    • memory/1988-52-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/1988-47-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/1988-49-0x0000000000400000-0x0000000000424000-memory.dmp

      Filesize

      144KB

      Download

    • memory/2020-3-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2020-2-0x0000000077C52000-0x0000000077C53000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2020-32-0x0000000003600000-0x0000000003607000-memory.dmp

      Filesize

      28KB

      Download

    • memory/2540-50-0x0000000000400000-0x0000000000437000-memory.dmp

      Filesize

      220KB

      Download

    • memory/2540-30-0x0000000000810000-0x0000000000811000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2788-33-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/2788-34-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/2788-37-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/2788-38-0x0000000000400000-0x0000000000491000-memory.dmp

      Filesize

      580KB

      Download

    • memory/2788-35-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/2788-58-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/2788-59-0x0000000000400000-0x0000000000491000-memory.dmp

      Filesize

      580KB

      Download

    • memory/2788-65-0x0000000000400000-0x0000000000491000-memory.dmp

      Filesize

      580KB

      Download

    • memory/4680-46-0x0000000000400000-0x0000000000443000-memory.dmp

      Filesize

      268KB

      Download

    • memory/4680-39-0x0000000000400000-0x0000000000443000-memory.dmp

      Filesize

      268KB

      Download

    • memory/4680-31-0x0000000000980000-0x0000000000981000-memory.dmp

      Filesize

      4KB

      Download