Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 28-03-2024 08:41
Static task: static1
Behavioral task: behavioral1
Sample: 01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe
Resource: win7-20231129-en
General
- Target: 01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe
- Size: 570KB
- MD5: 01863136c202a0df665d3c05549f6f0f
- SHA1: 3c7491155a98d6a50e54f0ded6b6acf95e7e0eb8
- SHA256: b75d52e883034848f4e22ae6a13d42cb6bc85dce0dd524572c9d9ba1a81f9ca1
- SHA512: 6c24a8676b5fd3d369a71660e7787c490e017378bfc6a0d3548c76d9910b7302c72df0628e513d1f75ceee0559b3b28824d5ee748e506099d25b7f120e972476
- SSDEEP: 6144:hmpz5hiNU5PRLGGTxcwQbyc8DdgiJdBL2nFeIOl8V6IghYNmnTV+WEZ4Z+YirYP2:hzaPtGkQbaDdbDBL2JW8II9WEifsSJo
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: gd3e
- Domains (Formbook configs list the live C2 together with decoy domains):
losfesdffewfdskokoka11.xyz
aspenroofingel.net
mlstrategygroup.com
breakaway.asia
gzmx3.com
dronesadvise.com
bitmain.discount
lifestylekenya.com
dragonfly-road.store
rumbaughrecruiting.com
tarimech.com
starmcb.com
xn--kfz-schlsseldienst-t6b.com
eqgiftshop.com
regionsi.com
bonsainer.com
guideofguardians.com
orlv7x.icu
xemnha100.com
thelupinlady.com
irideomacula.xyz
xanudu.com
fudgeho.com
mrkambu.com
lovedhouseishome.com
qualesusings.xyz
habbinz.online
video-registrator.site
abccookiebiz.com
betterpeixun.com
hotosita.website
metamars.life
journalofmj.com
magnoliagarnish.com
ziyouff.com
moneyshotvid.com
lariontsev.com
hulattsfurniture.com
vidoil.net
rostovetagi.store
trafalgarlonepiece.com
xyperfumecollection.com
northfaceuksaleoutlet.com
rupiahtoto.tech
primordialroot.com
emsteapot.com
dentistryforhealthnj.com
sanaoll.com
zmapo.xyz
mobilenotaryservicesfl.com
evolvevigor.com
2sscu.icu
tafefg.online
squid-mask.net
bluetulipboutique.com
chelsearenee.coach
pepsigoandplay.com
narrativenips.com
seowhiteflag.com
toiletseatsgalore.com
tongchibo.com
antiquestores.xyz
richardfecteau2021.com
cosmosglobaltrade.xyz
lasakaya.com
Signatures
Formbook payload (1 IoC)
Processes (resource | yara_rule):
behavioral1/memory/2576-18-0x0000000000400000-0x000000000042F000-memory.dmp | formbook

Suspicious use of SetThreadContext (1 IoC)
Processes (description | pid | process | target process):
PID 2364 set thread context of 2576 | 2364 | 01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe | 01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid | process):
2364 | 01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe
2576 | 01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description | pid | process):
Token: SeDebugPrivilege | 2364 | 01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (15 IoCs)
Processes (description | pid | process | target process):
PID 2364 wrote to memory of 2708 | 2364 | 01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe | schtasks.exe
PID 2364 wrote to memory of 2708 | 2364 | 01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe | schtasks.exe
PID 2364 wrote to memory of 2708 | 2364 | 01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe | schtasks.exe
PID 2364 wrote to memory of 2708 | 2364 | 01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe | schtasks.exe
PID 2364 wrote to memory of 2584 | 2364 | 01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe | 01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe
PID 2364 wrote to memory of 2584 | 2364 | 01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe | 01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe
PID 2364 wrote to memory of 2584 | 2364 | 01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe | 01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe
PID 2364 wrote to memory of 2584 | 2364 | 01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe | 01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe
PID 2364 wrote to memory of 2576 | 2364 | 01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe | 01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe
PID 2364 wrote to memory of 2576 | 2364 | 01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe | 01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe
PID 2364 wrote to memory of 2576 | 2364 | 01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe | 01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe
PID 2364 wrote to memory of 2576 | 2364 | 01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe | 01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe
PID 2364 wrote to memory of 2576 | 2364 | 01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe | 01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe
PID 2364 wrote to memory of 2576 | 2364 | 01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe | 01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe
PID 2364 wrote to memory of 2576 | 2364 | 01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe | 01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe
Processes
Process tree (child processes indented under their parent):
C:\Users\Admin\AppData\Local\Temp\01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sPsWoUxI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp92DD.tmp"
      - Creates scheduled task(s)
    C:\Users\Admin\AppData\Local\Temp\01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe"
    C:\Users\Admin\AppData\Local\Temp\01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe"
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads (memory dump | file size)
- memory/2364-6-0x00000000046E0000-0x0000000004738000-memory.dmp | 352KB
- memory/2364-1-0x00000000748B0000-0x0000000074F9E000-memory.dmp | 6.9MB
- memory/2364-2-0x00000000072F0000-0x0000000007330000-memory.dmp | 256KB
- memory/2364-3-0x00000000003C0000-0x00000000003CE000-memory.dmp | 56KB
- memory/2364-4-0x00000000748B0000-0x0000000074F9E000-memory.dmp | 6.9MB
- memory/2364-5-0x00000000072F0000-0x0000000007330000-memory.dmp | 256KB
- memory/2364-0-0x0000000000100000-0x0000000000194000-memory.dmp | 592KB
- memory/2364-19-0x00000000748B0000-0x0000000074F9E000-memory.dmp | 6.9MB
- memory/2576-12-0x0000000000400000-0x000000000042F000-memory.dmp | 188KB
- memory/2576-14-0x0000000000400000-0x000000000042F000-memory.dmp | 188KB
- memory/2576-18-0x0000000000400000-0x000000000042F000-memory.dmp | 188KB
- memory/2576-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp | 4KB
- memory/2576-20-0x00000000009C0000-0x0000000000CC3000-memory.dmp | 3.0MB