Analysis Overview
SHA256
6d6ed63e357100a38b5bb4f4a256be07e34960bf25dbf0cc7d8f6b66e06d2df3
Threat Level: Known bad
The file 8c0ee1047417c73e05ff20905963357e_JaffaCakes118 was classified as Known bad.
Malicious Activity Summary
Formbook
Formbook payload
Checks computer location settings
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-02 12:03
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-02 12:03
Reported
2024-04-02 12:05
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
151s
Command Line: (none recorded)
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8c0ee1047417c73e05ff20905963357e_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1988 set thread context of 1552 | N/A | C:\Users\Admin\AppData\Local\Temp\8c0ee1047417c73e05ff20905963357e_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\8c0ee1047417c73e05ff20905963357e_JaffaCakes118.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8c0ee1047417c73e05ff20905963357e_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8c0ee1047417c73e05ff20905963357e_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8c0ee1047417c73e05ff20905963357e_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8c0ee1047417c73e05ff20905963357e_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8c0ee1047417c73e05ff20905963357e_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8c0ee1047417c73e05ff20905963357e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8c0ee1047417c73e05ff20905963357e_JaffaCakes118.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LyTtZRlfdo" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB93E.tmp"
C:\Users\Admin\AppData\Local\Temp\8c0ee1047417c73e05ff20905963357e_JaffaCakes118.exe
"{path}"
C:\Users\Admin\AppData\Local\Temp\8c0ee1047417c73e05ff20905963357e_JaffaCakes118.exe
"{path}"
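The schtasks line above is the persistence step: the 32-bit loader first writes a task definition to a GetTempFileName-style file (tmpB93E.tmp, hashed under Files below) in %LOCALAPPDATA%\Temp and then imports it with schtasks.exe /Create /XML under the task folder Updates\. The process image resolves to SysWOW64\schtasks.exe although the command line names System32, which is WOW64 file-system redirection for a 32-bit parent and is worth remembering when writing image-path rules. The Python below is an added example, not part of the sandbox report, showing how a detection script can parse such process-creation records and flag this pattern. The records are constructed from this page's process list; the parent image of schtasks is assumed to be the loader (the report's process tree implies it but does not state it), and a third, benign schtasks invocation is added as a control.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Process-creation records constructed for this example from the report's process list.
# parent_image values are assumptions (the report does not list parents); the third
# record is a benign control that also uses /Create and /XML, from a non-temporary path.
LOADER = r"C:\Users\Admin\AppData\Local\Temp\8c0ee1047417c73e05ff20905963357e_JaffaCakes118.exe"
SAMPLE_RECORDS = [
    {"image": LOADER, "parent_image": None, "cmdline": f'"{LOADER}"'},
    {"image": r"C:\Windows\SysWOW64\schtasks.exe", "parent_image": LOADER,
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LyTtZRlfdo" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB93E.tmp"'},
    {"image": r"C:\Windows\System32\schtasks.exe", "parent_image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r'schtasks.exe /Create /TN "Microsoft\Windows\Defrag\ScheduledDefrag" /XML "C:\ProgramData\Defrag\task.xml"'},
]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
TMP_NAME = re.compile(r"^tmp[0-9A-F]{1,4}\.tmp$", re.IGNORECASE)  # GetTempFileName() naming


@dataclass
class Finding:
    image: str
    task_name: Optional[str]
    xml_path: str
    reasons: List[str]


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping double-quoted spans intact."""
    return [quoted if quoted else bare for quoted, bare in _TOKEN.findall(cmdline)]


def parse_schtasks(cmdline: str) -> Optional[dict]:
    """Return the /Create, /TN and /XML arguments of a schtasks command line,
    or None when the command line does not invoke schtasks.exe."""
    toks = tokenize(cmdline)
    if not toks or not toks[0].lower().endswith("schtasks.exe"):
        return None
    opts = {"create": False, "tn": None, "xml": None}
    i = 1
    while i < len(toks):
        t = toks[i].lower()
        if t == "/create":
            opts["create"] = True
        elif t in ("/tn", "/xml") and i + 1 < len(toks):
            opts[t[1:]] = toks[i + 1]  # value is the next token
            i += 1
        i += 1
    return opts


def assess(record: dict) -> Optional[Finding]:
    """Score one process-creation record against the temp-XML task-import pattern."""
    opts = parse_schtasks(record["cmdline"])
    if not opts or not opts["create"] or not opts["xml"]:
        return None
    reasons = []
    xml, tn = opts["xml"], opts["tn"] or ""
    if TEMP_DIR.search(xml):
        reasons.append("task XML read from %LOCALAPPDATA%\\Temp")
    if TMP_NAME.match(xml.rsplit("\\", 1)[-1]):
        reasons.append("task XML has a GetTempFileName-style name (tmpXXXX.tmp)")
    if tn.lower().startswith("updates\\"):
        reasons.append("task registered under the Updates\\ folder, as in this report")
    parent = record.get("parent_image")
    if parent and TEMP_DIR.search(parent):
        reasons.append("parent process runs from %LOCALAPPDATA%\\Temp")
    # Require two independent signals so an installer importing its own XML task is not flagged.
    return Finding(record["image"], opts["tn"], xml, reasons) if len(reasons) >= 2 else None


def find_persistence(records: List[dict]) -> List[Finding]:
    """Run assess() over a batch of records and keep the hits."""
    return [f for f in (assess(r) for r in records) if f]


if __name__ == "__main__":
    for hit in find_persistence(SAMPLE_RECORDS):
        print(f"{hit.image}\n  task={hit.task_name} xml={hit.xml_path}")
        for reason in hit.reasons:
            print(f"  - {reason}")
```

The two-signal threshold is the practical knob: a lone /XML import from a non-temporary directory by a signed installer scores zero, while the loader's invocation on this page scores on all four signals. Matching on the tokenized arguments rather than a raw substring also survives quoting and case variations in the command line.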
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 153.141.79.40.in-addr.arpa | udp |
Files
memory/1988-1-0x0000000074630000-0x0000000074DE0000-memory.dmp
memory/1988-0-0x00000000002D0000-0x00000000003A6000-memory.dmp
memory/1988-2-0x0000000004D20000-0x0000000004DBC000-memory.dmp
memory/1988-3-0x0000000005370000-0x0000000005914000-memory.dmp
memory/1988-4-0x0000000004E60000-0x0000000004EF2000-memory.dmp
memory/1988-6-0x0000000004E10000-0x0000000004E1A000-memory.dmp
memory/1988-5-0x00000000050B0000-0x00000000050C0000-memory.dmp
memory/1988-7-0x0000000005050000-0x00000000050A6000-memory.dmp
memory/1988-8-0x0000000005210000-0x0000000005224000-memory.dmp
memory/1988-9-0x0000000074630000-0x0000000074DE0000-memory.dmp
memory/1988-10-0x00000000050B0000-0x00000000050C0000-memory.dmp
memory/1988-11-0x00000000061B0000-0x0000000006238000-memory.dmp
memory/1988-12-0x0000000009F80000-0x0000000009FB4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpB93E.tmp
| MD5 | 5a560e66047871247de8af1279e74c2e |
| SHA1 | d31a5bd508a8fe936a4f5972c91ba694b4ba239c |
| SHA256 | 4826ee7b9725ad506329816580219aeae4bdf869c354111d11430ea964e71dde |
| SHA512 | fb7cce92cf6959d6729ab04c0f79d638a2385f09547247ca75d59bbbdd9e6ec0f8a20f8e73dfd64ebdcb3c6fc2d965ac294f615b00701a92737beef4b0df0b44 |
memory/1552-16-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1988-18-0x0000000074630000-0x0000000074DE0000-memory.dmp
memory/1552-19-0x0000000001A30000-0x0000000001D7A000-memory.dmp
memory/1552-20-0x0000000001A30000-0x0000000001D7A000-memory.dmp
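The memory dump names above encode per-process regions as memory/<pid>-<sequence>-0x<start>-0x<end>, with the sequence number shared across processes. Read together with the SetThreadContext indicator (1988 into 1552) they show the hollowing pattern: the loader's own image sits at 0x2D0000 in PID 1988, while PID 1552, a second instance of the same executable launched as "{path}", acquires a 0x2F000-byte region at 0x400000, the default image base of a non-relocated 32-bit PE, which is where the injected Formbook payload lands before the thread context is redirected into it. The Python below is an added example, not the sandbox's own code, that parses these names and the indicator text and reports that pattern; the verdict wording is this example's own.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Region list and indicator copied from the behavioral2 run of this report.
DUMPS = [
    "memory/1988-1-0x0000000074630000-0x0000000074DE0000-memory.dmp",
    "memory/1988-0-0x00000000002D0000-0x00000000003A6000-memory.dmp",
    "memory/1988-2-0x0000000004D20000-0x0000000004DBC000-memory.dmp",
    "memory/1988-3-0x0000000005370000-0x0000000005914000-memory.dmp",
    "memory/1988-4-0x0000000004E60000-0x0000000004EF2000-memory.dmp",
    "memory/1988-6-0x0000000004E10000-0x0000000004E1A000-memory.dmp",
    "memory/1988-5-0x00000000050B0000-0x00000000050C0000-memory.dmp",
    "memory/1988-7-0x0000000005050000-0x00000000050A6000-memory.dmp",
    "memory/1988-8-0x0000000005210000-0x0000000005224000-memory.dmp",
    "memory/1988-9-0x0000000074630000-0x0000000074DE0000-memory.dmp",
    "memory/1988-10-0x00000000050B0000-0x00000000050C0000-memory.dmp",
    "memory/1988-11-0x00000000061B0000-0x0000000006238000-memory.dmp",
    "memory/1988-12-0x0000000009F80000-0x0000000009FB4000-memory.dmp",
    "memory/1552-16-0x0000000000400000-0x000000000042F000-memory.dmp",
    "memory/1988-18-0x0000000074630000-0x0000000074DE0000-memory.dmp",
    "memory/1552-19-0x0000000001A30000-0x0000000001D7A000-memory.dmp",
    "memory/1552-20-0x0000000001A30000-0x0000000001D7A000-memory.dmp",
]
EVENTS = ["PID 1988 set thread context of 1552"]

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
CTX_RE = re.compile(r"PID (?P<src>\d+) set thread context of (?P<dst>\d+)")
DEFAULT_IMAGE_BASE = 0x00400000  # linker default for a 32-bit EXE that was not relocated

Region = Tuple[int, int, int]  # (sequence, start, end)


def parse_dumps(names: List[str]) -> Dict[int, List[Region]]:
    """Group dump names by PID, ordered by the sandbox's global sequence number."""
    regions: Dict[int, List[Region]] = defaultdict(list)
    for name in names:
        m = DUMP_RE.match(name)
        if not m:
            continue  # file entries are listed alongside dumps; skip them
        regions[int(m["pid"])].append((int(m["seq"]), int(m["start"], 16), int(m["end"], 16)))
    for pid in regions:
        regions[pid].sort()
    return dict(regions)


def hollowing_indicators(names: List[str], events: List[str]) -> List[dict]:
    """For each SetThreadContext indicator, check whether the target acquires a region at
    the default image base that the source process never maps itself, and whether the
    target's first dump follows the source's activity in sequence order."""
    regions = parse_dumps(names)
    findings = []
    for event in events:
        m = CTX_RE.search(event)
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        src_regions, dst_regions = regions.get(src, []), regions.get(dst, [])
        src_bases = {start for _, start, _ in src_regions}
        at_base = [r for r in dst_regions if r[1] == DEFAULT_IMAGE_BASE]
        first_dst_seq = min((r[0] for r in dst_regions), default=None)
        finding = {
            "source": src,
            "target": dst,
            "target_region_at_default_base": bool(at_base),
            "payload_size": (at_base[0][2] - at_base[0][1]) if at_base else None,
            "source_maps_default_base": DEFAULT_IMAGE_BASE in src_bases,
            "first_target_seq": first_dst_seq,
            "source_dumps_before_target": sum(
                1 for r in src_regions if first_dst_seq is not None and r[0] < first_dst_seq
            ),
        }
        if finding["target_region_at_default_base"] and not finding["source_maps_default_base"]:
            finding["verdict"] = "likely process hollowing: PE-sized region at 0x400000 appears only in the target"
        else:
            finding["verdict"] = "inconclusive"
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in hollowing_indicators(DUMPS, EVENTS):
        print(f"{f['source']} -> {f['target']}: {f['verdict']} (payload 0x{f['payload_size']:X} bytes)")
```

The check deliberately compares the target's 0x400000 region against the bases the source ever maps: the loader is ASLR-relocated to 0x2D0000, so a fresh image-sized mapping at the unrelocated default base in the child is the payload, not the child's own copy of the executable. The size it recovers, 0x2F000, is the figure to carve from the 1552-16 dump for payload extraction.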
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-02 12:03
Reported
2024-04-02 12:05
Platform
win7-20240221-en
Max time kernel
122s
Max time network
125s
Command Line: (none recorded)
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2172 set thread context of 2568 | N/A | C:\Users\Admin\AppData\Local\Temp\8c0ee1047417c73e05ff20905963357e_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\8c0ee1047417c73e05ff20905963357e_JaffaCakes118.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8c0ee1047417c73e05ff20905963357e_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8c0ee1047417c73e05ff20905963357e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8c0ee1047417c73e05ff20905963357e_JaffaCakes118.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LyTtZRlfdo" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC6E7.tmp"
C:\Users\Admin\AppData\Local\Temp\8c0ee1047417c73e05ff20905963357e_JaffaCakes118.exe
"{path}"
Network: (no entries recorded)
Files
memory/2172-0-0x0000000000860000-0x0000000000936000-memory.dmp
memory/2172-1-0x0000000074EA0000-0x000000007558E000-memory.dmp
memory/2172-2-0x0000000004D60000-0x0000000004DA0000-memory.dmp
memory/2172-3-0x0000000000310000-0x0000000000324000-memory.dmp
memory/2172-4-0x0000000074EA0000-0x000000007558E000-memory.dmp
memory/2172-5-0x0000000004C70000-0x0000000004CF8000-memory.dmp
memory/2172-6-0x0000000000700000-0x0000000000734000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpC6E7.tmp
| MD5 | 104838440e89532dcfafabcf31400a63 |
| SHA1 | f843fbc4fc17a082802c23e93b65069a2f0366f0 |
| SHA256 | 9e35bfee45baf8b4698b2140326a4ba5c51b25b29340b90b5cac9b376830a921 |
| SHA512 | 3c6da5cc8b90da07c36de0c5676a44f616863ce794129dd285c7cdb4f1bb255b4c0e8657a86d71ffcb2da643b46ec285691940617dfd2466d780df30cd60b703 |
memory/2568-10-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2568-11-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2568-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2568-14-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2172-15-0x0000000074EA0000-0x000000007558E000-memory.dmp
memory/2568-16-0x0000000000C10000-0x0000000000F13000-memory.dmp