Analysis Overview
SHA256
51163ba8395c234d2bca072d4df6127c486b552582087f47eaee929749142eff
Threat Level: Known bad
The file a94f77319fe290f434b31daecd83eddb_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Formbook
Formbook payload
Checks computer location settings
Deletes itself
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious behavior: MapViewOfSection
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-03 23:15
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-03 23:15
Reported
2024-04-03 23:18
Platform
win7-20240221-en
Max time kernel
146s
Max time network
123s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2904 set thread context of 2836 | N/A | C:\Users\Admin\AppData\Local\Temp\Bulletin de paiement.exe | C:\Users\Admin\AppData\Local\Temp\Bulletin de paiement.exe |
| PID 2836 set thread context of 1196 | N/A | C:\Users\Admin\AppData\Local\Temp\Bulletin de paiement.exe | C:\Windows\Explorer.EXE |
| PID 2836 set thread context of 1196 | N/A | C:\Users\Admin\AppData\Local\Temp\Bulletin de paiement.exe | C:\Windows\Explorer.EXE |
| PID 2780 set thread context of 1196 | N/A | C:\Windows\SysWOW64\systray.exe | C:\Windows\Explorer.EXE |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bulletin de paiement.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bulletin de paiement.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bulletin de paiement.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bulletin de paiement.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\systray.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\systray.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Bulletin de paiement.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Bulletin de paiement.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\systray.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\Bulletin de paiement.exe | "C:\Users\Admin\AppData\Local\Temp\Bulletin de paiement.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DlhDrhEGby" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBD85.tmp" |
| C:\Users\Admin\AppData\Local\Temp\Bulletin de paiement.exe | "C:\Users\Admin\AppData\Local\Temp\Bulletin de paiement.exe" |
| C:\Windows\SysWOW64\systray.exe | "C:\Windows\SysWOW64\systray.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Users\Admin\AppData\Local\Temp\Bulletin de paiement.exe" |
Network
Files
memory/2904-0-0x0000000000BC0000-0x0000000000C2A000-memory.dmp
memory/2904-1-0x00000000744E0000-0x0000000074BCE000-memory.dmp
memory/2904-2-0x0000000004ED0000-0x0000000004F10000-memory.dmp
memory/2904-3-0x00000000005D0000-0x00000000005DE000-memory.dmp
memory/2904-4-0x00000000744E0000-0x0000000074BCE000-memory.dmp
memory/2904-5-0x0000000004ED0000-0x0000000004F10000-memory.dmp
memory/2904-6-0x0000000004820000-0x0000000004876000-memory.dmp
memory/2836-12-0x0000000000400000-0x000000000042E000-memory.dmp
memory/2836-14-0x0000000000400000-0x000000000042E000-memory.dmp
memory/2836-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2836-18-0x0000000000400000-0x000000000042E000-memory.dmp
memory/2904-19-0x00000000744E0000-0x0000000074BCE000-memory.dmp
memory/2836-20-0x0000000000C30000-0x0000000000F33000-memory.dmp
memory/1196-23-0x0000000003110000-0x0000000003210000-memory.dmp
memory/2836-24-0x0000000000140000-0x0000000000154000-memory.dmp
memory/2836-22-0x0000000000400000-0x000000000042E000-memory.dmp
memory/1196-25-0x0000000006B90000-0x0000000006CAB000-memory.dmp
memory/1196-27-0x0000000006B90000-0x0000000006CAB000-memory.dmp
memory/2836-28-0x0000000000400000-0x000000000042E000-memory.dmp
memory/2836-29-0x00000000002F0000-0x0000000000304000-memory.dmp
memory/1196-30-0x0000000006E90000-0x0000000006FDA000-memory.dmp
memory/2780-32-0x0000000000F00000-0x0000000000F05000-memory.dmp
memory/2780-31-0x0000000000F00000-0x0000000000F05000-memory.dmp
memory/2780-34-0x0000000000A00000-0x0000000000D03000-memory.dmp
memory/2780-33-0x0000000000080000-0x00000000000AE000-memory.dmp
memory/2780-35-0x0000000000080000-0x00000000000AE000-memory.dmp
memory/2780-37-0x00000000008F0000-0x0000000000983000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-03 23:15
Reported
2024-04-03 23:18
Platform
win10v2004-20240226-en
Max time kernel
153s
Max time network
157s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Bulletin de paiement.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3272 set thread context of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\Bulletin de paiement.exe | C:\Users\Admin\AppData\Local\Temp\Bulletin de paiement.exe |
| PID 2876 set thread context of 3240 | N/A | C:\Users\Admin\AppData\Local\Temp\Bulletin de paiement.exe | C:\Windows\Explorer.EXE |
| PID 1256 set thread context of 3240 | N/A | C:\Windows\SysWOW64\raserver.exe | C:\Windows\Explorer.EXE |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bulletin de paiement.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bulletin de paiement.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bulletin de paiement.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\raserver.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\raserver.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Bulletin de paiement.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Bulletin de paiement.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\raserver.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\Bulletin de paiement.exe | "C:\Users\Admin\AppData\Local\Temp\Bulletin de paiement.exe" |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8 |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DlhDrhEGby" /XML "C:\Users\Admin\AppData\Local\Temp\tmp97D6.tmp" |
| C:\Users\Admin\AppData\Local\Temp\Bulletin de paiement.exe | "C:\Users\Admin\AppData\Local\Temp\Bulletin de paiement.exe" |
| C:\Windows\SysWOW64\raserver.exe | "C:\Windows\SysWOW64\raserver.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Users\Admin\AppData\Local\Temp\Bulletin de paiement.exe" |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.110.86.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.20revcoe.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 142.250.187.234:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 234.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.88finxe.com | udp |
| US | 8.8.8.8:53 | www.xn--gstemappe-v2a.digital | udp |
| US | 8.8.8.8:53 | 26.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
memory/3272-0-0x0000000074F30000-0x00000000756E0000-memory.dmp
memory/3272-1-0x0000000000710000-0x000000000077A000-memory.dmp
memory/3272-2-0x0000000005760000-0x0000000005D04000-memory.dmp
memory/3272-3-0x00000000051B0000-0x0000000005242000-memory.dmp
memory/3272-4-0x00000000053B0000-0x00000000053C0000-memory.dmp
memory/3272-5-0x0000000005130000-0x000000000513A000-memory.dmp
memory/3272-6-0x0000000006540000-0x000000000654E000-memory.dmp
memory/3272-7-0x0000000074F30000-0x00000000756E0000-memory.dmp
memory/3272-8-0x00000000053B0000-0x00000000053C0000-memory.dmp
memory/3272-9-0x0000000007BC0000-0x0000000007C5C000-memory.dmp
memory/3272-10-0x0000000007CB0000-0x0000000007D06000-memory.dmp
memory/2876-16-0x0000000000400000-0x000000000042E000-memory.dmp
memory/3272-18-0x0000000074F30000-0x00000000756E0000-memory.dmp
memory/2876-19-0x00000000019E0000-0x0000000001D2A000-memory.dmp
memory/2876-21-0x0000000000400000-0x000000000042E000-memory.dmp
memory/2876-22-0x0000000001D50000-0x0000000001D64000-memory.dmp
memory/3240-23-0x00000000081E0000-0x0000000008345000-memory.dmp
memory/1256-26-0x0000000000430000-0x000000000044F000-memory.dmp
memory/1256-27-0x0000000001200000-0x000000000122E000-memory.dmp
memory/1256-24-0x0000000000430000-0x000000000044F000-memory.dmp
memory/1256-28-0x0000000003100000-0x000000000344A000-memory.dmp
memory/1256-29-0x0000000001200000-0x000000000122E000-memory.dmp
memory/1256-31-0x0000000002F40000-0x0000000002FD3000-memory.dmp
memory/3240-32-0x00000000081E0000-0x0000000008345000-memory.dmp
memory/3240-35-0x0000000002B10000-0x0000000002BB8000-memory.dmp
memory/3240-36-0x0000000002B10000-0x0000000002BB8000-memory.dmp
memory/3240-39-0x0000000002B10000-0x0000000002BB8000-memory.dmp