Analysis Overview
SHA256
d7fa1327e8e502c0658dc031eac50affd1a40ec45aee6c0110d61d0ebe9744a5
Threat Level: Known bad
The file a172b261614d5d5d0513ecfa06bc5711_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Formbook
Formbook payload
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-03 05:32
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-03 05:32
Reported
2024-04-03 05:35
Platform
win7-20240319-en
Max time kernel
120s
Max time network
123s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2348 set thread context of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\a172b261614d5d5d0513ecfa06bc5711_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\a172b261614d5d5d0513ecfa06bc5711_JaffaCakes118.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a172b261614d5d5d0513ecfa06bc5711_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a172b261614d5d5d0513ecfa06bc5711_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a172b261614d5d5d0513ecfa06bc5711_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a172b261614d5d5d0513ecfa06bc5711_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a172b261614d5d5d0513ecfa06bc5711_JaffaCakes118.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VKyccEisJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAE49.tmp"
C:\Users\Admin\AppData\Local\Temp\a172b261614d5d5d0513ecfa06bc5711_JaffaCakes118.exe
"{path}"
Network
Files
memory/2348-0-0x0000000000DE0000-0x0000000000ED2000-memory.dmp
memory/2348-1-0x00000000749E0000-0x00000000750CE000-memory.dmp
memory/2348-2-0x0000000004E10000-0x0000000004E50000-memory.dmp
memory/2348-3-0x00000000004F0000-0x0000000000504000-memory.dmp
memory/2348-4-0x00000000749E0000-0x00000000750CE000-memory.dmp
memory/2348-5-0x0000000004E10000-0x0000000004E50000-memory.dmp
memory/2348-6-0x0000000005A20000-0x0000000005AC4000-memory.dmp
memory/2348-7-0x0000000004900000-0x0000000004956000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpAE49.tmp
| Hash | Value |
|---|---|
| MD5 | e7f257a54ac969b278c1f5a38462c2c2 |
| SHA1 | 95c897fe20965beb852af4cc567076de90e235e7 |
| SHA256 | 6a72638a56ba5797cef38249193e24d5cce413e0c7e0128c76efc1116fb0f42a |
| SHA512 | d6291da4509b4333ad1cdfa62fcb4f62d5c631f23ac841afc48265e9a993c36baf118ec95167887a34566eb462c83c16579d70110885c1b10ece07df9dc3c139 |
memory/2552-11-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2552-13-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2552-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2552-17-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2552-18-0x0000000000860000-0x0000000000B63000-memory.dmp
memory/2348-19-0x00000000749E0000-0x00000000750CE000-memory.dmp
memory/2552-20-0x0000000000860000-0x0000000000B63000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-03 05:32
Reported
2024-04-03 05:35
Platform
win10v2004-20240226-en
Max time kernel
142s
Max time network
151s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a172b261614d5d5d0513ecfa06bc5711_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3656 set thread context of 1536 | N/A | C:\Users\Admin\AppData\Local\Temp\a172b261614d5d5d0513ecfa06bc5711_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\a172b261614d5d5d0513ecfa06bc5711_JaffaCakes118.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a172b261614d5d5d0513ecfa06bc5711_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a172b261614d5d5d0513ecfa06bc5711_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a172b261614d5d5d0513ecfa06bc5711_JaffaCakes118.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VKyccEisJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp85D5.tmp"
C:\Users\Admin\AppData\Local\Temp\a172b261614d5d5d0513ecfa06bc5711_JaffaCakes118.exe
"{path}"
C:\Users\Admin\AppData\Local\Temp\a172b261614d5d5d0513ecfa06bc5711_JaffaCakes118.exe
"{path}"
C:\Users\Admin\AppData\Local\Temp\a172b261614d5d5d0513ecfa06bc5711_JaffaCakes118.exe
"{path}"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4064 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| GB | 142.250.178.10:443 | | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.110.86.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| GB | 23.44.234.16:80 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.33.115.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.173.189.20.in-addr.arpa | udp |
Files
memory/3656-0-0x00000000752D0000-0x0000000075A80000-memory.dmp
memory/3656-1-0x0000000000960000-0x0000000000A52000-memory.dmp
memory/3656-2-0x00000000053C0000-0x000000000545C000-memory.dmp
memory/3656-3-0x0000000005A80000-0x0000000006024000-memory.dmp
memory/3656-4-0x0000000005570000-0x0000000005602000-memory.dmp
memory/3656-5-0x0000000005790000-0x00000000057A0000-memory.dmp
memory/3656-6-0x00000000054A0000-0x00000000054AA000-memory.dmp
memory/3656-7-0x0000000005610000-0x0000000005666000-memory.dmp
memory/3656-8-0x0000000005510000-0x0000000005532000-memory.dmp
memory/3656-9-0x0000000004E40000-0x0000000004E54000-memory.dmp
memory/3656-10-0x00000000752D0000-0x0000000075A80000-memory.dmp
memory/3656-11-0x0000000005790000-0x00000000057A0000-memory.dmp
memory/3656-12-0x0000000007F50000-0x0000000007FF4000-memory.dmp
memory/3656-13-0x0000000006870000-0x00000000068C6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp85D5.tmp
| Hash | Value |
|---|---|
| MD5 | 7bc8a8bb6b33f649ab3a673564d2df08 |
| SHA1 | 0795794ddbb61dbeba87db39b80d72d10626da10 |
| SHA256 | 29b3ce8753817f1c1dde4993e31cac3e0b39d0efe8019800fc9e97ec7b6d98b6 |
| SHA512 | f5b4a7a573d5249221a93f9fffb8fa61f9c48f25ab5a212a97b9eae5933aa12c3d15479915c25119a6be26a18bc0aca072cc61d10a2a666bee675049000fd996 |
memory/1536-17-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3656-19-0x00000000752D0000-0x0000000075A80000-memory.dmp
memory/1536-20-0x0000000001680000-0x00000000019CA000-memory.dmp