Analysis Overview
SHA256
e6aaec2b958d4b734ff02c7c63b7e24a619eef826efb16b955ebe5306b9953aa
Threat Level: Known bad
The file bfb2b5d00165cb4984c29c172e0dad8d_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Formbook
Formbook payload
Loads dropped DLL
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
NSIS installer
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-04 18:34
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-04 18:34
Reported
2024-04-04 18:36
Platform
win7-20231129-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bfb2b5d00165cb4984c29c172e0dad8d_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2264 set thread context of 2180 | N/A | C:\Users\Admin\AppData\Local\Temp\bfb2b5d00165cb4984c29c172e0dad8d_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\bfb2b5d00165cb4984c29c172e0dad8d_JaffaCakes118.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bfb2b5d00165cb4984c29c172e0dad8d_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\bfb2b5d00165cb4984c29c172e0dad8d_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\bfb2b5d00165cb4984c29c172e0dad8d_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Local\Temp\bfb2b5d00165cb4984c29c172e0dad8d_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\bfb2b5d00165cb4984c29c172e0dad8d_JaffaCakes118.exe" |
Network
Files
\Users\Admin\AppData\Local\Temp\nstFAD4.tmp\irjzbmbgo.dll
| MD5 | 3525f0279729cb34e886c8a83b5ce9c8 |
| SHA1 | b6edfeff839616e0155026cabed1e48de96a9063 |
| SHA256 | 082c9b72407d063bb96c2830bcaf5f285d2d616e8a8d729a52b39ccbd30b8211 |
| SHA512 | 2c74fc1a977204adb58a1af19850fa705716ca5c9b1d42f2b0d84dfe14a2e5c6af5f9e158b4cc132c1874de3b67cdd422cfc00e0dad63982718d5d0ce5f31f55 |
memory/2264-7-0x0000000074830000-0x000000007483B000-memory.dmp
memory/2180-9-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2264-10-0x0000000074830000-0x000000007483B000-memory.dmp
memory/2180-13-0x00000000006F0000-0x00000000009F3000-memory.dmp
memory/2180-14-0x00000000006F0000-0x00000000009F3000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-04 18:34
Reported
2024-04-04 18:37
Platform
win10v2004-20240226-en
Max time kernel
120s
Max time network
157s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bfb2b5d00165cb4984c29c172e0dad8d_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2664 set thread context of 1344 | N/A | C:\Users\Admin\AppData\Local\Temp\bfb2b5d00165cb4984c29c172e0dad8d_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\bfb2b5d00165cb4984c29c172e0dad8d_JaffaCakes118.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bfb2b5d00165cb4984c29c172e0dad8d_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bfb2b5d00165cb4984c29c172e0dad8d_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\bfb2b5d00165cb4984c29c172e0dad8d_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\bfb2b5d00165cb4984c29c172e0dad8d_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Local\Temp\bfb2b5d00165cb4984c29c172e0dad8d_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\bfb2b5d00165cb4984c29c172e0dad8d_JaffaCakes118.exe" |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5092 --field-trial-handle=3084,i,11997299123381683778,5904351605020331957,262144 --variations-seed-version /prefetch:8 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.66.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.86.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 216.58.212.202:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 202.212.58.216.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsa8761.tmp\irjzbmbgo.dll
| MD5 | 3525f0279729cb34e886c8a83b5ce9c8 |
| SHA1 | b6edfeff839616e0155026cabed1e48de96a9063 |
| SHA256 | 082c9b72407d063bb96c2830bcaf5f285d2d616e8a8d729a52b39ccbd30b8211 |
| SHA512 | 2c74fc1a977204adb58a1af19850fa705716ca5c9b1d42f2b0d84dfe14a2e5c6af5f9e158b4cc132c1874de3b67cdd422cfc00e0dad63982718d5d0ce5f31f55 |
memory/2664-5-0x0000000074410000-0x000000007441B000-memory.dmp
memory/1344-9-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2664-10-0x0000000074410000-0x000000007441B000-memory.dmp
memory/1344-11-0x0000000000A30000-0x0000000000D7A000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-04 18:34
Reported
2024-04-04 18:36
Platform
win7-20240221-en
Max time kernel
148s
Max time network
118s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2228 set thread context of 2172 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2172 set thread context of 1204 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\Explorer.EXE |
| PID 1700 set thread context of 1204 | N/A | C:\Windows\SysWOW64\colorcpl.exe | C:\Windows\Explorer.EXE |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\colorcpl.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\colorcpl.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\irjzbmbgo.dll,#1 |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\irjzbmbgo.dll,#1 |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\irjzbmbgo.dll,#1 |
| C:\Windows\SysWOW64\colorcpl.exe | "C:\Windows\SysWOW64\colorcpl.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Windows\SysWOW64\rundll32.exe" |
Network
Files
memory/2228-0-0x0000000075410000-0x000000007541B000-memory.dmp
memory/2228-1-0x0000000075400000-0x000000007540B000-memory.dmp
memory/2228-2-0x0000000075410000-0x000000007541B000-memory.dmp
memory/2228-3-0x0000000075400000-0x000000007540B000-memory.dmp
memory/2172-4-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2228-6-0x0000000075400000-0x000000007540B000-memory.dmp
memory/2228-5-0x0000000075410000-0x000000007541B000-memory.dmp
memory/2172-8-0x00000000021E0000-0x00000000024E3000-memory.dmp
memory/1204-10-0x0000000003160000-0x0000000003260000-memory.dmp
memory/2172-11-0x00000000001A0000-0x00000000001B4000-memory.dmp
memory/2172-9-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1204-12-0x0000000004D40000-0x0000000004E2C000-memory.dmp
memory/1700-13-0x00000000004E0000-0x00000000004F8000-memory.dmp
memory/1700-14-0x00000000004E0000-0x00000000004F8000-memory.dmp
memory/1700-15-0x0000000000080000-0x00000000000AF000-memory.dmp
memory/1700-16-0x0000000002430000-0x0000000002733000-memory.dmp
memory/1700-17-0x0000000000080000-0x00000000000AF000-memory.dmp
memory/1700-20-0x0000000001E00000-0x0000000001E93000-memory.dmp
memory/1204-21-0x0000000004D40000-0x0000000004E2C000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-04-04 18:34
Reported
2024-04-04 18:36
Platform
win10v2004-20240226-en
Max time kernel
92s
Max time network
118s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4680 wrote to memory of 648 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4680 wrote to memory of 648 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4680 wrote to memory of 648 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 648 wrote to memory of 4448 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 648 wrote to memory of 4448 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 648 wrote to memory of 4448 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
| Process | Command line |
| C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\irjzbmbgo.dll,#1 |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\irjzbmbgo.dll,#1 |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\irjzbmbgo.dll,#1 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.77.24.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.162.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.66.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.66.18.2.in-addr.arpa | udp |
Files
memory/648-0-0x0000000074930000-0x000000007493B000-memory.dmp
memory/648-1-0x0000000074930000-0x000000007493B000-memory.dmp
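Added example, not part of this report or of the sandbox's own tooling: the script below parses the "PID X set thread context of Y" and "PID X wrote to memory of Y" indicator strings from the behavioral3 (SetThreadContext) and behavioral4 (WriteProcessMemory) signature tables above and rebuilds the injection chain they describe: rundll32.exe 2228 takes over a second rundll32.exe (2172), which in turn targets Explorer.EXE (1204), and colorcpl.exe (1700) also targets Explorer.EXE. It also checks, per run, for source/target pairs that show both a memory write and a SetThreadContext, the write-then-hijack sequence of process hollowing; on this page the two signals appear in different runs (behavioral3's WriteProcessMemory table is empty and behavioral4 has no SetThreadContext rows), so that check comes back empty for both. The sample rows are copied from the tables above; the function names and the classification labels are this example's own assumptions.

```python
import re
from collections import defaultdict

# Added example (not from the original report): rebuild the injection chain
# from the "PID X set thread context of Y" / "PID X wrote to memory of Y"
# indicator strings that this report's signature tables use.

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) (?P<dst>\d+)$"
)

# (Description, Process, Target) triples copied from the behavioral3 and
# behavioral4 tables on this page; constructed sample input for the example.
BEHAVIORAL3 = [
    ("PID 2228 set thread context of 2172",
     r"C:\Windows\SysWOW64\rundll32.exe", r"C:\Windows\SysWOW64\rundll32.exe"),
    ("PID 2172 set thread context of 1204",
     r"C:\Windows\SysWOW64\rundll32.exe", r"C:\Windows\Explorer.EXE"),
    ("PID 1700 set thread context of 1204",
     r"C:\Windows\SysWOW64\colorcpl.exe", r"C:\Windows\Explorer.EXE"),
]
# behavioral4 lists each WriteProcessMemory row three times, as the report does.
BEHAVIORAL4 = [
    ("PID 4680 wrote to memory of 648",
     r"C:\Windows\system32\rundll32.exe", r"C:\Windows\SysWOW64\rundll32.exe"),
] * 3 + [
    ("PID 648 wrote to memory of 4448",
     r"C:\Windows\SysWOW64\rundll32.exe", r"C:\Windows\SysWOW64\rundll32.exe"),
] * 3


def parse_rows(rows):
    """Signature rows -> unique (src_pid, verb, dst_pid, src_image, dst_image) tuples."""
    events = []
    for desc, proc, target in rows:
        m = ROW_RE.match(desc)
        if not m:            # rows the report left as N/A carry no PIDs
            continue
        events.append((int(m["src"]), m["verb"], int(m["dst"]), proc, target))
    return list(dict.fromkeys(events))   # drop the repeated rows, keep order


def injection_chain(events):
    """Longest src->dst path through write/SetThreadContext edges, starting at a
    PID nobody injected into (the process that began the chain)."""
    g = defaultdict(set)
    for src, _, dst, _, _ in events:
        g[src].add(dst)
    targets = {d for ds in g.values() for d in ds}
    best = []

    def walk(pid, path, seen):
        nonlocal best
        path = path + [pid]
        if len(path) > len(best):
            best = path
        for nxt in sorted(g.get(pid, ())):
            if nxt not in seen:
                walk(nxt, path, seen | {nxt})

    for root in sorted(s for s in g if s not in targets):
        walk(root, [], {root})
    return best


def injectors_of(events, pid):
    """Every PID that wrote into or set the thread context of `pid`."""
    return {src for src, _, dst, _, _ in events if dst == pid}


def hollowing_pairs(events):
    """(src, dst) pairs seen with BOTH a memory write and a SetThreadContext:
    the classic write-then-hijack sequence of process hollowing."""
    wrote = {(s, d) for s, v, d, _, _ in events if v == "wrote to memory of"}
    ctx = {(s, d) for s, v, d, _, _ in events if v == "set thread context of"}
    return wrote & ctx


def classify(event):
    """Label one event; the labels are this example's own, not the sandbox's."""
    _, _, _, src_img, dst_img = event
    src_name = src_img.rsplit("\\", 1)[-1].lower()
    dst_name = dst_img.rsplit("\\", 1)[-1].lower()
    if dst_name == "explorer.exe":
        return "injection into shell"      # Explorer.EXE as the long-lived host
    if src_name == dst_name:
        return "same-image child"          # a relaunched copy of the same binary
    return "cross-image injection"


def summarise(rows):
    events = parse_rows(rows)
    return {
        "chain": injection_chain(events),
        "labels": [classify(e) for e in events],
        "hollowing_pairs": hollowing_pairs(events),
    }


if __name__ == "__main__":
    for name, rows in (("behavioral3", BEHAVIORAL3), ("behavioral4", BEHAVIORAL4)):
        print(name, summarise(rows))
```

`injection_chain` treats any PID that is never a target as a chain root and returns the longest path, so for behavioral3 it reports 2228 → 2172 → 1204 rather than the shorter colorcpl.exe → Explorer.EXE edge; `injectors_of(events, 1204)` lists both processes that reached Explorer.EXE. The same-image check compares file names only, because behavioral4's first write is from the 64-bit `system32\rundll32.exe` into its 32-bit `SysWOW64\rundll32.exe` child.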