Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-04-2024 02:17
Static task: static1
Behavioral task: behavioral1
Sample: c8199355d0ca0fe289ea4d1ee018ff47_JaffaCakes118.exe
Resource: win7-20231129-en
General
Target: c8199355d0ca0fe289ea4d1ee018ff47_JaffaCakes118.exe
Size: 1.0MB
MD5: c8199355d0ca0fe289ea4d1ee018ff47
SHA1: ac0428f426c0bda431bd80f6abab183ccd484d07
SHA256: 127262efb50609596b0597f1f357d75ff1dca0a0519fd8805d4fac1b288abae7
SHA512: 0f1f70ef0bbfa75b53a57549ef170d493b2706bbb8c41c2288fb831ace0dce902e6b9fa97834baf4b0adaa995df3767318055ad43b5bd366bbe257678f1da395
SSDEEP: 12288:jSMa7/gxmfOwwi0O2iNNHeIwbZhqQGo7w7xamI3XdqKbE0xsoI76JswNaSctMX:bA/08EO17eIKZh7UdvI3tBbG76J4M
Malware Config
Extracted
formbook
4.1
k9d0
flourishpodcast.xyz
xn--nga.group
music-tomato.com
motory.store
arrivehike.info
xn--diseowebseo-4db.com
centpourcentsons.com
qnnjja005.xyz
annielynnrose.com
darlaevans.com
door-maximum.com
chinataibaifen.com
stickerhicks.com
ta2gamesstudio.com
jendelanews.com
milestoneneuro.com
premierconciergehomes.com
exitcounter.com
jrsway.com
famurainmobiliaria.com
rutielvoitte.xyz
dhft.xyz
fshesan.com
farmaciavicentellaudesfmas.com
aolchattranscripts.com
huangzh.store
treybenson.com
globalnepalimusicaward.com
red0rangejuice.com
getfreemushrooms.net
miro24.icu
agiatektro.com
nature-hugreen.com
hiaey.online
mysupersol.com
ordermeikingpawtucket.com
xyaomao.com
epistledigital.com
robertgeniesse.com
6m8r6i.icu
metalodging.com
mailez1.net
fondoimpresadonna.com
suckhoemoingay26.website
palakasorel.rest
expanchemlcals.com
itfgf.xyz
hindiepustakalaya.com
axieinfiniti.net
med-news.club
geekgarment.com
sanaviiva.xyz
unicouno.com
northcromepoa.com
sanclementesportsacademy.com
ventasjustin.com
d7snv.xyz
yutasblog.com
kingcloud88.com
ijibejivv.xyz
routhchafe.com
arcane-sentinels.com
sscd5g.icu
seo-kumar.com
dotgroup-email.com
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: reg.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Windows Desktop.exe," | reg.exe

Formbook payload (4 IoCs)
  resource | yara_rule
  behavioral2/memory/4276-30-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
  behavioral2/memory/4276-36-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
  behavioral2/memory/4140-41-0x0000000001200000-0x000000000122F000-memory.dmp | formbook
  behavioral2/memory/4140-44-0x0000000001200000-0x000000000122F000-memory.dmp | formbook

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Processes: c8199355d0ca0fe289ea4d1ee018ff47_JaffaCakes118.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | c8199355d0ca0fe289ea4d1ee018ff47_JaffaCakes118.exe

Drops startup file (2 IoCs)
Processes: c8199355d0ca0fe289ea4d1ee018ff47_JaffaCakes118.exe
  description | ioc | process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Desktop.exe | c8199355d0ca0fe289ea4d1ee018ff47_JaffaCakes118.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Desktop.exe | c8199355d0ca0fe289ea4d1ee018ff47_JaffaCakes118.exe

Executes dropped EXE (2 IoCs)
Processes: Windows Desktop.exe, AddInProcess32.exe
  pid | process
  2264 | Windows Desktop.exe
  4276 | AddInProcess32.exe

Obfuscated with Agile.Net obfuscator (2 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  resource | yara_rule
  behavioral2/memory/636-7-0x00000000056F0000-0x0000000005718000-memory.dmp | agile_net
  behavioral2/memory/636-10-0x0000000005620000-0x0000000005630000-memory.dmp | agile_net

Suspicious use of SetThreadContext (3 IoCs)
Processes: Windows Desktop.exe, AddInProcess32.exe, cscript.exe
  description | pid | process | target process
  PID 2264 set thread context of 4276 | 2264 | Windows Desktop.exe | AddInProcess32.exe
  PID 4276 set thread context of 3576 | 4276 | AddInProcess32.exe | Explorer.EXE
  PID 4140 set thread context of 3576 | 4140 | cscript.exe | Explorer.EXE

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: c8199355d0ca0fe289ea4d1ee018ff47_JaffaCakes118.exe, Windows Desktop.exe, AddInProcess32.exe, cscript.exe
The 64 entries are repeated hits from the following four processes:
  pid | process
  636 | c8199355d0ca0fe289ea4d1ee018ff47_JaffaCakes118.exe
  2264 | Windows Desktop.exe
  4276 | AddInProcess32.exe
  4140 | cscript.exe

Suspicious behavior: MapViewOfSection (5 IoCs)
Processes: AddInProcess32.exe, cscript.exe
  pid | process
  4276 | AddInProcess32.exe
  4276 | AddInProcess32.exe
  4276 | AddInProcess32.exe
  4140 | cscript.exe
  4140 | cscript.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes: c8199355d0ca0fe289ea4d1ee018ff47_JaffaCakes118.exe, Windows Desktop.exe, AddInProcess32.exe, cscript.exe
  description | pid | process
  Token: SeDebugPrivilege | 636 | c8199355d0ca0fe289ea4d1ee018ff47_JaffaCakes118.exe
  Token: SeDebugPrivilege | 2264 | Windows Desktop.exe
  Token: SeDebugPrivilege | 4276 | AddInProcess32.exe
  Token: SeDebugPrivilege | 4140 | cscript.exe

Suspicious use of UnmapMainImage (1 IoC)
Processes: Explorer.EXE
  pid | process
  3576 | Explorer.EXE

Suspicious use of WriteProcessMemory (21 IoCs)
Processes: c8199355d0ca0fe289ea4d1ee018ff47_JaffaCakes118.exe, cmd.exe, Windows Desktop.exe, Explorer.EXE, cscript.exe
  description | pid | process | target process
  PID 636 wrote to memory of 2488 | 636 | c8199355d0ca0fe289ea4d1ee018ff47_JaffaCakes118.exe | cmd.exe (3 entries)
  PID 2488 wrote to memory of 4412 | 2488 | cmd.exe | reg.exe (3 entries)
  PID 636 wrote to memory of 2264 | 636 | c8199355d0ca0fe289ea4d1ee018ff47_JaffaCakes118.exe | Windows Desktop.exe (3 entries)
  PID 2264 wrote to memory of 4276 | 2264 | Windows Desktop.exe | AddInProcess32.exe (6 entries)
  PID 3576 wrote to memory of 4140 | 3576 | Explorer.EXE | cscript.exe (3 entries)
  PID 4140 wrote to memory of 2996 | 4140 | cscript.exe | cmd.exe (3 entries)
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3576
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\c8199355d0ca0fe289ea4d1ee018ff47_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c8199355d0ca0fe289ea4d1ee018ff47_JaffaCakes118.exe"
    PID: 636
    - Checks computer location settings
    - Drops startup file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Desktop.exe,"
      PID: 2488
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Desktop.exe,"
        PID: 4412
        - Modifies WinLogon for persistence

    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Desktop.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Desktop.exe"
      PID: 2264
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
        PID: 4276
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\autofmt.exe
    Command line: "C:\Windows\SysWOW64\autofmt.exe"
    PID: 2976

  C:\Windows\SysWOW64\cscript.exe
    Command line: "C:\Windows\SysWOW64\cscript.exe"
    PID: 4140
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
      PID: 2996
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 42KB
MD5: 9827ff3cdf4b83f9c86354606736ca9c
SHA1: e73d73f42bb2a310f03eb1bcbb22be2b8eb7c723
SHA256: c1cf3dc8fa1c7fc00f88e07ad539979b3706ca8d69223cffd1d58bc8f521f63a
SHA512: 8261828d55f3b5134c0aeb98311c04e20c5395d4347251746f3be0fb854f36cc7e118713cd00c9867537e6e47d5e71f2b2384fc00c67f0ae1b285b8310321579

Filesize: 1.0MB
MD5: c8199355d0ca0fe289ea4d1ee018ff47
SHA1: ac0428f426c0bda431bd80f6abab183ccd484d07
SHA256: 127262efb50609596b0597f1f357d75ff1dca0a0519fd8805d4fac1b288abae7
SHA512: 0f1f70ef0bbfa75b53a57549ef170d493b2706bbb8c41c2288fb831ace0dce902e6b9fa97834baf4b0adaa995df3767318055ad43b5bd366bbe257678f1da395