Analysis
max time kernel: 150s
max time network: 120s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 06-05-2024 22:36
Behavioral task: behavioral1
Sample: 1e96b55fdd95824b3f3c5f2156be44c5_JaffaCakes118.exe
Resource: win7-20240419-en
General
Target: 1e96b55fdd95824b3f3c5f2156be44c5_JaffaCakes118.exe
Size: 1.2MB
MD5: 1e96b55fdd95824b3f3c5f2156be44c5
SHA1: 5ec468430b06c8a3c43f8ee20fb8a1ef5e41241f
SHA256: caf8a53c2a1bbc6169474702cd71a047176f4e4c78244e2a1c2a82352ca97c25
SHA512: e4f6aa43af7ccef63549438e514260c3d4381119c3a5f0991c23e91117803eb69072e8ad99afe3a3d5b638ffacc8ba35eefd688ba379dfcc2392731cb9b53a54
SSDEEP: 12288:oFpvKqiiQwvG9a9xl4JQ5+xa+3Ao1QdiLD/XG:CpvzQO9fMQ54azo1QALbG
Malware Config
Extracted
formbook
4.1
hx232
kcmjdgf.com
live2attain.com
constellationgalaxy.com
anyandallpodcasts.com
ahsapfuarstandi.com
apoif.com
jointeambrandyn.com
thelifeof2kand1q.com
zhmzwhy.com
ilovefloattanks.com
thirdeyeproductionstep.com
karasing.online
bpyvyx.online
dingdingjiaoche.com
mrotcl.net
chargetimely.com
meesthetic.com
absence.ltd
zj-training.com
gzgpc07.com
bocebd.com
from-the-sea-music.com
3bbx.loan
peartreelettings.com
thinkingbicycle.com
shiftpays.com
maresmexico.com
ryrcontructionllc.com
xn--jlqv3me1rvfay6z204e.net
dappinsider.com
jjtx8.com
zhenlipai.com
violetletters.com
linkkashowhangdep.com
tobusinessall.com
whenshitgetswestern.com
thetelecommutingkenyan.com
raydiancedangerfield.com
dhykjm.com
dasschlafwerk.com
thespanishsenora.com
xxwdtw.info
4o74wx7.info
pankajundale.com
automowermi.com
yunshangyitui.com
isbankasigiriis.com
sydneecaldwell.com
njraffle.com
annadave.com
yanktonmotor.com
mart4.com
essayotet.accountant
putintopractice.info
emirates-gulf.com
apk4down.com
handy-test.online
lzweibang.com
restoryver.win
avrupayakargo.com
droch.men
car2street.com
newcarsapproved.com
bbeyondwords.com
regulars5.info
Signatures

Formbook payload (16 IoCs)
Processes (resource, yara_rule):
  behavioral1/memory/2284-1-0x0000000001140000-0x000000000127E000-memory.dmp  formbook
  behavioral1/memory/2748-18-0x0000000000400000-0x000000000048E000-memory.dmp  formbook
  behavioral1/memory/2748-16-0x0000000000400000-0x000000000048E000-memory.dmp  formbook
  behavioral1/memory/2748-21-0x0000000000400000-0x000000000048E000-memory.dmp  formbook
  behavioral1/memory/2748-24-0x0000000000400000-0x000000000048E000-memory.dmp  formbook
  behavioral1/memory/2748-47-0x0000000000400000-0x000000000048E000-memory.dmp  formbook
  behavioral1/memory/2748-45-0x0000000000400000-0x000000000048E000-memory.dmp  formbook
  behavioral1/memory/2748-44-0x0000000000400000-0x000000000048E000-memory.dmp  formbook
  behavioral1/memory/2748-41-0x0000000000400000-0x000000000048E000-memory.dmp  formbook
  behavioral1/memory/2748-40-0x0000000000400000-0x000000000048E000-memory.dmp  formbook
  behavioral1/memory/2748-38-0x0000000000400000-0x000000000048E000-memory.dmp  formbook
  behavioral1/memory/2748-36-0x0000000000400000-0x000000000048E000-memory.dmp  formbook
  behavioral1/memory/2748-28-0x0000000000400000-0x000000000048E000-memory.dmp  formbook
  behavioral1/memory/3060-62-0x0000000000400000-0x000000000042D000-memory.dmp  formbook
  behavioral1/memory/3060-72-0x0000000000400000-0x000000000042D000-memory.dmp  formbook
  behavioral1/memory/3060-77-0x0000000000400000-0x000000000042D000-memory.dmp  formbook

Executes dropped EXE (2 IoCs)
Processes (pid, process):
  2748  InstallUtil.exe
  3060  RegAsm.exe

Loads dropped DLL (3 IoCs)
Processes (pid, process):
  2284  1e96b55fdd95824b3f3c5f2156be44c5_JaffaCakes118.exe
  2748  InstallUtil.exe
  3060  RegAsm.exe

Suspicious use of SetThreadContext (5 IoCs)
Processes (description; pid, process -> target process):
  PID 2284 set thread context of 2748; 2284 1e96b55fdd95824b3f3c5f2156be44c5_JaffaCakes118.exe -> InstallUtil.exe
  PID 2748 set thread context of 3060; 2748 InstallUtil.exe -> RegAsm.exe
  PID 3060 set thread context of 1188; 3060 RegAsm.exe -> Explorer.EXE
  PID 3060 set thread context of 1188; 3060 RegAsm.exe -> Explorer.EXE
  PID 1452 set thread context of 1188; 1452 cmstp.exe -> Explorer.EXE

Suspicious behavior: EnumeratesProcesses (25 IoCs)
Processes (pid, process; number of entries):
  2284  1e96b55fdd95824b3f3c5f2156be44c5_JaffaCakes118.exe  (3 entries)
  2748  InstallUtil.exe  (3 entries)
  3060  RegAsm.exe  (3 entries)
  1452  cmstp.exe  (16 entries)

Suspicious behavior: MapViewOfSection (6 IoCs)
Processes (pid, process; number of entries):
  3060  RegAsm.exe  (4 entries)
  1452  cmstp.exe  (2 entries)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes (description; pid, process):
  Token: SeDebugPrivilege; 2284 1e96b55fdd95824b3f3c5f2156be44c5_JaffaCakes118.exe
  Token: SeDebugPrivilege; 2748 InstallUtil.exe
  Token: SeDebugPrivilege; 3060 RegAsm.exe
  Token: SeDebugPrivilege; 1452 cmstp.exe

Suspicious use of WriteProcessMemory (33 IoCs)
Processes (description; pid, process -> target process; number of entries):
  PID 2284 wrote to memory of 2748; 2284 1e96b55fdd95824b3f3c5f2156be44c5_JaffaCakes118.exe -> InstallUtil.exe  (12 entries)
  PID 2748 wrote to memory of 3060; 2748 InstallUtil.exe -> RegAsm.exe  (10 entries)
  PID 3060 wrote to memory of 1452; 3060 RegAsm.exe -> cmstp.exe  (7 entries)
  PID 1452 wrote to memory of 2760; 1452 cmstp.exe -> cmd.exe  (4 entries)
Processes
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 1188
  C:\Users\Admin\AppData\Local\Temp\1e96b55fdd95824b3f3c5f2156be44c5_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\1e96b55fdd95824b3f3c5f2156be44c5_JaffaCakes118.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2284
    C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2748
      C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 3060
        C:\Windows\SysWOW64\cmstp.exe
          command line: "C:\Windows\SysWOW64\cmstp.exe"
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID: 1452
          C:\Windows\SysWOW64\cmd.exe
            command line: /c del "C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"
            PID: 2760
Downloads

Filesize: 40KB
MD5: 91c9ae9c9a17a9db5e08b120e668c74c
SHA1: 50770954c1ceb0bb6f1d5d3f2de2a0a065773723
SHA256: e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f
SHA512: ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Filesize: 63KB
MD5: b58b926c3574d28d5b7fdd2ca3ec30d5
SHA1: d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
SHA256: 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
SHA512: b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab