Analysis
max time kernel: 138s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-05-2024 22:36

Behavioral task: behavioral1
Sample: 1e96b55fdd95824b3f3c5f2156be44c5_JaffaCakes118.exe
Resource: win7-20240419-en

General
Target: 1e96b55fdd95824b3f3c5f2156be44c5_JaffaCakes118.exe
Size: 1.2MB
MD5: 1e96b55fdd95824b3f3c5f2156be44c5
SHA1: 5ec468430b06c8a3c43f8ee20fb8a1ef5e41241f
SHA256: caf8a53c2a1bbc6169474702cd71a047176f4e4c78244e2a1c2a82352ca97c25
SHA512: e4f6aa43af7ccef63549438e514260c3d4381119c3a5f0991c23e91117803eb69072e8ad99afe3a3d5b638ffacc8ba35eefd688ba379dfcc2392731cb9b53a54
SSDEEP: 12288:oFpvKqiiQwvG9a9xl4JQ5+xa+3Ao1QdiLD/XG:CpvzQO9fMQ54azo1QALbG
Malware Config
Extracted: formbook 4.1 hx232
Signatures

Formbook payload (10 IoCs)
resource  yara_rule
behavioral2/memory/3092-1-0x0000000000E40000-0x0000000000F7E000-memory.dmp  formbook
behavioral2/memory/1940-12-0x0000000000400000-0x000000000048E000-memory.dmp  formbook
behavioral2/memory/1940-27-0x0000000000400000-0x000000000048E000-memory.dmp  formbook
behavioral2/memory/1940-34-0x0000000000400000-0x000000000048E000-memory.dmp  formbook
behavioral2/memory/1940-32-0x0000000000400000-0x000000000048E000-memory.dmp  formbook
behavioral2/memory/1940-31-0x0000000000400000-0x000000000048E000-memory.dmp  formbook
behavioral2/memory/1940-28-0x0000000000400000-0x000000000048E000-memory.dmp  formbook
behavioral2/memory/1940-25-0x0000000000400000-0x000000000048E000-memory.dmp  formbook
behavioral2/memory/1940-23-0x0000000000400000-0x000000000048E000-memory.dmp  formbook
behavioral2/memory/4348-43-0x0000000000580000-0x00000000005AD000-memory.dmp  formbook
Executes dropped EXE (2 IoCs)
pid  process
1940  InstallUtil.exe
4348  RegAsm.exe
Suspicious use of SetThreadContext (2 IoCs)
description  pid  process  target process
PID 3092 set thread context of 1940  3092  1e96b55fdd95824b3f3c5f2156be44c5_JaffaCakes118.exe  InstallUtil.exe
PID 1940 set thread context of 4348  1940  InstallUtil.exe  RegAsm.exe
Program crash (1 IoC)
pid  pid_target  process  target process
3776  4348  WerFault.exe  RegAsm.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid  process
3092  1e96b55fdd95824b3f3c5f2156be44c5_JaffaCakes118.exe
3092  1e96b55fdd95824b3f3c5f2156be44c5_JaffaCakes118.exe
3092  1e96b55fdd95824b3f3c5f2156be44c5_JaffaCakes118.exe
1940  InstallUtil.exe
1940  InstallUtil.exe
1940  InstallUtil.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description  pid  process
Token: SeDebugPrivilege  3092  1e96b55fdd95824b3f3c5f2156be44c5_JaffaCakes118.exe
Token: SeDebugPrivilege  1940  InstallUtil.exe
Suspicious use of WriteProcessMemory (14 IoCs)
description  pid  process  target process
PID 3092 wrote to memory of 1940  3092  1e96b55fdd95824b3f3c5f2156be44c5_JaffaCakes118.exe  InstallUtil.exe
PID 3092 wrote to memory of 1940  3092  1e96b55fdd95824b3f3c5f2156be44c5_JaffaCakes118.exe  InstallUtil.exe
PID 3092 wrote to memory of 1940  3092  1e96b55fdd95824b3f3c5f2156be44c5_JaffaCakes118.exe  InstallUtil.exe
PID 3092 wrote to memory of 1940  3092  1e96b55fdd95824b3f3c5f2156be44c5_JaffaCakes118.exe  InstallUtil.exe
PID 3092 wrote to memory of 1940  3092  1e96b55fdd95824b3f3c5f2156be44c5_JaffaCakes118.exe  InstallUtil.exe
PID 3092 wrote to memory of 1940  3092  1e96b55fdd95824b3f3c5f2156be44c5_JaffaCakes118.exe  InstallUtil.exe
PID 3092 wrote to memory of 1940  3092  1e96b55fdd95824b3f3c5f2156be44c5_JaffaCakes118.exe  InstallUtil.exe
PID 3092 wrote to memory of 1940  3092  1e96b55fdd95824b3f3c5f2156be44c5_JaffaCakes118.exe  InstallUtil.exe
PID 1940 wrote to memory of 4348  1940  InstallUtil.exe  RegAsm.exe
PID 1940 wrote to memory of 4348  1940  InstallUtil.exe  RegAsm.exe
PID 1940 wrote to memory of 4348  1940  InstallUtil.exe  RegAsm.exe
PID 1940 wrote to memory of 4348  1940  InstallUtil.exe  RegAsm.exe
PID 1940 wrote to memory of 4348  1940  InstallUtil.exe  RegAsm.exe
PID 1940 wrote to memory of 4348  1940  InstallUtil.exe  RegAsm.exe
Processes

C:\Users\Admin\AppData\Local\Temp\1e96b55fdd95824b3f3c5f2156be44c5_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1e96b55fdd95824b3f3c5f2156be44c5_JaffaCakes118.exe"
  PID: 3092
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
    PID: 1940
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"
      PID: 4348
      - Executes dropped EXE

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 540
        PID: 3776
        - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4348 -ip 4348
  PID: 4060
Downloads

File 1
Filesize: 41KB
MD5: 5d4073b2eb6d217c19f2b22f21bf8d57
SHA1: f0209900fbf08d004b886a0b3ba33ea2b0bf9da8
SHA256: ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3
SHA512: 9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

File 2
Filesize: 63KB
MD5: 0d5df43af2916f47d00c1573797c1a13
SHA1: 230ab5559e806574d26b4c20847c368ed55483b0
SHA256: c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc
SHA512: f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2