Analysis
- max time kernel: 138s
- max time network: 125s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-05-2024 17:34
- Static task: static1
- Behavioral task: behavioral1
- Sample: 1d9d946599bbe47314f6dfa89f1c6e77_JaffaCakes118.exe
- Resource: win7-20240419-en
General
- Target: 1d9d946599bbe47314f6dfa89f1c6e77_JaffaCakes118.exe
- Size: 681KB
- MD5: 1d9d946599bbe47314f6dfa89f1c6e77
- SHA1: 7bbdeb9670c8dc3a4f529b41b88cdd0900acad00
- SHA256: 15af9bb36b7a51efea7ab70d98a29ef7059f4f5b7178fef0aaff0671bf6c9386
- SHA512: 667d49dbd33d8e62da14ec03d1b138fee8df6ca580112e81437225bce9be3853d4485922f902206412342dede766140b44bfe718e6b567ff5ed75f6cd6e675cd
- SSDEEP: 12288:SY2SRgOu9uO2dm4rqoXa3p1nirvopIBP8A1cNChQS0Vc:SxSJvObTV37irvopI1rVR
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: 3nk4
Signatures
- Formbook payload (1 IoC)
  Processes:
  - resource: behavioral2/memory/3512-4-0x0000000000400000-0x000000000042E000-memory.dmp, yara_rule: formbook
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  - PID 4648 (1d9d946599bbe47314f6dfa89f1c6e77_JaffaCakes118.exe) set thread context of PID 3512 (1d9d946599bbe47314f6dfa89f1c6e77_JaffaCakes118.exe)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  - PID 4648 1d9d946599bbe47314f6dfa89f1c6e77_JaffaCakes118.exe
  - PID 4648 1d9d946599bbe47314f6dfa89f1c6e77_JaffaCakes118.exe
  - PID 3512 1d9d946599bbe47314f6dfa89f1c6e77_JaffaCakes118.exe
  - PID 3512 1d9d946599bbe47314f6dfa89f1c6e77_JaffaCakes118.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
  - PID 4648 1d9d946599bbe47314f6dfa89f1c6e77_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  - PID 4648 (1d9d946599bbe47314f6dfa89f1c6e77_JaffaCakes118.exe) wrote to memory of PID 3512 (1d9d946599bbe47314f6dfa89f1c6e77_JaffaCakes118.exe)
  - PID 4648 (1d9d946599bbe47314f6dfa89f1c6e77_JaffaCakes118.exe) wrote to memory of PID 3512 (1d9d946599bbe47314f6dfa89f1c6e77_JaffaCakes118.exe)
  - PID 4648 (1d9d946599bbe47314f6dfa89f1c6e77_JaffaCakes118.exe) wrote to memory of PID 3512 (1d9d946599bbe47314f6dfa89f1c6e77_JaffaCakes118.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\1d9d946599bbe47314f6dfa89f1c6e77_JaffaCakes118.exe (PID 4648, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1d9d946599bbe47314f6dfa89f1c6e77_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\1d9d946599bbe47314f6dfa89f1c6e77_JaffaCakes118.exe (PID 3512, depth 2, child of PID 4648)
    Command line: "C:\Users\Admin\AppData\Local\Temp\1d9d946599bbe47314f6dfa89f1c6e77_JaffaCakes118.exe"
    - Suspicious behavior: EnumeratesProcesses