Analysis
-
max time kernel
121s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
07-05-2024 11:42
Static task
static1
Behavioral task
behavioral1
Sample
2076f3389e743659dcb4daef802479f3_JaffaCakes118.exe
Resource
win7-20240221-en
General
-
Target
2076f3389e743659dcb4daef802479f3_JaffaCakes118.exe
-
Size
412KB
-
MD5
2076f3389e743659dcb4daef802479f3
-
SHA1
e29db627de75b18e61fcaa452b44b6609def8cb7
-
SHA256
faf0518430f6333ff6fe2e3c51bb69cd3a1be29511aaa8b568b96945b4ff18ed
-
SHA512
828fa0929acb64f78c46476121c2053c32ee682f812fa23f98ccd9143facba38230cd0da04bef5f81935c8791bae5605a38b05e2f45586be0ff1e3370e4b4811
-
SSDEEP
6144:u07TDvqyS2EEBFH0WbMtg9mOYm/k+M84bCQM8475:xTDvq1C5XQq9mOr/k+M8Pd84
Malware Config
Extracted
formbook
3.9
cu
szmsdwl.com
sansurftowntesting.rocks
mixingtheworld.com
jagadhribartanbhandar.com
albanypieshop.com
tago.ltd
lmwellnessgroup.com
xn--vb0bj6jvrexvt.com
180pe.com
1l1threecome.men
visualgraphicarts.science
ecofitlife.com
kearneygeneralcontracting.com
stmarysbandclub.info
jinshucaijing.com
mariahdawson.com
tophoteluniverse.com
yastudent.com
fastrautoservice.com
fslgt.com
alexandertopalov.com
88biffaa.com
i9magistralshop.com
xn--djr21gdtc118h.com
adsactly.review
jcustomfab.com
fitnesswellnessmind.com
zackwilliamsphotography.com
nguoitinhtuyetvoi.com
chihoukara.com
manrrs.net
axetennisexport.com
waptudes.com
urnesserenite.com
nightreaderspress.com
www0080f.com
giuseppesitalianice.com
fitnious.com
xn--fiq4eu8y9s1aqs3b3rk.com
translatediplomas.com
meimeilaiya.com
myseedmyway.com
fatskidoo.com
companysafety-security.com
hgw2014.com
chinaliuwei.com
puromusica.online
gggav98981.com
vancouveroralsurgeons.com
forsharedoc.com
vernanirappresentanze.com
leachbi.com
downyer.com
hot-jewel.com
brindleroasters.com
cowfian.top
zonabistro.com
kocabasauto.com
tpsferiacom.com
eiseza.download
179aa9.com
reverendgabby.com
guiasexocanarias.com
xn--astucesdegrandmre-6sb.com
ajexin.com
Signatures
-
Formbook payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/820-9-0x0000000000400000-0x0000000000467000-memory.dmp formbook -
Suspicious use of SetThreadContext 1 IoCs
Processes:
2076f3389e743659dcb4daef802479f3_JaffaCakes118.exedescription pid process target process PID 2984 set thread context of 820 2984 2076f3389e743659dcb4daef802479f3_JaffaCakes118.exe 2076f3389e743659dcb4daef802479f3_JaffaCakes118.exe -
Drops file in Windows directory 2 IoCs
Processes:
2076f3389e743659dcb4daef802479f3_JaffaCakes118.exe2076f3389e743659dcb4daef802479f3_JaffaCakes118.exedescription ioc process File opened for modification C:\Windows\win.ini 2076f3389e743659dcb4daef802479f3_JaffaCakes118.exe File opened for modification C:\Windows\win.ini 2076f3389e743659dcb4daef802479f3_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
2076f3389e743659dcb4daef802479f3_JaffaCakes118.exepid process 820 2076f3389e743659dcb4daef802479f3_JaffaCakes118.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
2076f3389e743659dcb4daef802479f3_JaffaCakes118.exe2076f3389e743659dcb4daef802479f3_JaffaCakes118.exepid process 2984 2076f3389e743659dcb4daef802479f3_JaffaCakes118.exe 820 2076f3389e743659dcb4daef802479f3_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
2076f3389e743659dcb4daef802479f3_JaffaCakes118.exedescription pid process target process PID 2984 wrote to memory of 820 2984 2076f3389e743659dcb4daef802479f3_JaffaCakes118.exe 2076f3389e743659dcb4daef802479f3_JaffaCakes118.exe PID 2984 wrote to memory of 820 2984 2076f3389e743659dcb4daef802479f3_JaffaCakes118.exe 2076f3389e743659dcb4daef802479f3_JaffaCakes118.exe PID 2984 wrote to memory of 820 2984 2076f3389e743659dcb4daef802479f3_JaffaCakes118.exe 2076f3389e743659dcb4daef802479f3_JaffaCakes118.exe PID 2984 wrote to memory of 820 2984 2076f3389e743659dcb4daef802479f3_JaffaCakes118.exe 2076f3389e743659dcb4daef802479f3_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2076f3389e743659dcb4daef802479f3_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\2076f3389e743659dcb4daef802479f3_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Users\Admin\AppData\Local\Temp\2076f3389e743659dcb4daef802479f3_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\2076f3389e743659dcb4daef802479f3_JaffaCakes118.exe"2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:820
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
509B
MD5d2a2412bddba16d60ec63bd9550d933f
SHA1deb3d3bdc9055f0b4909b31d3048446848fae0e1
SHA25679ff2254e38192be1626d05bec6c82e10c85e1cf91df7440c4c443380a1e877a
SHA5128fecada107f72e59e43a689eeb8e2e18fa6134d0941c122025ed5bd00e5eab8114d7125bd289505be75641385a0c3f112d402c693f142c3ddc870d5fa8116e31