Analysis
-
max time kernel
134s -
max time network
101s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
07-05-2024 11:42
Static task
static1
Behavioral task
behavioral1
Sample
2076f3389e743659dcb4daef802479f3_JaffaCakes118.exe
Resource
win7-20240221-en
General
-
Target
2076f3389e743659dcb4daef802479f3_JaffaCakes118.exe
-
Size
412KB
-
MD5
2076f3389e743659dcb4daef802479f3
-
SHA1
e29db627de75b18e61fcaa452b44b6609def8cb7
-
SHA256
faf0518430f6333ff6fe2e3c51bb69cd3a1be29511aaa8b568b96945b4ff18ed
-
SHA512
828fa0929acb64f78c46476121c2053c32ee682f812fa23f98ccd9143facba38230cd0da04bef5f81935c8791bae5605a38b05e2f45586be0ff1e3370e4b4811
-
SSDEEP
6144:u07TDvqyS2EEBFH0WbMtg9mOYm/k+M84bCQM8475:xTDvq1C5XQq9mOr/k+M8Pd84
Malware Config
Extracted
formbook
3.9
cu
szmsdwl.com
sansurftowntesting.rocks
mixingtheworld.com
jagadhribartanbhandar.com
albanypieshop.com
tago.ltd
lmwellnessgroup.com
xn--vb0bj6jvrexvt.com
180pe.com
1l1threecome.men
visualgraphicarts.science
ecofitlife.com
kearneygeneralcontracting.com
stmarysbandclub.info
jinshucaijing.com
mariahdawson.com
tophoteluniverse.com
yastudent.com
fastrautoservice.com
fslgt.com
alexandertopalov.com
88biffaa.com
i9magistralshop.com
xn--djr21gdtc118h.com
adsactly.review
jcustomfab.com
fitnesswellnessmind.com
zackwilliamsphotography.com
nguoitinhtuyetvoi.com
chihoukara.com
manrrs.net
axetennisexport.com
waptudes.com
urnesserenite.com
nightreaderspress.com
www0080f.com
giuseppesitalianice.com
fitnious.com
xn--fiq4eu8y9s1aqs3b3rk.com
translatediplomas.com
meimeilaiya.com
myseedmyway.com
fatskidoo.com
companysafety-security.com
hgw2014.com
chinaliuwei.com
puromusica.online
gggav98981.com
vancouveroralsurgeons.com
forsharedoc.com
vernanirappresentanze.com
leachbi.com
downyer.com
hot-jewel.com
brindleroasters.com
cowfian.top
zonabistro.com
kocabasauto.com
tpsferiacom.com
eiseza.download
179aa9.com
reverendgabby.com
guiasexocanarias.com
xn--astucesdegrandmre-6sb.com
ajexin.com
Signatures
-
Formbook payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/4680-8-0x0000000000400000-0x0000000000467000-memory.dmp formbook -
Drops file in Windows directory 2 IoCs
Processes:
2076f3389e743659dcb4daef802479f3_JaffaCakes118.exe2076f3389e743659dcb4daef802479f3_JaffaCakes118.exedescription ioc process File opened for modification C:\Windows\win.ini 2076f3389e743659dcb4daef802479f3_JaffaCakes118.exe File opened for modification C:\Windows\win.ini 2076f3389e743659dcb4daef802479f3_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
2076f3389e743659dcb4daef802479f3_JaffaCakes118.exepid process 4680 2076f3389e743659dcb4daef802479f3_JaffaCakes118.exe 4680 2076f3389e743659dcb4daef802479f3_JaffaCakes118.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
2076f3389e743659dcb4daef802479f3_JaffaCakes118.exe2076f3389e743659dcb4daef802479f3_JaffaCakes118.exepid process 4848 2076f3389e743659dcb4daef802479f3_JaffaCakes118.exe 4680 2076f3389e743659dcb4daef802479f3_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
2076f3389e743659dcb4daef802479f3_JaffaCakes118.exedescription pid process target process PID 4848 wrote to memory of 4680 4848 2076f3389e743659dcb4daef802479f3_JaffaCakes118.exe 2076f3389e743659dcb4daef802479f3_JaffaCakes118.exe PID 4848 wrote to memory of 4680 4848 2076f3389e743659dcb4daef802479f3_JaffaCakes118.exe 2076f3389e743659dcb4daef802479f3_JaffaCakes118.exe PID 4848 wrote to memory of 4680 4848 2076f3389e743659dcb4daef802479f3_JaffaCakes118.exe 2076f3389e743659dcb4daef802479f3_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2076f3389e743659dcb4daef802479f3_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\2076f3389e743659dcb4daef802479f3_JaffaCakes118.exe"1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4848 -
C:\Users\Admin\AppData\Local\Temp\2076f3389e743659dcb4daef802479f3_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\2076f3389e743659dcb4daef802479f3_JaffaCakes118.exe"2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4680
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
123B
MD56bf517432f65eb7f0d18d574bf14124c
SHA15b9f37c1dd1318ebbec3bd2f07c109eb9d22c727
SHA2566e2b70dfccabf3cc651545676a3a566c9cfae03f15f772886646abce1da35b46
SHA5127b0cb8c20034585ec8bf4b45eda5eda5993a56e24931a7426dc5a9f081ec1f82545f3e26a48a4df885c8691fc6e8026d0808aebe3cc3358ba85ddca08ac4cb06