Analysis

max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 08-05-2024 07:41

Static task: static1
Behavioral task: behavioral1
Sample: 23dc2a640442410ae6c23a73c2e2ae52_JaffaCakes118.exe
Resource: win7-20231129-en

General

Target: 23dc2a640442410ae6c23a73c2e2ae52_JaffaCakes118.exe
Size: 448KB
MD5: 23dc2a640442410ae6c23a73c2e2ae52
SHA1: 9933e0318d92fd2759068df828158e59035310c6
SHA256: bccde349905fcc2c6c393e3f8664d37e640fbd8ec43fbdf47ab899fe8b443344
SHA512: feb7bc136c8d08ac370f51e55b63a0fb595f59521fea3fc00eb2e7742e8368b26ecf1363d8030e96552333f7252e5f0ce6e6fec7b88e1c99caa3c59776d92a46
SSDEEP: 6144:kKUuubOrWe8ohBkSxZKx95h2ktgZHcNOEcG5WpJvpc22:kUuGmohBdKz5h2kO8cVGMpJRM
Malware Config

Extracted: formbook 3.9
ts:
Signatures

Formbook payload (1 IoC)
  resource | yara_rule
  behavioral1/memory/1600-5-0x0000000000400000-0x000000000042A000-memory.dmp | formbook

Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 2352 set thread context of 1600 | 2352 | 23dc2a640442410ae6c23a73c2e2ae52_JaffaCakes118.exe | 23dc2a640442410ae6c23a73c2e2ae52_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid | process
  1600 | 23dc2a640442410ae6c23a73c2e2ae52_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | process
  2352 | 23dc2a640442410ae6c23a73c2e2ae52_JaffaCakes118.exe
  2352 | 23dc2a640442410ae6c23a73c2e2ae52_JaffaCakes118.exe

Suspicious use of SendNotifyMessage (2 IoCs)
  pid | process
  2352 | 23dc2a640442410ae6c23a73c2e2ae52_JaffaCakes118.exe
  2352 | 23dc2a640442410ae6c23a73c2e2ae52_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid | process
  2352 | 23dc2a640442410ae6c23a73c2e2ae52_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | process | target process
  PID 2352 wrote to memory of 1600 | 2352 | 23dc2a640442410ae6c23a73c2e2ae52_JaffaCakes118.exe | 23dc2a640442410ae6c23a73c2e2ae52_JaffaCakes118.exe
  PID 2352 wrote to memory of 1600 | 2352 | 23dc2a640442410ae6c23a73c2e2ae52_JaffaCakes118.exe | 23dc2a640442410ae6c23a73c2e2ae52_JaffaCakes118.exe
  PID 2352 wrote to memory of 1600 | 2352 | 23dc2a640442410ae6c23a73c2e2ae52_JaffaCakes118.exe | 23dc2a640442410ae6c23a73c2e2ae52_JaffaCakes118.exe
  PID 2352 wrote to memory of 1600 | 2352 | 23dc2a640442410ae6c23a73c2e2ae52_JaffaCakes118.exe | 23dc2a640442410ae6c23a73c2e2ae52_JaffaCakes118.exe
  PID 2352 wrote to memory of 1600 | 2352 | 23dc2a640442410ae6c23a73c2e2ae52_JaffaCakes118.exe | 23dc2a640442410ae6c23a73c2e2ae52_JaffaCakes118.exe
  PID 2352 wrote to memory of 1600 | 2352 | 23dc2a640442410ae6c23a73c2e2ae52_JaffaCakes118.exe | 23dc2a640442410ae6c23a73c2e2ae52_JaffaCakes118.exe
  PID 2352 wrote to memory of 1600 | 2352 | 23dc2a640442410ae6c23a73c2e2ae52_JaffaCakes118.exe | 23dc2a640442410ae6c23a73c2e2ae52_JaffaCakes118.exe
  PID 2352 wrote to memory of 1600 | 2352 | 23dc2a640442410ae6c23a73c2e2ae52_JaffaCakes118.exe | 23dc2a640442410ae6c23a73c2e2ae52_JaffaCakes118.exe
Processes

C:\Users\Admin\AppData\Local\Temp\23dc2a640442410ae6c23a73c2e2ae52_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\23dc2a640442410ae6c23a73c2e2ae52_JaffaCakes118.exe"
  PID: 2352
  - Suspicious use of SetThreadContext
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\23dc2a640442410ae6c23a73c2e2ae52_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\23dc2a640442410ae6c23a73c2e2ae52_JaffaCakes118.exe"
    PID: 1600
    - Suspicious behavior: EnumeratesProcesses