Analysis Overview
SHA256
5b8369fd8e0ee96e8a54151a110628c79df21ab82ef65910e92feb40afe1757b
Threat Level: Known bad
The file 2598ebf1b561402e5a4c9042514ac04d_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Formbook
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Program Files directory
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-08 15:54
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-08 15:54
Reported
2024-05-08 15:57
Platform
win7-20231129-en
Max time kernel
147s
Max time network
118s
Command Line
Signatures
Formbook
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\Desktop\Quote.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Quote.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Quote.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Quote = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Quote.txt \| cmd" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CookiesOZ7 = "C:\\Program Files (x86)\\Common Files\\IconCachebbc.com" | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1892 set thread context of 2720 | N/A | C:\Users\Admin\Desktop\Quote.exe | C:\Users\Admin\Desktop\Quote.exe |
| PID 2720 set thread context of 1376 | N/A | C:\Users\Admin\Desktop\Quote.exe | C:\Windows\Explorer.EXE |
| PID 2536 set thread context of 1376 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Program Files (x86)\Common Files\IconCachebbc.com | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\IconCachebbc.com | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\IconCachebbc.com | C:\Windows\SysWOW64\svchost.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \Registry\User\S-1-5-21-3627615824-4061627003-3019543961-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\Desktop\Quote.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Quote.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Quote.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2598ebf1b561402e5a4c9042514ac04d_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\Quote.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\Quote.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\2598ebf1b561402e5a4c9042514ac04d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2598ebf1b561402e5a4c9042514ac04d_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Users\Admin\Desktop\Quote.exe
"C:\Users\Admin\Desktop\Quote.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Quote" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Quote.txt" | cmd"
C:\Users\Admin\Desktop\Quote.exe
"C:\Users\Admin\Desktop\Quote.exe"
C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\Desktop\Quote.exe" "C:\Program Files (x86)\Common Files\IconCachebbc.com" /V
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\Desktop\Quote.exe"
Network
Files
C:\Users\Admin\Desktop\Quote.exe
| Hash | Value |
|---|---|
| MD5 | 2598ebf1b561402e5a4c9042514ac04d |
| SHA1 | a888bbd8d3c26c99e3eb49b3121d669c340687ec |
| SHA256 | 5b8369fd8e0ee96e8a54151a110628c79df21ab82ef65910e92feb40afe1757b |
| SHA512 | 5cc1ce18ef0242d6519055cf4cf1fa3300682a6a8ed77232135e178eeba457402dcafc747a26898e0d525a0b5ba57890b5472e62236fb4d5ef888020d3b644f0 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-08 15:54
Reported
2024-05-08 15:57
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Formbook
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\Desktop\Quote.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Quote.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Quote.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\colorcplS = "C:\\Program Files (x86)\\audiodghz74.cmd" | C:\Windows\SysWOW64\cscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Quote = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Quote.txt \| cmd" | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4160 set thread context of 3160 | N/A | C:\Users\Admin\Desktop\Quote.exe | C:\Users\Admin\Desktop\Quote.exe |
| PID 3160 set thread context of 3448 | N/A | C:\Users\Admin\Desktop\Quote.exe | C:\Windows\Explorer.EXE |
| PID 3432 set thread context of 3448 | N/A | C:\Windows\SysWOW64\cscript.exe | C:\Windows\Explorer.EXE |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Program Files (x86)\audiodghz74.cmd | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\audiodghz74.cmd | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\audiodghz74.cmd | C:\Windows\SysWOW64\cscript.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \Registry\User\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Windows\SysWOW64\cscript.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\Desktop\Quote.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Quote.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Quote.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2598ebf1b561402e5a4c9042514ac04d_JaffaCakes118.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\Quote.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\Quote.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\2598ebf1b561402e5a4c9042514ac04d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2598ebf1b561402e5a4c9042514ac04d_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Users\Admin\Desktop\Quote.exe
"C:\Users\Admin\Desktop\Quote.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Quote" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Quote.txt" | cmd"
C:\Users\Admin\Desktop\Quote.exe
"C:\Users\Admin\Desktop\Quote.exe"
C:\Users\Admin\Desktop\Quote.exe
"C:\Users\Admin\Desktop\Quote.exe"
C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\Desktop\Quote.exe" "C:\Program Files (x86)\audiodghz74.cmd" /V
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\Desktop\Quote.exe"
C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 52.111.229.43:443 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.179.89.13.in-addr.arpa | udp |
Files
C:\Users\Admin\Desktop\Quote.exe
| Hash | Value |
|---|---|
| MD5 | 2598ebf1b561402e5a4c9042514ac04d |
| SHA1 | a888bbd8d3c26c99e3eb49b3121d669c340687ec |
| SHA256 | 5b8369fd8e0ee96e8a54151a110628c79df21ab82ef65910e92feb40afe1757b |
| SHA512 | 5cc1ce18ef0242d6519055cf4cf1fa3300682a6a8ed77232135e178eeba457402dcafc747a26898e0d525a0b5ba57890b5472e62236fb4d5ef888020d3b644f0 |
C:\Users\Admin\AppData\Local\Temp\DB1
| Hash | Value |
|---|---|
| MD5 | 8f5942354d3809f865f9767eddf51314 |
| SHA1 | 20be11c0d42fc0cef53931ea9152b55082d1a11e |
| SHA256 | 776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea |
| SHA512 | fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218 |