General

Target: 268afc68ac43d35ebd367d49433f0e37_JaffaCakes118
Size: 616KB
Sample: 240508-y1p1esdd8z
MD5: 268afc68ac43d35ebd367d49433f0e37
SHA1: fdb5f6dd1e6194e439ab2380ed2cb49c0184a34a
SHA256: 5eec2983e5ade0317c7380df23c6e70e4cdae38bfd39c27668b982b787b1c40c
SHA512: 6b732ed56e428500deb390b0f6317c70f925a24ec572b9b076f78080dfdb19789cc987356b569aae2d472780e604fd55d0efca071e26f0d3dfea0a5e2383b65f
SSDEEP: 6144:7mGJqJqBQv2LZA52ewOm/UroZnsEZ5wqvWcQCnB5aMkY+LqEemje3Gs73KeJK:7mOaGLtec/KoJL7xBBOimje2sDKeJK
Static task: static1
Behavioral task: behavioral1
  Sample: 268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe
  Resource: win10v2004-20240426-en
Malware Config

Extracted: formbook
Version: 3.8
Domains (a Formbook config carries one live C2 mixed into a block of decoy domains, so treat each entry below as a low-confidence indicator rather than blocklisting the whole list as C2):
13s9.com
stayingcentred.com
cravastudios.com
yukilegal.com
895manbet.com
bf1tdesign.com
jakeandjackie.com
squisita.online
nuoya68888.com
bizkaibus.live
pupnpints.com
bigflew.online
researchinabox.com
tenerifediscounts.com
spookyshoppe.com
huipai-trade.com
beroar.com
readysetshot.com
veggie.fyi
findworkjobsonline.com
marketingdigitaljuridico.com
doamininbest.win
vigeoinvest.com
guernseyskydive.com
rockheadjones.faith
onlineorderbioreg.com
coralantonio.win
outdoorvocies.com
blackboxtv.info
insectno.com
mriconstructioninc.net
mortgagebrokerservice.com
742sss.com
jiza.ltd
fusionimports-exports.com
rpmautocarellc.com
yoninkazoku.com
libertylauren.info
judi.ltd
americantruckshowcircuit.com
glf.life
supertutorialespc.com
livinginlemons.com
qk745.com
nekojitablog.com
rebuildparadise.info
lagana.online
paragon.construction
accrenew-jpjembtuz378102.com
ingridpress.com
1024aaaw.info
xnr168.com
parsesites.com
servejam.com
jacksonfragile.win
hnltqcxs.com
crystal-lang.com
eatcalmare.com
7600k.com
coinett.com
1212dl.com
anhdaonails-spa.com
intimus.online
chimabang.com
mudscript.com
Extracted: pony
C2 (gate): http://tolain.ru/tola/gate.php
payload_url: http://myp0nysite.ru/shit.exe
Targets

Target: 268afc68ac43d35ebd367d49433f0e37_JaffaCakes118 (616KB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)
- Formbook payload
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate installed software.
- Suspicious use of SetThreadContext: commonly seen when a process injects code into a suspended process and redirects a thread to it (process hollowing).
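Added example, not part of the sandbox report or of either malware family's tooling: a Python matcher that runs the extracted network indicators (the Pony gate and payload URL, plus the first few Formbook domains) and the behaviour signatures above over constructed host events. The registry key paths are assumptions about what each sandbox signature keys on; the report names only the behaviours, not the keys. The event lines are constructed for this example.

```python
# Added example (not part of the sandbox report): turn the report's extracted
# indicators and behaviour signatures into a small matcher that can be run
# over host telemetry. All event lines are constructed for this example, and
# the registry paths are my assumptions about what each signature keys on;
# the report itself names only the behaviour, not the key.
import re
from urllib.parse import urlparse

# Indicators copied from the extracted configs above.
PONY_C2_GATE = "http://tolain.ru/tola/gate.php"
PONY_PAYLOAD_URL = "http://myp0nysite.ru/shit.exe"
# First entries of the Formbook 3.8 domain list (extend with the full list).
# A Formbook config mixes one live C2 into a block of decoys, so a hit here
# is a low-confidence lead, not proof of C2 traffic.
FORMBOOK_DOMAINS = {
    "13s9.com", "stayingcentred.com", "cravastudios.com", "yukilegal.com",
    "895manbet.com", "bf1tdesign.com", "jakeandjackie.com", "squisita.online",
}

# (behaviour from the report, registry action, ASSUMED key pattern)
REGISTRY_RULES = [
    ("Checks computer location settings", "query",
     re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)),
    ("Checks installed software on the system", "query",
     re.compile(r"\\Windows\\CurrentVersion\\Uninstall\\", re.I)),
    ("Accesses Microsoft Outlook profiles", "query",
     re.compile(r"\\Outlook\\Profiles\\", re.I)),
    ("Adds Run key to start application", "set",
     re.compile(r"\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)),
]

HIGH_CONFIDENCE_HOSTS = {
    urlparse(PONY_C2_GATE).hostname: "pony C2 gate",
    urlparse(PONY_PAYLOAD_URL).hostname: "pony payload_url",
}


def classify_registry(event):
    """Map a registry event to the report behaviour it matches, or None."""
    for behaviour, action, pattern in REGISTRY_RULES:
        if event["action"] == action and pattern.search(event["path"]):
            return behaviour
    return None


def parent_domains(name):
    """'www.13s9.com' -> ['www.13s9.com', '13s9.com'] (bare TLD excluded)."""
    parts = name.lower().rstrip(".").split(".")
    return [".".join(parts[i:]) for i in range(len(parts) - 1)]


def classify_dns(query):
    """Return (confidence, label) for a queried name, or None."""
    for name in parent_domains(query):
        if name in HIGH_CONFIDENCE_HOSTS:
            return ("high", HIGH_CONFIDENCE_HOSTS[name])
        if name in FORMBOOK_DOMAINS:
            return ("low", "formbook domain list (may be a decoy)")
    return None


def analyze(events):
    """Run both matchers over a list of event dicts."""
    behaviours, network = [], []
    for ev in events:
        if ev["type"] == "registry":
            hit = classify_registry(ev)
            if hit and hit not in behaviours:
                behaviours.append(hit)
        elif ev["type"] == "dns":
            hit = classify_dns(ev["query"])
            if hit:
                network.append((ev["query"],) + hit)
    return {"behaviours": behaviours, "network": network}


# Constructed telemetry, shaped like a generic EDR/sandbox event stream.
SAMPLE_EVENTS = [
    {"type": "registry", "action": "query",
     "path": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "registry", "action": "query",
     "path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"},
    {"type": "registry", "action": "query",
     "path": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"},
    {"type": "registry", "action": "set",
     "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"type": "registry", "action": "query",  # benign, should not match
     "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"},
    {"type": "dns", "query": "tolain.ru"},
    {"type": "dns", "query": "www.13s9.com"},
    {"type": "dns", "query": "example.com"},  # should not match
]

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EVENTS).items():
        print(key, value)
```

The two indicator tiers are deliberate: the Pony gate and payload hosts come from a config field that names them as the C2 and download location, so a DNS hit on them is worth an alert on its own, while a Formbook domain hit only earns a look because most of that list is decoys. Widen `REGISTRY_RULES` (for example to RunOnce or to the older Windows Messaging Subsystem profile key) once you have confirmed which keys the sample actually touched.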