Analysis
- max time kernel: 147s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 08-05-2024 20:15
Static task: static1
Behavioral task: behavioral1
  Sample: 268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe
  Resource: win10v2004-20240426-en
General
- Target: 268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe
- Size: 616KB
- MD5: 268afc68ac43d35ebd367d49433f0e37
- SHA1: fdb5f6dd1e6194e439ab2380ed2cb49c0184a34a
- SHA256: 5eec2983e5ade0317c7380df23c6e70e4cdae38bfd39c27668b982b787b1c40c
- SHA512: 6b732ed56e428500deb390b0f6317c70f925a24ec572b9b076f78080dfdb19789cc987356b569aae2d472780e604fd55d0efca071e26f0d3dfea0a5e2383b65f
- SSDEEP: 6144:7mGJqJqBQv2LZA52ewOm/UroZnsEZ5wqvWcQCnB5aMkY+LqEemje3Gs73KeJK:7mOaGLtec/KoJL7xBBOimje2sDKeJK
Malware Config

Extracted
- Family: formbook
- Version: 3.8
- Campaign: to
- Domains:
  13s9.com
  stayingcentred.com
  cravastudios.com
  yukilegal.com
  895manbet.com
  bf1tdesign.com
  jakeandjackie.com
  squisita.online
  nuoya68888.com
  bizkaibus.live
  pupnpints.com
  bigflew.online
  researchinabox.com
  tenerifediscounts.com
  spookyshoppe.com
  huipai-trade.com
  beroar.com
  readysetshot.com
  veggie.fyi
  findworkjobsonline.com
  marketingdigitaljuridico.com
  doamininbest.win
  vigeoinvest.com
  guernseyskydive.com
  rockheadjones.faith
  onlineorderbioreg.com
  coralantonio.win
  outdoorvocies.com
  blackboxtv.info
  insectno.com
  mriconstructioninc.net
  mortgagebrokerservice.com
  742sss.com
  jiza.ltd
  fusionimports-exports.com
  rpmautocarellc.com
  yoninkazoku.com
  libertylauren.info
  judi.ltd
  americantruckshowcircuit.com
  glf.life
  supertutorialespc.com
  livinginlemons.com
  qk745.com
  nekojitablog.com
  rebuildparadise.info
  lagana.online
  paragon.construction
  accrenew-jpjembtuz378102.com
  ingridpress.com
  1024aaaw.info
  xnr168.com
  parsesites.com
  servejam.com
  jacksonfragile.win
  hnltqcxs.com
  crystal-lang.com
  eatcalmare.com
  7600k.com
  coinett.com
  1212dl.com
  anhdaonails-spa.com
  intimus.online
  chimabang.com
  mudscript.com

Extracted
- Family: pony
- C2: http://tolain.ru/tola/gate.php
- payload_url: http://myp0nysite.ru/shit.exe
Signatures

Formbook payload (2 IoCs)
Processes (resource / yara_rule):
- \Users\Admin\AppData\Local\Temp\TOLAbin.exe / formbook
- behavioral1/memory/2548-26-0x0000000000D70000-0x0000000000D9A000-memory.dmp / formbook

Deletes itself (1 IoC)
Processes (pid / process):
- 2876 / cmd.exe

Executes dropped EXE (1 IoC)
Processes (pid / process):
- 2548 / TOLAbin.exe

Loads dropped DLL (2 IoCs)
Processes (pid / process):
- 2320 / 268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe
- 2320 / 268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
Processes (description / ioc / process):
- Key opened / \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts / 268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe

Accesses Microsoft Outlook profiles (1 TTP, 1 IoC)
Processes (description / ioc / process):
- Key opened / \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook / 268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext (4 IoCs)
Processes (description / pid / process -> target process):
- PID 2320 set thread context of 2672 / 2320 / 268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe -> 268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe
- PID 2548 set thread context of 1156 / 2548 / TOLAbin.exe -> Explorer.EXE
- PID 2548 set thread context of 1156 / 2548 / TOLAbin.exe -> Explorer.EXE
- PID 2388 set thread context of 1156 / 2388 / explorer.exe -> Explorer.EXE

Drops file in Windows directory (1 IoC)
Processes (description / ioc / process):
- File opened for modification / C:\Windows\win.ini / 268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (31 IoCs)
Processes (pid / process):
- 2548 / TOLAbin.exe (3 entries)
- 2388 / explorer.exe (28 entries)

Suspicious behavior: MapViewOfSection (6 IoCs)
Processes (pid / process):
- 2548 / TOLAbin.exe (4 entries)
- 2388 / explorer.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (34 IoCs)
Processes (description / pid / process):
- Token: SeDebugPrivilege / 2548 / TOLAbin.exe
- Token: SeImpersonatePrivilege, SeTcbPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeIncreaseQuotaPrivilege, SeAssignPrimaryTokenPrivilege / 2672 / 268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe (this sequence of 8 tokens is recorded 4 times, 32 entries)
- Token: SeDebugPrivilege / 2388 / explorer.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes (pid / process):
- 2320 / 268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (26 IoCs)
Processes (description / pid / process -> target process):
- PID 2320 wrote to memory of 2548 / 2320 / 268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe -> TOLAbin.exe (4 entries)
- PID 2320 wrote to memory of 2672 / 2320 / 268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe -> 268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe (10 entries)
- PID 1156 wrote to memory of 2388 / 1156 / Explorer.EXE -> explorer.exe (4 entries)
- PID 2672 wrote to memory of 2876 / 2672 / 268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe -> cmd.exe (4 entries)
- PID 2388 wrote to memory of 1560 / 2388 / explorer.exe -> cmd.exe (4 entries)

outlook_win_path (1 IoC)
Processes (description / ioc / process):
- Key opened / \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook / 268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory
  PID: 1156

  C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2320

    C:\Users\Admin\AppData\Local\Temp\TOLAbin.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\TOLAbin.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      PID: 2548

    C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe"
      - Accesses Microsoft Outlook accounts
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - outlook_win_path
      PID: 2672

      C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\259407838.bat" "C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe" "
        - Deletes itself
        PID: 2876

  C:\Windows\SysWOW64\explorer.exe
    Command line: "C:\Windows\SysWOW64\explorer.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2388

    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\TOLAbin.exe"
      PID: 1560
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 94B
  MD5: 3880eeb1c736d853eb13b44898b718ab
  SHA1: 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6
  SHA256: 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
  SHA512: 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

- Filesize: 506B
  MD5: 8e6100faa270f8b935ebba91ae814491
  SHA1: 1b5d16ec7d3f2ed289fc4c079fed992275578257
  SHA256: 293b109535400cdd3eb36c8a47dcdda245e8f48200aa59bfddb21d105923e93b
  SHA512: 78b36ef3fd77d991d7ef9aa4f900f653edb1df5ab6ddbc369e0b3b3430fba9074673bf67d208cbb885b41afd3a9cd26ae9c2b392c70df7d08f055a41318469e7

- Filesize: 167KB
  MD5: 3903702822dd3f972ad6f23c855ebaea
  SHA1: 677a7b1e5a5b71f6f492c57a21dd1149cff95302
  SHA256: e6c547ff98f9f695304185cc6b39567ae0bc64c63be6a21d1c97dbb941b378c3
  SHA512: 2f5844301a43176f5607dbf9406b97c9ad2220631499b3644b95faa5a2d9b3dc3ab4d18bcbaf01c37aea9defc5e067a71d0bf11d865c121a6c955d0d1df740b0