Analysis

max time kernel: 117s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 08-05-2024 21:21

Static task: static1
Behavioral task: behavioral1
Sample: 26cc0c76595f1e82f6be57f44a7c6232_JaffaCakes118.exe
Resource: win7-20240221-en
General

Target: 26cc0c76595f1e82f6be57f44a7c6232_JaffaCakes118.exe
Size: 821KB
MD5: 26cc0c76595f1e82f6be57f44a7c6232
SHA1: 0d58b9a7feb0c43aa20907707ce81ebfd21f21a6
SHA256: 4275b2dbfe9de1028660a52bae61fc22d560abf0a96d9bf8079b319e8f610973
SHA512: be9cc0efe3433a9d8320df49385a699e5df713cfe83008267ba76e334e35058ca7e4aeeda83ae178a62f9fd46e9adfc57cbbc7c1f0e35d5f258a18f4bcb72e4e
SSDEEP: 6144:v3fINvQlQQbSLXdB8usErKQEDCYwIjtSdj/4KngWIq6jRkO:vPINvWQQV+mDCY5SKKngWIj
Malware Config

Extracted
Family: formbook
Version: 3.9
Campaign: dg1
Signatures

Detect ZGRat V1 (1 IoC)
Processes:
  resource                                                                    yara_rule
  behavioral1/memory/2020-3-0x00000000004C0000-0x00000000004E0000-memory.dmp  family_zgrat_v1

Formbook payload (1 IoC)
Processes:
  resource                                                                    yara_rule
  behavioral1/memory/2456-8-0x0000000000080000-0x00000000000AA000-memory.dmp  formbook

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                          pid   process                                              target process
  PID 2020 set thread context of 2456  2020  26cc0c76595f1e82f6be57f44a7c6232_JaffaCakes118.exe  26cc0c76595f1e82f6be57f44a7c6232_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
  pid   process
  2456  26cc0c76595f1e82f6be57f44a7c6232_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description               pid   process
  Token: SeDebugPrivilege   2020  26cc0c76595f1e82f6be57f44a7c6232_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
  description                        pid   process                                              target process
  PID 2020 wrote to memory of 2456   2020  26cc0c76595f1e82f6be57f44a7c6232_JaffaCakes118.exe  26cc0c76595f1e82f6be57f44a7c6232_JaffaCakes118.exe
  PID 2020 wrote to memory of 2456   2020  26cc0c76595f1e82f6be57f44a7c6232_JaffaCakes118.exe  26cc0c76595f1e82f6be57f44a7c6232_JaffaCakes118.exe
  PID 2020 wrote to memory of 2456   2020  26cc0c76595f1e82f6be57f44a7c6232_JaffaCakes118.exe  26cc0c76595f1e82f6be57f44a7c6232_JaffaCakes118.exe
  PID 2020 wrote to memory of 2456   2020  26cc0c76595f1e82f6be57f44a7c6232_JaffaCakes118.exe  26cc0c76595f1e82f6be57f44a7c6232_JaffaCakes118.exe
  PID 2020 wrote to memory of 2456   2020  26cc0c76595f1e82f6be57f44a7c6232_JaffaCakes118.exe  26cc0c76595f1e82f6be57f44a7c6232_JaffaCakes118.exe
  PID 2020 wrote to memory of 2456   2020  26cc0c76595f1e82f6be57f44a7c6232_JaffaCakes118.exe  26cc0c76595f1e82f6be57f44a7c6232_JaffaCakes118.exe
  PID 2020 wrote to memory of 2456   2020  26cc0c76595f1e82f6be57f44a7c6232_JaffaCakes118.exe  26cc0c76595f1e82f6be57f44a7c6232_JaffaCakes118.exe
Processes

C:\Users\Admin\AppData\Local\Temp\26cc0c76595f1e82f6be57f44a7c6232_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\26cc0c76595f1e82f6be57f44a7c6232_JaffaCakes118.exe"
  PID: 2020
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  └ C:\Users\Admin\AppData\Local\Temp\26cc0c76595f1e82f6be57f44a7c6232_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\26cc0c76595f1e82f6be57f44a7c6232_JaffaCakes118.exe"
      PID: 2456
      - Suspicious behavior: EnumeratesProcesses