Analysis
Max time kernel: 149s
Max time network: 151s
Platform: windows10-2004_x64
Resource: win10v2004-20240508-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 08-05-2024 20:46
Static task: static1
Behavioral task: behavioral1
Sample: 26aa9b7bf926ffa61dd823895ce0a868_JaffaCakes118.exe
Resource: win7-20240508-en
General
Target: 26aa9b7bf926ffa61dd823895ce0a868_JaffaCakes118.exe
Size: 766KB
MD5: 26aa9b7bf926ffa61dd823895ce0a868
SHA1: f7ae1863e31a855feb8956b3c113afb8a1992e47
SHA256: 51be25e5c754614603992540797d953736c4ac163818db5de69734fabb2f8f82
SHA512: 08cf1deef378097a14a94b5fdd1186865cf18c62f010ddf4bfd714faf869232385cc8cf9682328fae2752bd5690034e4239c2fb8878defce53c7d4918f2f5050
SSDEEP: 12288:b58WhWmNEYOyd4Sau/yaqDzjnOeX6nKAZgDpaSO3nMJibf41y99zzSl+XoEzz1wt:b5dxN/4k/yGrB9zztzzK
Malware Config
Extracted
formbook
4.1
gtb
Signatures
-
Formbook payload 2 IoCs
Processes:
behavioral2/memory/2400-204-0x0000000000400000-0x000000000042E000-memory.dmp  (yara_rule: formbook)
behavioral2/memory/2400-208-0x0000000000400000-0x000000000042E000-memory.dmp  (yara_rule: formbook)
Executes dropped EXE 1 IoCs
Processes:
PID 2400  ngentask.exe
Loads dropped DLL 1 IoCs
Processes:
PID 3920  26aa9b7bf926ffa61dd823895ce0a868_JaffaCakes118.exe
Suspicious use of SetThreadContext 3 IoCs
Processes:
PID 3920 (26aa9b7bf926ffa61dd823895ce0a868_JaffaCakes118.exe) set thread context of PID 2400 (ngentask.exe)
PID 2400 (ngentask.exe) set thread context of PID 3448 (Explorer.EXE)
PID 5020 (ipconfig.exe) set thread context of PID 3448 (Explorer.EXE)
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
PID 5020  ipconfig.exe
Suspicious behavior: EnumeratesProcesses 45 IoCs
Processes:
PID 3920  26aa9b7bf926ffa61dd823895ce0a868_JaffaCakes118.exe  (1 entry)
PID 2400  ngentask.exe  (4 entries)
PID 5020  ipconfig.exe  (40 entries)
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
PID 2400  ngentask.exe  (3 entries)
PID 5020  ipconfig.exe  (2 entries)
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
Token: SeDebugPrivilege  PID 3920  26aa9b7bf926ffa61dd823895ce0a868_JaffaCakes118.exe
Token: SeDebugPrivilege  PID 2400  ngentask.exe
Token: SeDebugPrivilege  PID 5020  ipconfig.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
PID 3920 (26aa9b7bf926ffa61dd823895ce0a868_JaffaCakes118.exe) wrote to memory of PID 2400 (ngentask.exe)  (6 entries)
PID 3448 (Explorer.EXE) wrote to memory of PID 5020 (ipconfig.exe)  (3 entries)
PID 5020 (ipconfig.exe) wrote to memory of PID 696 (cmd.exe)  (3 entries)
Processes
C:\Windows\Explorer.EXE  (PID 3448)
    Command line: C:\Windows\Explorer.EXE
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\26aa9b7bf926ffa61dd823895ce0a868_JaffaCakes118.exe  (PID 3920)
        Command line: "C:\Users\Admin\AppData\Local\Temp\26aa9b7bf926ffa61dd823895ce0a868_JaffaCakes118.exe"
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\ngentask.exe  (PID 2400)
            Command line: "C:\Users\Admin\AppData\Local\Temp\ngentask.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\ipconfig.exe  (PID 5020)
        Command line: "C:\Windows\SysWOW64\ipconfig.exe"
        - Suspicious use of SetThreadContext
        - Gathers network information
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe  (PID 696)
            Command line: /c del "C:\Users\Admin\AppData\Local\Temp\ngentask.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 94KB
MD5: 14ff402962ad21b78ae0b4c43cd1f194
SHA1: f8a510eb26666e875a5bdd1cadad40602763ad72
SHA256: fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b
SHA512: daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b
-
Filesize: 85KB
MD5: c6ce045ca7809169a017f73d45c21462
SHA1: 7d2504133d8235e91c2e98355c4f223cdf500d4d
SHA256: 41019bd2dff58eca53a25ffce26e487af0b693c3d305e67a0d4e8f8cd60c6ef6
SHA512: cb42d614f4e543be090e2d09f0f6c28ecd346b8ea2ca06ba10389a735a23792bd4d4ec189f94c8dcdc0b35707b36ba0df811c18b7608f8a2cc2b8d429242b205