Analysis

Max time kernel: 121s
Max time network: 123s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 09-05-2024 12:28

Static task: static1
Behavioral task: behavioral1
Sample: 29f92283750de72e762be0defcaaf7bc_JaffaCakes118.exe
Resource: win7-20240221-en
General

Target: 29f92283750de72e762be0defcaaf7bc_JaffaCakes118.exe
Size: 272KB
MD5: 29f92283750de72e762be0defcaaf7bc
SHA1: 2375cd5381df116fcd4e548065a1a1f8e6d9d4f3
SHA256: 214252466a63120c1473180e5f4d2558f59a6a12aa8f3c38d3d5f45712965d7c
SHA512: 2b346d0898e63308fc88b7a7f0dc70bd3ec91ee835e3e46cbd05275030ba0a5ef02802ae31b033cc4d156fdca8a4d88e4c16ffdc75a21ec2387f051db68f95ad
SSDEEP: 6144:9mWaVTWFH0b/8FvlTbXOVj73t7ustHdepOPxKLQJ:AWhFc/8ZlNycpOJK
Malware Config

Extracted: formbook 3.8 mk
Signatures

Formbook payload (1 IoC)
Resource: behavioral1/memory/1768-4-0x0000000000400000-0x000000000042A000-memory.dmp
YARA rule: formbook

Suspicious use of SetThreadContext (1 IoC)
PID 3028 (29f92283750de72e762be0defcaaf7bc_JaffaCakes118.exe) set thread context of PID 1768 (29f92283750de72e762be0defcaaf7bc_JaffaCakes118.exe)

Suspicious behavior: EnumeratesProcesses (1 IoC)
PID 1768 (29f92283750de72e762be0defcaaf7bc_JaffaCakes118.exe)

Suspicious use of FindShellTrayWindow (2 IoCs)
PID 3028 (29f92283750de72e762be0defcaaf7bc_JaffaCakes118.exe), 2 events

Suspicious use of SendNotifyMessage (2 IoCs)
PID 3028 (29f92283750de72e762be0defcaaf7bc_JaffaCakes118.exe), 2 events

Suspicious use of SetWindowsHookEx (1 IoC)
PID 3028 (29f92283750de72e762be0defcaaf7bc_JaffaCakes118.exe)

Suspicious use of WriteProcessMemory (8 IoCs)
PID 3028 (29f92283750de72e762be0defcaaf7bc_JaffaCakes118.exe) wrote to memory of PID 1768 (29f92283750de72e762be0defcaaf7bc_JaffaCakes118.exe), 8 events
Processes

1. C:\Users\Admin\AppData\Local\Temp\29f92283750de72e762be0defcaaf7bc_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\29f92283750de72e762be0defcaaf7bc_JaffaCakes118.exe"
   PID: 3028
   - Suspicious use of SetThreadContext
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\29f92283750de72e762be0defcaaf7bc_JaffaCakes118.exe (child of PID 3028)
      Command line: "C:\Users\Admin\AppData\Local\Temp\29f92283750de72e762be0defcaaf7bc_JaffaCakes118.exe"
      PID: 1768
      - Suspicious behavior: EnumeratesProcesses