Analysis
max time kernel: 117s
max time network: 121s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 09-05-2024 15:22
Static task: static1
Behavioral task: behavioral1
Sample: 2a9a30eec97ab00aa5383eb5b7b39e4c_JaffaCakes118.exe
Resource: win7-20240508-en
General
Target: 2a9a30eec97ab00aa5383eb5b7b39e4c_JaffaCakes118.exe
Size: 1.1MB
MD5: 2a9a30eec97ab00aa5383eb5b7b39e4c
SHA1: 4e557ee5f1c71f649ec7c700d4d8582bce462db3
SHA256: 61c879a82dd2352181a729b07d05a8d4c871a120a1ca69a673892b7ecb5b95c1
SHA512: fdc1dc6795d746be2a695498d718b88f3debebe636f4fbef7b7858dfb64ed3a9f1aebf29287a1d880aa0ac1f05f410ebc9097de8a5501020e3e309677dc1387b
SSDEEP: 12288:Dvm7Ib5morl71BT1c2rtHCaDKUdaKAM9J1VyAtR9jphJYIcjdLtophIm9wIdAksQ:Uri1fHhH2MM+9VXfpC0w2AM2m
Malware Config
Extracted
formbook
3.8
l7
water360.net
mantle-liquid.com
crypto1st.com
zhangying7.com
macsupportusa.online
hellocellular.online
linkhay.info
equipoprofesional.online
happyholi2017.com
halobuilders.net
gaelleautin.com
kateklamer.com
keyarmor.com
sandamall.com
livifyfe.com
pkmuxb.ink
precios10.com
baitongjxgs.com
pinnacle175.com
dlpansr.com
bang.money
crossfitcielo.com
davenunn.com
ss1559.com
xn--z0x114dg7c.net
exodusenerlytics.technology
infoskorbola.win
xawe.ltd
sinevizyonajans.com
fengxingnan.com
mondobdsm.online
thelivelysoul.biz
stashified.com
scsansheng.com
maihesystem.com
nguoivanminh.com
nordraack.com
equalwish.com
kimonosabine.win
dazhongtz.com
skimbrell.net
dmaz.life
pupnations.com
iqtlab.net
wiperwiper.com
bkinfoprosdiscountworld.com
jbsoc.loan
titandevelopmentgroup.com
mat-echu.com
troc-montagne.com
ezhao8.com
wrept.info
flashmane.com
currentdomain.online
sociologyofsports.com
patchworkedsoul.com
dem45.com
xn--hazdetripascorazn-vyb.com
diligence.agency
l6r082llpo.com
rodrigoshares.com
stratusstaff.com
curry.estate
xw6080.com
szccf360.com
Signatures
Formbook payload 1 IoCs
Processes:
resource: behavioral1/memory/2752-22-0x0000000000400000-0x000000000042A000-memory.dmp; yara_rule: formbook
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
description: File opened for modification; ioc: \??\PhysicalDrive0; process: 2a9a30eec97ab00aa5383eb5b7b39e4c_JaffaCakes118.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
description: PID 2236 set thread context of 2752; pid: 2236; process: 2a9a30eec97ab00aa5383eb5b7b39e4c_JaffaCakes118.exe; target process: 2a9a30eec97ab00aa5383eb5b7b39e4c_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
pid: 2752; process: 2a9a30eec97ab00aa5383eb5b7b39e4c_JaffaCakes118.exe
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid: 2236; process: 2a9a30eec97ab00aa5383eb5b7b39e4c_JaffaCakes118.exe
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
pid: 2236; process: 2a9a30eec97ab00aa5383eb5b7b39e4c_JaffaCakes118.exe
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
description: PID 2236 wrote to memory of 2752; pid: 2236; process: 2a9a30eec97ab00aa5383eb5b7b39e4c_JaffaCakes118.exe; target process: 2a9a30eec97ab00aa5383eb5b7b39e4c_JaffaCakes118.exe
description: PID 2236 wrote to memory of 2752; pid: 2236; process: 2a9a30eec97ab00aa5383eb5b7b39e4c_JaffaCakes118.exe; target process: 2a9a30eec97ab00aa5383eb5b7b39e4c_JaffaCakes118.exe
description: PID 2236 wrote to memory of 2752; pid: 2236; process: 2a9a30eec97ab00aa5383eb5b7b39e4c_JaffaCakes118.exe; target process: 2a9a30eec97ab00aa5383eb5b7b39e4c_JaffaCakes118.exe
description: PID 2236 wrote to memory of 2752; pid: 2236; process: 2a9a30eec97ab00aa5383eb5b7b39e4c_JaffaCakes118.exe; target process: 2a9a30eec97ab00aa5383eb5b7b39e4c_JaffaCakes118.exe
description: PID 2236 wrote to memory of 2752; pid: 2236; process: 2a9a30eec97ab00aa5383eb5b7b39e4c_JaffaCakes118.exe; target process: 2a9a30eec97ab00aa5383eb5b7b39e4c_JaffaCakes118.exe
description: PID 2236 wrote to memory of 2752; pid: 2236; process: 2a9a30eec97ab00aa5383eb5b7b39e4c_JaffaCakes118.exe; target process: 2a9a30eec97ab00aa5383eb5b7b39e4c_JaffaCakes118.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\2a9a30eec97ab00aa5383eb5b7b39e4c_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2a9a30eec97ab00aa5383eb5b7b39e4c_JaffaCakes118.exe"
   - Writes to the Master Boot Record (MBR)
   - Suspicious use of SetThreadContext
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   PID: 2236
   2. C:\Users\Admin\AppData\Local\Temp\2a9a30eec97ab00aa5383eb5b7b39e4c_JaffaCakes118.exe (child of PID 2236)
      Command line: "C:\Users\Admin\AppData\Local\Temp\2a9a30eec97ab00aa5383eb5b7b39e4c_JaffaCakes118.exe"
      - Suspicious behavior: EnumeratesProcesses
      PID: 2752