Analysis
max time kernel: 118s
max time network: 120s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 09-05-2024 18:38
Static task: static1
Behavioral task: behavioral1
Sample: 2b57098751a9c78d2990b3050460d341_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: 2b57098751a9c78d2990b3050460d341_JaffaCakes118.exe
Size: 724KB
MD5: 2b57098751a9c78d2990b3050460d341
SHA1: d7b25f469904ae214ce423f7a264dbc993630fbd
SHA256: 8b0c88ecea508a1d13d1a6b5ef32af213e5d80527fd489efb7f1cc6a29f00af3
SHA512: 5887c418cd6e91350d3fb82da7ced73486b182f75778c8f0d891a1dcc7cfdf40a39aa46775398778427c01e6abf56aa561302ba1302c7dada77f22e1fdba4833
SSDEEP: 12288:FkXOU51w5qnnf9aG3EV+M6qzvXkqYJZAbMMYAzMkFpTehIzSh:OeMbnn7EIqzATGMMYAzMKT2US
Malware Config
Extracted: formbook 4.1 pp0
Signatures
Formbook payload (1 IoC)
  resource: behavioral1/memory/2984-2-0x0000000000400000-0x000000000042D000-memory.dmp
  yara_rule: formbook
Suspicious use of SetThreadContext (1 IoC)
  description: PID 1988 set thread context of 2984
  pid: 1988, process: 2b57098751a9c78d2990b3050460d341_JaffaCakes118.exe
  target process: 2b57098751a9c78d2990b3050460d341_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid: 1988, process: 2b57098751a9c78d2990b3050460d341_JaffaCakes118.exe
  pid: 2984, process: 2b57098751a9c78d2990b3050460d341_JaffaCakes118.exe
Suspicious behavior: MapViewOfSection (1 IoC)
  pid: 1988, process: 2b57098751a9c78d2990b3050460d341_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 1988 wrote to memory of 2984 (recorded four times)
  pid: 1988, process: 2b57098751a9c78d2990b3050460d341_JaffaCakes118.exe
  target process: 2b57098751a9c78d2990b3050460d341_JaffaCakes118.exe
Processes
C:\Users\Admin\AppData\Local\Temp\2b57098751a9c78d2990b3050460d341_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2b57098751a9c78d2990b3050460d341_JaffaCakes118.exe"
  PID: 1988
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  child process: C:\Users\Admin\AppData\Local\Temp\2b57098751a9c78d2990b3050460d341_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\2b57098751a9c78d2990b3050460d341_JaffaCakes118.exe"
    PID: 2984
    - Suspicious behavior: EnumeratesProcesses