Analysis
- max time kernel: 122s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 10-05-2024 01:59
- Static task: static1
- Behavioral task: behavioral1
- Sample: 2cc9f4a819185333bc946cbe1c550210_JaffaCakes118.exe
- Resource: win7-20240221-en
General
- Target: 2cc9f4a819185333bc946cbe1c550210_JaffaCakes118.exe
- Size: 910KB
- MD5: 2cc9f4a819185333bc946cbe1c550210
- SHA1: 6ce7d3ee1af2e3ec697dad4002d3b6e9110dba3d
- SHA256: 2ffe3df675a097fefad87b0c66d028ff6a732dbd67f4385777c4fb52a3e60994
- SHA512: 98d00d533510bad7fe70383733b90c82df1186871e03360480d5506111dee8b8bfe37844d880084af2d05624e0fcb22fd601a19bc53e6e30f340afdb09dd9856
- SSDEEP: 24576:oNHCmvI0fjnjOgYwC4U4o5EOYf4yI7OUcaY:wfRLNYwtUD7OKY
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- te:
sharjo-begir2.xyz
shroomsmy.com
citestpridom20200814092033.net
alemaruy.com
etong-tech.com
lomomofarm.com
elitenailsupplyva.com
thoughtfulbuddhist.online
therealtalkers.com
castleemerald.net
ysksafety.com
amazingrealtors.net
sourcesharp.com
commentorsint.com
alinement-solutions.info
expressivepins.com
americanbullylover.com
calerie.net
poamerican.com
epicoutreach.events
allnetamericas.com
bestbowrider.com
abelroofing.com
haraduda.com
planeta-ekb.com
aussieenjoyment.today
spreadalight.com
dgjinan.com
twincityradio.com
trimgarage.xyz
greeniemobiledetailing.com
paymentinformationcustsuprt.com
puredietaryketo.com
activateyoursuperpower.com
alrahmah.info
globalvitalsigns.com
hd627.com
smashcanceratlantis.com
shrtlnk.pro
advancemusclescience.com
jenhfuaksiea.com
mastekltd.com
qjcnnm.com
campusbuchs.com
giantsculpture.com
pbsadr.com
danielwk.net
womenofwatercolour.com
kaya-shop.com
nicholehwilliams.com
blushsocialmedia.com
sebastianobscura.com
soperlz.xyz
queenbeecarfinance.com
creatordemands.com
bolsolut.com
moderntravelgear.com
wchaycoffee.com
sacredartstv.com
trendycooljewels.com
panel.wiki
winlfcus.com
the941news.com
audiologiamallorca.com
tantitogeek.com
Signatures
- Formbook payload (1 IoCs)
  Processes:
  resource: behavioral1/memory/2228-17-0x0000000000400000-0x000000000042E000-memory.dmp | yara_rule: formbook
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description: PID 2328 set thread context of 2228 | pid: 2328 | process: 2cc9f4a819185333bc946cbe1c550210_JaffaCakes118.exe | target process: 2cc9f4a819185333bc946cbe1c550210_JaffaCakes118.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  pid: 2328 | process: 2cc9f4a819185333bc946cbe1c550210_JaffaCakes118.exe
  pid: 2328 | process: 2cc9f4a819185333bc946cbe1c550210_JaffaCakes118.exe
  pid: 2328 | process: 2cc9f4a819185333bc946cbe1c550210_JaffaCakes118.exe
  pid: 2228 | process: 2cc9f4a819185333bc946cbe1c550210_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description: Token: SeDebugPrivilege | pid: 2328 | process: 2cc9f4a819185333bc946cbe1c550210_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  description: PID 2328 wrote to memory of 1632 | pid: 2328 | process: 2cc9f4a819185333bc946cbe1c550210_JaffaCakes118.exe | target process: schtasks.exe
  description: PID 2328 wrote to memory of 1632 | pid: 2328 | process: 2cc9f4a819185333bc946cbe1c550210_JaffaCakes118.exe | target process: schtasks.exe
  description: PID 2328 wrote to memory of 1632 | pid: 2328 | process: 2cc9f4a819185333bc946cbe1c550210_JaffaCakes118.exe | target process: schtasks.exe
  description: PID 2328 wrote to memory of 1632 | pid: 2328 | process: 2cc9f4a819185333bc946cbe1c550210_JaffaCakes118.exe | target process: schtasks.exe
  description: PID 2328 wrote to memory of 2228 | pid: 2328 | process: 2cc9f4a819185333bc946cbe1c550210_JaffaCakes118.exe | target process: 2cc9f4a819185333bc946cbe1c550210_JaffaCakes118.exe
  description: PID 2328 wrote to memory of 2228 | pid: 2328 | process: 2cc9f4a819185333bc946cbe1c550210_JaffaCakes118.exe | target process: 2cc9f4a819185333bc946cbe1c550210_JaffaCakes118.exe
  description: PID 2328 wrote to memory of 2228 | pid: 2328 | process: 2cc9f4a819185333bc946cbe1c550210_JaffaCakes118.exe | target process: 2cc9f4a819185333bc946cbe1c550210_JaffaCakes118.exe
  description: PID 2328 wrote to memory of 2228 | pid: 2328 | process: 2cc9f4a819185333bc946cbe1c550210_JaffaCakes118.exe | target process: 2cc9f4a819185333bc946cbe1c550210_JaffaCakes118.exe
  description: PID 2328 wrote to memory of 2228 | pid: 2328 | process: 2cc9f4a819185333bc946cbe1c550210_JaffaCakes118.exe | target process: 2cc9f4a819185333bc946cbe1c550210_JaffaCakes118.exe
  description: PID 2328 wrote to memory of 2228 | pid: 2328 | process: 2cc9f4a819185333bc946cbe1c550210_JaffaCakes118.exe | target process: 2cc9f4a819185333bc946cbe1c550210_JaffaCakes118.exe
  description: PID 2328 wrote to memory of 2228 | pid: 2328 | process: 2cc9f4a819185333bc946cbe1c550210_JaffaCakes118.exe | target process: 2cc9f4a819185333bc946cbe1c550210_JaffaCakes118.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2cc9f4a819185333bc946cbe1c550210_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2cc9f4a819185333bc946cbe1c550210_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2328
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aPoVrnLXZTfD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE58E.tmp"
    - Creates scheduled task(s)
    PID: 1632
  - C:\Users\Admin\AppData\Local\Temp\2cc9f4a819185333bc946cbe1c550210_JaffaCakes118.exe
    Command line: "{path}"
    - Suspicious behavior: EnumeratesProcesses
    PID: 2228
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: d5be679df9b01b7d7a7bf44bbbf23012
  SHA1: ee1017fc2b25803c6f42d71d99ef3eac02cd44f7
  SHA256: 91cdf81a88a3d7c327e7aff207b1e397983cb303298571c0d60c86c8186df863
  SHA512: 6662c7fdfc0394fef103ad37a703500d9094a73d544b677fd9bc8b6cc96a857b84a5af734ca2e0f8d86e8da4f81b80a5cb8aac3f7b571cc2b988662be8872abf