Analysis
max time kernel: 93s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-05-2024 01:59
Static task: static1
Behavioral task: behavioral1
Sample: 2cc9f4a819185333bc946cbe1c550210_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: 2cc9f4a819185333bc946cbe1c550210_JaffaCakes118.exe
Size: 910KB
MD5: 2cc9f4a819185333bc946cbe1c550210
SHA1: 6ce7d3ee1af2e3ec697dad4002d3b6e9110dba3d
SHA256: 2ffe3df675a097fefad87b0c66d028ff6a732dbd67f4385777c4fb52a3e60994
SHA512: 98d00d533510bad7fe70383733b90c82df1186871e03360480d5506111dee8b8bfe37844d880084af2d05624e0fcb22fd601a19bc53e6e30f340afdb09dd9856
SSDEEP: 24576:oNHCmvI0fjnjOgYwC4U4o5EOYf4yI7OUcaY:wfRLNYwtUD7OKY
Malware Config (extracted)
Family: formbook
Version: 4.1
te
sharjo-begir2.xyz
shroomsmy.com
citestpridom20200814092033.net
alemaruy.com
etong-tech.com
lomomofarm.com
elitenailsupplyva.com
thoughtfulbuddhist.online
therealtalkers.com
castleemerald.net
ysksafety.com
amazingrealtors.net
sourcesharp.com
commentorsint.com
alinement-solutions.info
expressivepins.com
americanbullylover.com
calerie.net
poamerican.com
epicoutreach.events
allnetamericas.com
bestbowrider.com
abelroofing.com
haraduda.com
planeta-ekb.com
aussieenjoyment.today
spreadalight.com
dgjinan.com
twincityradio.com
trimgarage.xyz
greeniemobiledetailing.com
paymentinformationcustsuprt.com
puredietaryketo.com
activateyoursuperpower.com
alrahmah.info
globalvitalsigns.com
hd627.com
smashcanceratlantis.com
shrtlnk.pro
advancemusclescience.com
jenhfuaksiea.com
mastekltd.com
qjcnnm.com
campusbuchs.com
giantsculpture.com
pbsadr.com
danielwk.net
womenofwatercolour.com
kaya-shop.com
nicholehwilliams.com
blushsocialmedia.com
sebastianobscura.com
soperlz.xyz
queenbeecarfinance.com
creatordemands.com
bolsolut.com
moderntravelgear.com
wchaycoffee.com
sacredartstv.com
trendycooljewels.com
panel.wiki
winlfcus.com
the941news.com
audiologiamallorca.com
tantitogeek.com
Signatures
Formbook payload (1 IoC)
  resource: behavioral2/memory/3384-15-0x0000000000400000-0x000000000042E000-memory.dmp
  yara_rule: formbook
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  process: 2cc9f4a819185333bc946cbe1c550210_JaffaCakes118.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation
Suspicious use of SetThreadContext (1 IoC)
  process: 2cc9f4a819185333bc946cbe1c550210_JaffaCakes118.exe (PID 4532)
  description: PID 4532 set thread context of 3384
  target process: 2cc9f4a819185333bc946cbe1c550210_JaffaCakes118.exe (PID 3384)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (5 IoCs)
  PID 4532 2cc9f4a819185333bc946cbe1c550210_JaffaCakes118.exe (3 events)
  PID 3384 2cc9f4a819185333bc946cbe1c550210_JaffaCakes118.exe (2 events)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 4532 2cc9f4a819185333bc946cbe1c550210_JaffaCakes118.exe: Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory (9 IoCs)
  PID 4532 (2cc9f4a819185333bc946cbe1c550210_JaffaCakes118.exe) wrote to memory of 1104 (schtasks.exe): 3 events
  PID 4532 (2cc9f4a819185333bc946cbe1c550210_JaffaCakes118.exe) wrote to memory of 3384 (2cc9f4a819185333bc946cbe1c550210_JaffaCakes118.exe): 6 events
Processes
C:\Users\Admin\AppData\Local\Temp\2cc9f4a819185333bc946cbe1c550210_JaffaCakes118.exe (PID 4532)
  command line: "C:\Users\Admin\AppData\Local\Temp\2cc9f4a819185333bc946cbe1c550210_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\schtasks.exe (PID 1104, child of PID 4532)
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aPoVrnLXZTfD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB7.tmp"
    - Creates scheduled task(s)
  C:\Users\Admin\AppData\Local\Temp\2cc9f4a819185333bc946cbe1c550210_JaffaCakes118.exe (PID 3384, child of PID 4532)
    command line: "{path}"
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: 88f6e47b0f3f9736b361f47193a35c66
SHA1: 1b4519832f5f58fc4b3cbeff8ee6c65eb66a494d
SHA256: b906832c47ab8d2bb9199ee0d1fa2e380e5ed3009a849ab7b4f8621bf6a3741d
SHA512: 3988918506cb1a8c3eeceb3d2ab42ade8a1cc4e19b9eeab7a516922454380ae80d552d6e64e861327b84a23a40a8333614e4b1d45a197fdd2ca8f70d72cbcc76