Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 13-05-2024 07:44
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe
  - Resource: win7-20240221-en
General
- Target: 3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe
- Size: 440KB
- MD5: 3e6cb6a5af5ecb01dbd56fe6c33a22ea
- SHA1: e3404f90c9e5599d32707ea9ec2cf28b425ca09d
- SHA256: a84082ae91276ae65520f597253a8b7c1d0756bd0818ba4f50a986b716fa356a
- SHA512: 2a2b8eb22b46fb3e527cf0ac73d419da4d45f09f15e8b74b3d0a5b7640e7a26da8bb1b409984975c40d6a0936b4bb11ad0aef510c6b4ccc2f40ba6938f25659b
- SSDEEP: 6144:4Ik+g+ykKrPe+SNbvEMdJJ+iYieQi2COv8XmTjkLm8nfsxF7wjimU9:4P9BDSNb9+iYZQD82vkLnfOOim
Malware Config
Extracted
- Family: formbook
- Version: 3.8
- Campaign: h318
Signatures

Detect ZGRat V1 (1 IoC)
- resource: behavioral1/memory/1660-2-0x0000000000570000-0x0000000000598000-memory.dmp
  yara_rule: family_zgrat_v1

Formbook payload (1 IoC)
- resource: behavioral1/memory/3048-10-0x0000000000400000-0x000000000042A000-memory.dmp
  yara_rule: formbook

Obfuscated with Agile.Net obfuscator (1 IoC)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- resource: behavioral1/memory/1660-2-0x0000000000570000-0x0000000000598000-memory.dmp
  yara_rule: agile_net

Suspicious use of SetThreadContext (1 IoC)
- description: PID 1660 set thread context of 3048
  pid: 1660
  process: 3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe
  target process: 3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe

Program crash (1 IoC)
- pid: 2604
  pid_target: 3048
  process: WerFault.exe
  target process: 3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
- description: Token: SeDebugPrivilege
  pid: 1660
  process: 3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (11 IoCs)
- description: PID 1660 wrote to memory of 3048 (7 events)
  pid: 1660
  process: 3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe
  target process: 3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe
- description: PID 3048 wrote to memory of 2604 (4 events)
  pid: 3048
  process: 3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe
  target process: WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (child process)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 36
      - Program crash
Downloads
- memory/1660-0-0x0000000074A2E000-0x0000000074A2F000-memory.dmp (Filesize: 4KB)
- memory/1660-1-0x0000000001390000-0x0000000001404000-memory.dmp (Filesize: 464KB)
- memory/1660-2-0x0000000000570000-0x0000000000598000-memory.dmp (Filesize: 160KB)
- memory/1660-3-0x0000000074A20000-0x000000007510E000-memory.dmp (Filesize: 6.9MB)
- memory/1660-4-0x0000000074A20000-0x000000007510E000-memory.dmp (Filesize: 6.9MB)
- memory/1660-11-0x0000000074A20000-0x000000007510E000-memory.dmp (Filesize: 6.9MB)
- memory/3048-5-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
- memory/3048-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
- memory/3048-7-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
- memory/3048-10-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)