Analysis

max time kernel: 94s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-05-2024 07:44

Static task: static1
Behavioral task: behavioral1
Sample: 3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe
Resource: win7-20240221-en
General

Target: 3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe
Size: 440KB
MD5: 3e6cb6a5af5ecb01dbd56fe6c33a22ea
SHA1: e3404f90c9e5599d32707ea9ec2cf28b425ca09d
SHA256: a84082ae91276ae65520f597253a8b7c1d0756bd0818ba4f50a986b716fa356a
SHA512: 2a2b8eb22b46fb3e527cf0ac73d419da4d45f09f15e8b74b3d0a5b7640e7a26da8bb1b409984975c40d6a0936b4bb11ad0aef510c6b4ccc2f40ba6938f25659b
SSDEEP: 6144:4Ik+g+ykKrPe+SNbvEMdJJ+iYieQi2COv8XmTjkLm8nfsxF7wjimU9:4P9BDSNb9+iYZQD82vkLnfOOim
Malware Config

Extracted
Family: formbook
Version: 3.8
Campaign: h318
Signatures

Detect ZGRat V1 (1 IoC)
Processes:
resource                                                                    yara_rule
behavioral2/memory/4160-2-0x0000000002AB0000-0x0000000002AD8000-memory.dmp  family_zgrat_v1

Formbook payload (1 IoC)
Processes:
resource                                                                    yara_rule
behavioral2/memory/4148-7-0x0000000000400000-0x000000000042A000-memory.dmp  formbook

Obfuscated with Agile.Net obfuscator (1 IoC)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource                                                                    yara_rule
behavioral2/memory/4160-2-0x0000000002AB0000-0x0000000002AD8000-memory.dmp  agile_net

Suspicious use of SetThreadContext (1 IoC)
Processes: 3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe
description                          pid   process                                             target process
PID 4160 set thread context of 4148  4160  3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe  3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: 3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe
pid   process
4148  3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe
4148  3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: 3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe
description              pid   process
Token: SeDebugPrivilege  4160  3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe
description                        pid   process                                             target process
PID 4160 wrote to memory of 4148   4160  3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe  3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe
PID 4160 wrote to memory of 4148   4160  3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe  3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe
PID 4160 wrote to memory of 4148   4160  3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe  3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe
PID 4160 wrote to memory of 4148   4160  3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe  3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe
PID 4160 wrote to memory of 4148   4160  3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe  3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe
PID 4160 wrote to memory of 4148   4160  3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe  3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe (child of 1)
      command line: "C:\Users\Admin\AppData\Local\Temp\3e6cb6a5af5ecb01dbd56fe6c33a22ea_JaffaCakes118.exe"
      - Suspicious behavior: EnumeratesProcesses
Downloads

memory dump                                                     Filesize
memory/4148-7-0x0000000000400000-0x000000000042A000-memory.dmp  168KB
memory/4148-10-0x00000000016E0000-0x0000000001A2A000-memory.dmp 3.3MB
memory/4160-0-0x0000000074AEE000-0x0000000074AEF000-memory.dmp  4KB
memory/4160-1-0x00000000005E0000-0x0000000000654000-memory.dmp  464KB
memory/4160-2-0x0000000002AB0000-0x0000000002AD8000-memory.dmp  160KB
memory/4160-3-0x0000000005710000-0x0000000005CB4000-memory.dmp  5.6MB
memory/4160-4-0x0000000005160000-0x00000000051F2000-memory.dmp  584KB
memory/4160-5-0x0000000074AE0000-0x0000000075290000-memory.dmp  7.7MB
memory/4160-6-0x0000000005620000-0x00000000056BC000-memory.dmp  624KB
memory/4160-9-0x0000000074AE0000-0x0000000075290000-memory.dmp  7.7MB