Analysis
- max time kernel: 120s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 16-05-2024 10:05
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 4a88ef067c92ec50842f31d0cd49ceee_JaffaCakes118.exe
  - Resource: win7-20240221-en
General
- Target: 4a88ef067c92ec50842f31d0cd49ceee_JaffaCakes118.exe
- Size: 715KB
- MD5: 4a88ef067c92ec50842f31d0cd49ceee
- SHA1: fca2bb6c3785c7d786a5c13d05043ce004a9b618
- SHA256: 5c08d875ce6e830acd443b62b7db10aac4d335afcee20423a703ea0c15b36368
- SHA512: 25b17a4f0b1bd202cd53f8f98ec4f96cb477386abe1f84081f1a98c0a0d3f97101a0907c7f276e0894a1b0c5b5a3877b362d89f82a48930dbbdf8a21a088a988
- SSDEEP: 12288:Q2m9mygck7g4++RWR7imOxL80hHtlY6k3B0G/DV7HU+javpV2g:/2TgBtmRfOV3Htm6k3mGhHU+jaxA
Malware Config
Extracted
formbook
3.9
d003
Signatures
- Formbook payload (1 IoC)
  - resource: behavioral1/memory/2356-5-0x0000000000400000-0x000000000042A000-memory.dmp
  - yara_rule: formbook
- Suspicious use of SetThreadContext (1 IoC)
  - PID 2756 (4a88ef067c92ec50842f31d0cd49ceee_JaffaCakes118.exe) set thread context of PID 2356 (4a88ef067c92ec50842f31d0cd49ceee_JaffaCakes118.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  - PID 2756 (4a88ef067c92ec50842f31d0cd49ceee_JaffaCakes118.exe)
  - PID 2356 (4a88ef067c92ec50842f31d0cd49ceee_JaffaCakes118.exe)
- Suspicious behavior: MapViewOfSection (1 IoC)
  - PID 2756 (4a88ef067c92ec50842f31d0cd49ceee_JaffaCakes118.exe)
- Suspicious use of WriteProcessMemory (4 IoCs)
  - PID 2756 (4a88ef067c92ec50842f31d0cd49ceee_JaffaCakes118.exe) wrote to memory of PID 2356 (4a88ef067c92ec50842f31d0cd49ceee_JaffaCakes118.exe), 4 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\4a88ef067c92ec50842f31d0cd49ceee_JaffaCakes118.exe (PID 2756)
  - command line: "C:\Users\Admin\AppData\Local\Temp\4a88ef067c92ec50842f31d0cd49ceee_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - child: C:\Users\Admin\AppData\Local\Temp\4a88ef067c92ec50842f31d0cd49ceee_JaffaCakes118.exe (PID 2356)
    - command line: "C:\Users\Admin\AppData\Local\Temp\4a88ef067c92ec50842f31d0cd49ceee_JaffaCakes118.exe"
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
- memory/2356-5-0x0000000000400000-0x000000000042A000-memory.dmp (168KB)
- memory/2756-0-0x0000000000220000-0x0000000000221000-memory.dmp (4KB)
- memory/2756-1-0x00000000002B0000-0x00000000002C3000-memory.dmp (76KB)
- memory/2756-4-0x0000000000400000-0x00000000004B9000-memory.dmp (740KB)
- memory/2756-2-0x00000000002D0000-0x00000000002D1000-memory.dmp (4KB)