formbook | 1bd1c6bae8d74df3a44a814fa9f81f1988334317602c2d5f6d468617a14817ed

General

Target

6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
Size

410KB
MD5

6d376f79e076fe8e311efac7bbc5499a
SHA1

2193c942e7d02b4627aa0802fb0107dba9b0068f
SHA256

1bd1c6bae8d74df3a44a814fa9f81f1988334317602c2d5f6d468617a14817ed
SHA512

c122aee705ae255855eacf61043969990e33fdeb7188356432e67bea2b1b983c485dd3b4a426bded895d4837785687242a5a3c242e2a45fe31abe05accfbd937
SSDEEP

12288:z4/ucsCfrLEnFHncFQhNe0GM1s65FHbLiSvU6Oui4am3YaCYmO2VdjVTfPKkD0Qs:z4/uY4nlcWNe0KOg2

Score

10^/10

formbook jo agilenet rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

jo

Decoy

udcrpf.win

bionicsvr.com

mitesserentferner.com

testtestsmbretail9517.info

wapatvvivolntrernet.com

tribemembers.com

buildings.exchange

progaero.com

aquifuera.com

unglockinge.com

theeoschronicles.com

xn--910ba670d24ddupq1a.com

nihalin.com

indivisiblesb.info

talitagustosa.com

zblogasp.com

shanshanjiu.com

clevel-executive-mail-suite.net

cover-necessary.com

devfunportal.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/924-8-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/2212-3-0x0000000000BE0000-0x0000000000C3C000-memory.dmp	agile_net

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 3 IoCs

Processes:

6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exevbc.exeraserver.exe

description	pid	process	target process
PID 2212 set thread context of 924	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 924 set thread context of 1208	924	vbc.exe	Explorer.EXE
PID 1496 set thread context of 1208	1496	raserver.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe

pid	process
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe

pid	process
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exevbc.exeraserver.exe

description	pid	process
Token: SeDebugPrivilege	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
Token: SeDebugPrivilege	924	vbc.exe
Token: SeDebugPrivilege	1496	raserver.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe

description	pid	process	target process
PID 2212 wrote to memory of 2904	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 2904	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 2904	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 2904	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 1836	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 1836	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 1836	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 1836	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 772	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 772	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 772	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 772	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 280	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 280	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 280	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 280	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 1796	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 1796	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 1796	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 1796	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 2032	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 2032	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 2032	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 2032	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 2012	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 2012	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 2012	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 2012	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 2372	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 2372	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 2372	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 2372	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 2900	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 2900	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 2900	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 2900	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 2104	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 2104	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 2104	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 2104	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 2544	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 2544	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 2544	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 2544	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 2328	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 2328	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 2328	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 2328	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 2596	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 2596	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 2596	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 2596	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 2644	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 2644	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 2644	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 2644	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 2660	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 2660	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 2660	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 2660	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 2664	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 2664	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 2664	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe
PID 2212 wrote to memory of 2664	2212	6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe	vbc.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208

C:\Users\Admin\AppData\Local\Temp\6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6d376f79e076fe8e311efac7bbc5499a_JaffaCakes118.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2372

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2104

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2448

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:3024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:3020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:3068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1448

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:3044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:3000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:3004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:3048

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:3028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2248

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1308

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2356

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2352

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:924

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1388

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/924-8-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1208-10-0x0000000003D20000-0x0000000003E20000-memory.dmp

Filesize
1024KB

Download
memory/1496-11-0x0000000000C00000-0x0000000000C1C000-memory.dmp

Filesize
112KB

Download
memory/2212-3-0x0000000000BE0000-0x0000000000C3C000-memory.dmp

Filesize
368KB

Download
memory/2212-4-0x00000000749D0000-0x00000000750BE000-memory.dmp

Filesize
6.9MB

Download
memory/2212-5-0x00000000003E0000-0x0000000000410000-memory.dmp

Filesize
192KB

Download
memory/2212-7-0x00000000749D0000-0x00000000750BE000-memory.dmp

Filesize
6.9MB

Download
memory/2212-0-0x00000000749DE000-0x00000000749DF000-memory.dmp

Filesize
4KB

Download
memory/2212-2-0x0000000000340000-0x0000000000348000-memory.dmp

Filesize
32KB

Download
memory/2212-1-0x0000000000E40000-0x0000000000EAC000-memory.dmp

Filesize
432KB

Download
memory/2212-14-0x00000000749DE000-0x00000000749DF000-memory.dmp

Filesize
4KB

Download
memory/2212-16-0x00000000749D0000-0x00000000750BE000-memory.dmp

Filesize
6.9MB

Download
memory/2212-17-0x00000000749D0000-0x00000000750BE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads