Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 24-05-2024 03:04
Static task: static1
Behavioral task: behavioral1
- Sample: 6d2331c2b272fbe95d77250c47b37e71_JaffaCakes118.exe
- Resource: win7-20240221-en
General
- Target: 6d2331c2b272fbe95d77250c47b37e71_JaffaCakes118.exe
- Size: 472KB
- MD5: 6d2331c2b272fbe95d77250c47b37e71
- SHA1: e70258580bda815758bef6386b0d64bfbde24ff6
- SHA256: 58be60f2549f4c7093fcb9fdc050154389d02b4ad7b60439122de5bf02865074
- SHA512: 150d69d9815c8e3b9a8331cfd7eb46aedc21b6f4c8c2ff45f717bba143bd6d90d02e342d20dc78c1e78e431f7a69ee03c60da564d5ea826a9358f40921e49961
- SSDEEP: 6144:cmrL7bOr2xYboL9br/U+e/HQL3dZ655y8Yvl/oHzUmaIv7:cm7GEYmnU+aHQTm5gdvl4Q1y
Malware Config
Extracted
- Family: formbook
- Version: 3.9
- Campaign: tg
- C2 domains (as extracted from the sample's configuration):
xn--wmq267cvp4asgh.com
herunyunshang.com
fulhdmovie.cymru
runforabetterlifecoaching.com
www58978www.com
gachtiendat.com
turkico.com
jetlinefountain.com
mybabycool.com
housebuyinginlosangeles.info
tatreggyprismnimbles.win
moa397.com
thestrangerthings.com
kreditpintar.com
luggagelockercompany.com
xczcefmdsz.info
51linhu.com
zoodmal.com
bizrver.com
bostonrefinanceglobal.com
suabiensaigon.com
wwwamjs607.com
cryptocoinminingpool.com
destinosperfectos.com
tudito.com
tongyilube.com
dierfysiotherapie.amsterdam
businessstudiesqa.com
gwaloj.info
michaelsway.store
hamannamerica.com
rheumiesinlove.com
fuenferrada.net
pinnaclepeakmailboxes.com
lifewayfoodsfuck.com
nightmarehoodies.com
sunrisecityyenbai.com
pokerjackking.com
sainttoi.com
yoyoyon.com
youbanduk.com
baxterinnovationlab.com
long8-9166.com
pacificinertial.com
aaacharterschool.com
chin24news.com
minerace.com
familycourthelp.info
piabetuyelik.net
wearewildly.com
whatalie.com
jaewonmall.com
letterawe.com
scuke.com
planningapplicationslondon.com
mogharabian.com
koreapoker.com
l2entretenimentos.com
atune.me
universal-invest.com
glgoster.com
jade.exchange
wwwvnsr1155.com
ilinea1.com
apevy.com
Signatures

Formbook payload (1 IoC)
Processes:
  resource: behavioral1/memory/2100-6-0x0000000000400000-0x000000000042A000-memory.dmp
  yara_rule: formbook

Suspicious use of SetThreadContext (1 IoC)
Processes:
  PID 2328 (6d2331c2b272fbe95d77250c47b37e71_JaffaCakes118.exe) set thread context of PID 2100 (6d2331c2b272fbe95d77250c47b37e71_JaffaCakes118.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
  PID 2100 6d2331c2b272fbe95d77250c47b37e71_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
  PID 2328 6d2331c2b272fbe95d77250c47b37e71_JaffaCakes118.exe (2 occurrences)

Suspicious use of SendNotifyMessage (2 IoCs)
Processes:
  PID 2328 6d2331c2b272fbe95d77250c47b37e71_JaffaCakes118.exe (2 occurrences)

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  PID 2328 6d2331c2b272fbe95d77250c47b37e71_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  PID 2328 (6d2331c2b272fbe95d77250c47b37e71_JaffaCakes118.exe) wrote to memory of PID 2100 (6d2331c2b272fbe95d77250c47b37e71_JaffaCakes118.exe) (8 occurrences)
Processes
1. C:\Users\Admin\AppData\Local\Temp\6d2331c2b272fbe95d77250c47b37e71_JaffaCakes118.exe (PID 2328)
   command line: "C:\Users\Admin\AppData\Local\Temp\6d2331c2b272fbe95d77250c47b37e71_JaffaCakes118.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
2. (child of 1) C:\Users\Admin\AppData\Local\Temp\6d2331c2b272fbe95d77250c47b37e71_JaffaCakes118.exe (PID 2100)
   command line: "C:\Users\Admin\AppData\Local\Temp\6d2331c2b272fbe95d77250c47b37e71_JaffaCakes118.exe"
   - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- memory/2100-6-0x0000000000400000-0x000000000042A000-memory.dmp (168KB)
- memory/2100-8-0x00000000771F0000-0x0000000077399000-memory.dmp (1.7MB)
- memory/2100-11-0x00000000006E0000-0x00000000009E3000-memory.dmp (3.0MB)
- memory/2328-4-0x00000000771F1000-0x00000000772F2000-memory.dmp (1.0MB)
- memory/2328-5-0x00000000771F0000-0x0000000077399000-memory.dmp (1.7MB)