Analysis

max time kernel: 141s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-05-2024 03:04
Static task: static1
Behavioral task: behavioral1
Sample: 6d2331c2b272fbe95d77250c47b37e71_JaffaCakes118.exe
Resource: win7-20240221-en
General

Target: 6d2331c2b272fbe95d77250c47b37e71_JaffaCakes118.exe
Size: 472KB
MD5: 6d2331c2b272fbe95d77250c47b37e71
SHA1: e70258580bda815758bef6386b0d64bfbde24ff6
SHA256: 58be60f2549f4c7093fcb9fdc050154389d02b4ad7b60439122de5bf02865074
SHA512: 150d69d9815c8e3b9a8331cfd7eb46aedc21b6f4c8c2ff45f717bba143bd6d90d02e342d20dc78c1e78e431f7a69ee03c60da564d5ea826a9358f40921e49961
SSDEEP: 6144:cmrL7bOr2xYboL9br/U+e/HQL3dZ655y8Yvl/oHzUmaIv7:cm7GEYmnU+aHQTm5gdvl4Q1y
Malware Config (extracted)

Family: formbook
Version: 3.9
Campaign: tg
Domains:
xn--wmq267cvp4asgh.com
herunyunshang.com
fulhdmovie.cymru
runforabetterlifecoaching.com
www58978www.com
gachtiendat.com
turkico.com
jetlinefountain.com
mybabycool.com
housebuyinginlosangeles.info
tatreggyprismnimbles.win
moa397.com
thestrangerthings.com
kreditpintar.com
luggagelockercompany.com
xczcefmdsz.info
51linhu.com
zoodmal.com
bizrver.com
bostonrefinanceglobal.com
suabiensaigon.com
wwwamjs607.com
cryptocoinminingpool.com
destinosperfectos.com
tudito.com
tongyilube.com
dierfysiotherapie.amsterdam
businessstudiesqa.com
gwaloj.info
michaelsway.store
hamannamerica.com
rheumiesinlove.com
fuenferrada.net
pinnaclepeakmailboxes.com
lifewayfoodsfuck.com
nightmarehoodies.com
sunrisecityyenbai.com
pokerjackking.com
sainttoi.com
yoyoyon.com
youbanduk.com
baxterinnovationlab.com
long8-9166.com
pacificinertial.com
aaacharterschool.com
chin24news.com
minerace.com
familycourthelp.info
piabetuyelik.net
wearewildly.com
whatalie.com
jaewonmall.com
letterawe.com
scuke.com
planningapplicationslondon.com
mogharabian.com
koreapoker.com
l2entretenimentos.com
atune.me
universal-invest.com
glgoster.com
jade.exchange
wwwvnsr1155.com
ilinea1.com
apevy.com
Signatures

Formbook payload (1 IoC)
  resource: behavioral2/memory/3396-5-0x0000000000400000-0x000000000042A000-memory.dmp
  yara_rule: formbook

Suspicious use of SetThreadContext (1 IoC)
  description: PID 4296 set thread context of 3396
  pid: 4296
  process: 6d2331c2b272fbe95d77250c47b37e71_JaffaCakes118.exe
  target process: 6d2331c2b272fbe95d77250c47b37e71_JaffaCakes118.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 3396  6d2331c2b272fbe95d77250c47b37e71_JaffaCakes118.exe
  pid 3396  6d2331c2b272fbe95d77250c47b37e71_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid 4296  6d2331c2b272fbe95d77250c47b37e71_JaffaCakes118.exe
  pid 4296  6d2331c2b272fbe95d77250c47b37e71_JaffaCakes118.exe

Suspicious use of SendNotifyMessage (2 IoCs)
  pid 4296  6d2331c2b272fbe95d77250c47b37e71_JaffaCakes118.exe
  pid 4296  6d2331c2b272fbe95d77250c47b37e71_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid 4296  6d2331c2b272fbe95d77250c47b37e71_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (7 IoCs, all identical)
  description: PID 4296 wrote to memory of 3396
  pid: 4296
  process: 6d2331c2b272fbe95d77250c47b37e71_JaffaCakes118.exe
  target process: 6d2331c2b272fbe95d77250c47b37e71_JaffaCakes118.exe
Processes

C:\Users\Admin\AppData\Local\Temp\6d2331c2b272fbe95d77250c47b37e71_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\6d2331c2b272fbe95d77250c47b37e71_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\6d2331c2b272fbe95d77250c47b37e71_JaffaCakes118.exe (child of the process above)
    command line: "C:\Users\Admin\AppData\Local\Temp\6d2331c2b272fbe95d77250c47b37e71_JaffaCakes118.exe"
    - Suspicious behavior: EnumeratesProcesses

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1028 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8