Analysis
Max time kernel: 150s
Max time network: 131s
Platform: windows10-2004_x64
Resource: win10v2004-20240508-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 27-05-2024 07:58
Static task: static1
Behavioral task: behavioral1
  Sample: 786f7116b110303287aed5571dad3789_JaffaCakes118.exe
  Resource: win7-20240221-en
General
Target: 786f7116b110303287aed5571dad3789_JaffaCakes118.exe
Size: 403KB
MD5: 786f7116b110303287aed5571dad3789
SHA1: 1ac724333f61654bb7560721e6420c014bcba932
SHA256: 704e900ae3d5645795927711e8f35d8b424ffcbbc4535f71346ea0feafebf14a
SHA512: 5f5f22b55fe1014217fe3a258797c9c77cfca47aa278893eae2cf2ea9037c06df54d9a6a39ff1b3d12d3369b328518ef33da7b1850157c0b0a4c1854f24a88a5
SSDEEP: 12288:sJixv2zv1grMilAdAYyI2QbWk/NEoQI4shdPYJdBJ:Gi42RlafyIhN/yo9vhuJLJ
Malware Config
Extracted: formbook 4.1 aa3
Domains:
dorzi.xyz
twentysx.net
myvoteatwork.com
linaje-escogido.com
godgunsncountry.com
bagudangtarung01.net
gemwalljewelry.com
orchidiris.com
opticalucy.com
yoniathome.com
tgg-iris.com
kyjade.com
smtfarming.com
diavacations.com
createkillerproducts.com
mydiscountexpress.com
yangshuotuozhan.com
architecture53seven.com
afitnessdiary.com
baobabusa.com
orgonut.com
dominoperformanceplus.com
greenbanc.info
etop80.com
drramkishorchoudhary.com
ameliyatsizomuztedavisi.com
translationsforyou.com
louiesluncheonette.com
daytradingllc.com
seattleinteriordecorator.com
nordstromcolumbia.com
instateangles.com
ynsteknoloji.xyz
sherepix.info
liwanwu.com
btc631.com
worldofcomicstaan.com
tubingmill.com
yummierpro.com
potatosroleplay.com
louisevictoriafurnishings.com
elitevendo.com
galancadenasabogados.com
kileyjecha.com
xn--80aeingrcwdeeaee.xn--p1acf
therecspot.info
footesfarmsupply.com
vm-partnering.com
westfalen-edelmetalle.com
inspiredearthgoddess.com
passession.club
noodlierry.com
benlolli.com
dickclock.com
fayumei.com
ryukrbajn.icu
haloedge.com
americanmousegoestoitaly.com
bright-cosmetics.com
konzeptware.com
azadari.network
besuper.group
thelostyouthes.com
qqemp.com
chucks3.online
Signatures
Formbook payload (2 IoCs)
  resource: behavioral2/memory/3400-15-0x0000000000400000-0x000000000042E000-memory.dmp  yara_rule: formbook
  resource: behavioral2/memory/3400-20-0x0000000000400000-0x000000000042E000-memory.dmp  yara_rule: formbook
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\K4RDYDMXCNY = "C:\\Program Files (x86)\\Anpih\\02svrm.exe"  process: msdt.exe
Suspicious use of SetThreadContext (3 IoCs)
  PID 5040 set thread context of 3400  786f7116b110303287aed5571dad3789_JaffaCakes118.exe -> RegSvcs.exe
  PID 3400 set thread context of 3524  RegSvcs.exe -> Explorer.EXE
  PID 3380 set thread context of 3524  msdt.exe -> Explorer.EXE
Drops file in Program Files directory (1 IoC)
  File opened for modification C:\Program Files (x86)\Anpih\02svrm.exe  process: msdt.exe
Modifies Internet Explorer settings
  Key created \Registry\User\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2  process: msdt.exe
Suspicious behavior: EnumeratesProcesses (44 IoCs)
  pid 5040  786f7116b110303287aed5571dad3789_JaffaCakes118.exe  (6 entries)
  pid 3400  RegSvcs.exe  (6 entries)
  pid 3380  msdt.exe  (remaining 32 entries)
Suspicious behavior: MapViewOfSection (7 IoCs)
  pid 3400  RegSvcs.exe  (3 entries)
  pid 3380  msdt.exe  (4 entries)
Suspicious use of AdjustPrivilegeToken (9 IoCs)
  Token: SeDebugPrivilege  pid 5040  786f7116b110303287aed5571dad3789_JaffaCakes118.exe
  Token: SeDebugPrivilege  pid 3400  RegSvcs.exe
  Token: SeDebugPrivilege  pid 3380  msdt.exe
  Token: SeShutdownPrivilege  pid 3524  Explorer.EXE  (3 entries)
  Token: SeCreatePagefilePrivilege  pid 3524  Explorer.EXE  (3 entries)
Suspicious use of UnmapMainImage (1 IoC)
  pid 3524  Explorer.EXE
Suspicious use of WriteProcessMemory (24 IoCs)
  PID 5040 wrote to memory of 5032  786f7116b110303287aed5571dad3789_JaffaCakes118.exe -> RegSvcs.exe  (3 entries)
  PID 5040 wrote to memory of 3248  786f7116b110303287aed5571dad3789_JaffaCakes118.exe -> RegSvcs.exe  (3 entries)
  PID 5040 wrote to memory of 3400  786f7116b110303287aed5571dad3789_JaffaCakes118.exe -> RegSvcs.exe  (6 entries)
  PID 3524 wrote to memory of 3380  Explorer.EXE -> msdt.exe  (3 entries)
  PID 3380 wrote to memory of 1716  msdt.exe -> cmd.exe  (3 entries)
  PID 3380 wrote to memory of 2428  msdt.exe -> cmd.exe  (3 entries)
  PID 3380 wrote to memory of 4056  msdt.exe -> Firefox.exe  (3 entries)
Processes
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\786f7116b110303287aed5571dad3789_JaffaCakes118.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\786f7116b110303287aed5571dad3789_JaffaCakes118.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
          command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
          command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
          command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\msdt.exe
      command line: "C:\Windows\SysWOW64\msdt.exe"
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Drops file in Program Files directory
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe
          command line: /c del "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        C:\Windows\SysWOW64\cmd.exe
          command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
        C:\Program Files\Mozilla Firefox\Firefox.exe
          command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
  command line: C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3416,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=4312 /prefetch:8
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Temp\DB1
  Filesize: 46KB
  MD5: 8f5942354d3809f865f9767eddf51314
  SHA1: 20be11c0d42fc0cef53931ea9152b55082d1a11e
  SHA256: 776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea
  SHA512: fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218
C:\Users\Admin\AppData\Roaming\L-R5B4EQ\L-Rlogim.jpeg
  Filesize: 75KB
  MD5: efa55d1921d0c963ad33b10f8d3e8f2d
  SHA1: 3d26824d3d29cf8b2a90f4ba3dcd964c9cc29ab3
  SHA256: 66cb0948d6e46c00e31bbdad1948d1de95596d221091379fa3ada86e2b514a17
  SHA512: cde04bd58ec940cd590762540197279d8395562d3956e47effa767dfdab179671634d070c4910ff89cdea00d7273966ff5b1d74b6812f30ff54b7753f90c1986
C:\Users\Admin\AppData\Roaming\L-R5B4EQ\L-Rlogrf.ini
  Filesize: 40B
  MD5: 2f245469795b865bdd1b956c23d7893d
  SHA1: 6ad80b974d3808f5a20ea1e766c7d2f88b9e5895
  SHA256: 1662d01a2d47b875a34fc7a8cd92e78cb2ba7f34023c7fd2639cbb10b8d94361
  SHA512: 909f189846a5d2db208a5eb2e7cb3042c0f164caf437e2b1b6de608c0a70e4f3510b81b85753dbeec1e211e6a83e6ea8c96aff896e9b6e8ed42014473a54dc4f
C:\Users\Admin\AppData\Roaming\L-R5B4EQ\L-Rlogrg.ini
  Filesize: 38B
  MD5: 4aadf49fed30e4c9b3fe4a3dd6445ebe
  SHA1: 1e332822167c6f351b99615eada2c30a538ff037
  SHA256: 75034beb7bded9aeab5748f4592b9e1419256caec474065d43e531ec5cc21c56
  SHA512: eb5b3908d5e7b43ba02165e092f05578f45f15a148b4c3769036aa542c23a0f7cd2bc2770cf4119a7e437de3f681d9e398511f69f66824c516d9b451bb95f945
C:\Users\Admin\AppData\Roaming\L-R5B4EQ\L-Rlogri.ini
  Filesize: 40B
  MD5: d63a82e5d81e02e399090af26db0b9cb
  SHA1: 91d0014c8f54743bba141fd60c9d963f869d76c9
  SHA256: eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae
  SHA512: 38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad
C:\Users\Admin\AppData\Roaming\L-R5B4EQ\L-Rlogrv.ini
  Filesize: 872B
  MD5: bbc41c78bae6c71e63cb544a6a284d94
  SHA1: 33f2c1d9fa0e9c99b80bc2500621e95af38b1f9a
  SHA256: ee83c6bcea9353c74bfc0a7e739f3c4a765ace894470e09cdcdebba700b8d4cb
  SHA512: 0aea424b57adae3e14ad6491cab585f554b4dffe601b5a17bad6ee6177d2f0f995e419cde576e2d1782b9bddc0661aada11a2c9f1454ae625d9e3223635ec9f4
Memory dumps
memory/3380-24-0x00000000009A0000-0x00000000009F7000-memory.dmp  Filesize: 348KB
memory/3380-23-0x00000000009A0000-0x00000000009F7000-memory.dmp  Filesize: 348KB
memory/3400-15-0x0000000000400000-0x000000000042E000-memory.dmp  Filesize: 184KB
memory/3400-20-0x0000000000400000-0x000000000042E000-memory.dmp  Filesize: 184KB
memory/3400-21-0x0000000000D20000-0x0000000000D34000-memory.dmp  Filesize: 80KB
memory/3400-19-0x00000000012D0000-0x000000000161A000-memory.dmp  Filesize: 3.3MB
memory/3524-29-0x00000000085B0000-0x00000000086B4000-memory.dmp  Filesize: 1.0MB
memory/3524-26-0x0000000007FA0000-0x0000000008111000-memory.dmp  Filesize: 1.4MB
memory/3524-22-0x0000000007FA0000-0x0000000008111000-memory.dmp  Filesize: 1.4MB
memory/3848-7-0x00007FF842490000-0x00007FF842E31000-memory.dmp  Filesize: 9.6MB
memory/3848-9-0x00007FF842490000-0x00007FF842E31000-memory.dmp  Filesize: 9.6MB
memory/3848-3-0x00007FF842745000-0x00007FF842746000-memory.dmp  Filesize: 4KB
memory/3848-13-0x00007FF842490000-0x00007FF842E31000-memory.dmp  Filesize: 9.6MB
memory/3848-12-0x00007FF842745000-0x00007FF842746000-memory.dmp  Filesize: 4KB
memory/3848-4-0x00000000011F0000-0x0000000001210000-memory.dmp  Filesize: 128KB
memory/3848-5-0x00007FF842490000-0x00007FF842E31000-memory.dmp  Filesize: 9.6MB
memory/3848-6-0x000000001A930000-0x000000001AD04000-memory.dmp  Filesize: 3.8MB
memory/3848-8-0x000000001AFF0000-0x000000001B126000-memory.dmp  Filesize: 1.2MB
memory/5040-0-0x0000000075382000-0x0000000075383000-memory.dmp  Filesize: 4KB
memory/5040-17-0x0000000075380000-0x0000000075931000-memory.dmp  Filesize: 5.7MB
memory/5040-10-0x0000000075382000-0x0000000075383000-memory.dmp  Filesize: 4KB
memory/5040-11-0x0000000075380000-0x0000000075931000-memory.dmp  Filesize: 5.7MB
memory/5040-14-0x0000000001340000-0x0000000001350000-memory.dmp  Filesize: 64KB
memory/5040-2-0x0000000075380000-0x0000000075931000-memory.dmp  Filesize: 5.7MB
memory/5040-1-0x0000000075380000-0x0000000075931000-memory.dmp  Filesize: 5.7MB