Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
12-07-2024 03:33
Static task
static1
Behavioral task
behavioral1
Sample
3bd9315fa824d7f8351d858ca5c12629_JaffaCakes118.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
3bd9315fa824d7f8351d858ca5c12629_JaffaCakes118.exe
Resource
win10v2004-20240709-en
General
-
Target
3bd9315fa824d7f8351d858ca5c12629_JaffaCakes118.exe
-
Size
484KB
-
MD5
3bd9315fa824d7f8351d858ca5c12629
-
SHA1
a19b2e80a240452e4fe251a9299bd5d30b66d709
-
SHA256
20fd96b00deec9d95d0e251aa4c6885f85af415f8e776716399b4280ae8128f3
-
SHA512
6fc7405b19ae91a3ad96dc91918eb2e7c2da0e2265a79f17f096c8d2b348ede7df51e2d4a2db69e3bd5aba40ba94e52bf52b374de48c81e0566932983095b38d
-
SSDEEP
6144:Gbx0cXjCfjnhWQ+3HwOcc0WXJ4+5yk6kPFlom3iBX94AcGFCKrvvScZTHvxqVCHR:QOFPocc0WX64kmiqAcGXFZbAAt
Malware Config
Extracted
formbook
4.1
s3dy
ravlygte.info
marketnewsville.online
flooring-envy.com
flavourhouston.com
donghohanghieunam.com
globleitsolutions.com
digitalgraphicarts.com
cupidbeautybar.com
cannavybes.com
negative-dsp.com
littledali.com
meltwatersoftware.info
blackdogland.com
danasales.com
mississippiscorecard.com
mainesmoker.com
sirenxinlilzixun.com
tychehang.com
gentciu.com
weckloltd.com
posy-socks.com
smp2kroya.com
clientacceleratorchallenge.com
erlacollection.com
027tvs.com
thisdw.com
nonosmell-store.site
underadress.com
principal.properties
ministyles123.com
readtohappiness.com
roostercollection.com
veteransinfrastructureparks.com
theminiverse.com
auto-expresss.club
ciaokitchenandbath.com
sbsfresh.com
onesheart111.com
artofquiet.info
atecwtec.com
scars-finder.online
luckbaanasset.com
vegaguzmanstudio.com
destinedtowander.com
genesaloe.info
shirewindowcleaning.com
dwadawdf001.com
mividaurbana.com
outsiders.house
secondhandcare.club
1031exchangeintoreit.com
zenyoustore.com
bahissikayetvar.net
platforms.trade
dasmusstduhaben.com
frankplex.design
thesiblingsoiree.com
18sdsd.com
oneninelacrosse.com
hdsllawfirm.com
rawrequest.com
jetsetterlifestyle.luxury
karenmendell.com
aspydad.com
livelifevibrantcourse.com
Signatures
-
Formbook payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/2828-13-0x0000000000400000-0x000000000042E000-memory.dmp formbook -
Suspicious use of SetThreadContext 1 IoCs
Processes:
3bd9315fa824d7f8351d858ca5c12629_JaffaCakes118.exedescription pid process target process PID 1436 set thread context of 2828 1436 3bd9315fa824d7f8351d858ca5c12629_JaffaCakes118.exe 3bd9315fa824d7f8351d858ca5c12629_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
3bd9315fa824d7f8351d858ca5c12629_JaffaCakes118.exepid process 2828 3bd9315fa824d7f8351d858ca5c12629_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
3bd9315fa824d7f8351d858ca5c12629_JaffaCakes118.exedescription pid process target process PID 1436 wrote to memory of 2828 1436 3bd9315fa824d7f8351d858ca5c12629_JaffaCakes118.exe 3bd9315fa824d7f8351d858ca5c12629_JaffaCakes118.exe PID 1436 wrote to memory of 2828 1436 3bd9315fa824d7f8351d858ca5c12629_JaffaCakes118.exe 3bd9315fa824d7f8351d858ca5c12629_JaffaCakes118.exe PID 1436 wrote to memory of 2828 1436 3bd9315fa824d7f8351d858ca5c12629_JaffaCakes118.exe 3bd9315fa824d7f8351d858ca5c12629_JaffaCakes118.exe PID 1436 wrote to memory of 2828 1436 3bd9315fa824d7f8351d858ca5c12629_JaffaCakes118.exe 3bd9315fa824d7f8351d858ca5c12629_JaffaCakes118.exe PID 1436 wrote to memory of 2828 1436 3bd9315fa824d7f8351d858ca5c12629_JaffaCakes118.exe 3bd9315fa824d7f8351d858ca5c12629_JaffaCakes118.exe PID 1436 wrote to memory of 2828 1436 3bd9315fa824d7f8351d858ca5c12629_JaffaCakes118.exe 3bd9315fa824d7f8351d858ca5c12629_JaffaCakes118.exe PID 1436 wrote to memory of 2828 1436 3bd9315fa824d7f8351d858ca5c12629_JaffaCakes118.exe 3bd9315fa824d7f8351d858ca5c12629_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3bd9315fa824d7f8351d858ca5c12629_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3bd9315fa824d7f8351d858ca5c12629_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1436 -
C:\Users\Admin\AppData\Local\Temp\3bd9315fa824d7f8351d858ca5c12629_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3bd9315fa824d7f8351d858ca5c12629_JaffaCakes118.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2828