Analysis

Max time kernel: 93s
Max time network: 144s
Platform: windows10-2004_x64
Resource: win10v2004-20240709-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 13-07-2024 07:42

Static task: static1
Behavioral task: behavioral1
Sample: 40c9b68553716171b9a74fa2785cb160_JaffaCakes118.exe
Resource: win7-20240704-en
General

Target: 40c9b68553716171b9a74fa2785cb160_JaffaCakes118.exe
Size: 809KB
MD5: 40c9b68553716171b9a74fa2785cb160
SHA1: 18ad06d12e92f1d7a61805d294bb2c5e048f3ec7
SHA256: 41f081bd505403ec94e9ad6cf6e496e5347482ee8cc64b7e2304ca52f286e236
SHA512: fe3c76659fd0f274ae08c7c9de3dc81b7c573c4ed6cd051d55adda59c426a548901282ac33ae5661c2dfb4d48aa12e9c1ffd32f0b79c0422de94cc0fd2a44a46
SSDEEP: 12288:aXBQSnZl+lZbAy/TYTXSjQlXkKuTLXF3ONP5nJyuEBwQrA6iQQR6PcvHQ9:aX18bHTcXSjQlUtXF3wKwQMP
Malware Config (extracted)

Family: formbook
Version: 4.1
Campaign: wgn
C2 domains:
kokokara-life-blog.com
faswear.com
futureleadershiptoday.com
date4done.xyz
thecouponinn.com
bbeycarpetsf.com
propolisnasalspray.com
jinjudiamond.com
goodevectors.com
nehyam.com
evalinkapuppets.com
what-if-statistics.com
rateofrisk.com
impacttestonlinne.com
servis-kaydet.info
coloniacafe.com
marcemarketing.com
aarigging.com
goddesswitchery.com
jasqblo.icu
ballotlocations.com
opulentredesign.com
nicolakwan.com
timcarecskh.online
albertaeatsfood.com
impactnwf.com
transportersolutions.com
jkfdjkdjkfjkddre.com
haslvapps.com
oakhazelnut.com
jazzyfans.net
uklcp.com
genericfreeemailservice.com
jettbay.com
utahcommunitynewsnetwork.com
vinos-online.com
lafatime.com
2438kingsland.com
groovepags.com
locationwhiz.com
edu1center.com
chronic-trauma.com
ytr.xyz
airconacademy-courses.com
gawafeqauibne.com
flowcedure.com
bwproskill.com
woodenbros.com
thesearsgroupnc.com
whoaminot.com
addvations.com
fatboidonuts.com
mobileworkforcevpn.net
offto.site
tehospedamos.com
nadinerae.com
betherightcandidate.com
ethosgov.com
cgbaran.com
xynewadmrykaa.com
socialdistancing.cool
kedalamsapi.com
hendifishing.online
geniusprosolutions.com
aftabzahur.com
Signatures

Formbook payload (1 IoC)
  resource: behavioral2/memory/2112-12-0x0000000000400000-0x000000000042E000-memory.dmp
  yara_rule: formbook

Suspicious use of SetThreadContext (1 IoC)
  description: PID 1540 set thread context of 2112
  pid: 1540
  process: 40c9b68553716171b9a74fa2785cb160_JaffaCakes118.exe
  target process: 40c9b68553716171b9a74fa2785cb160_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 2112  process 40c9b68553716171b9a74fa2785cb160_JaffaCakes118.exe
  pid 2112  process 40c9b68553716171b9a74fa2785cb160_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  Each of the six entries is identical:
  description: PID 1540 wrote to memory of 2112
  pid: 1540
  process: 40c9b68553716171b9a74fa2785cb160_JaffaCakes118.exe
  target process: 40c9b68553716171b9a74fa2785cb160_JaffaCakes118.exe
  (entry 1 of 6)
  (entry 2 of 6)
  (entry 3 of 6)
  (entry 4 of 6)
  (entry 5 of 6)
  (entry 6 of 6)
Processes

1. C:\Users\Admin\AppData\Local\Temp\40c9b68553716171b9a74fa2785cb160_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\40c9b68553716171b9a74fa2785cb160_JaffaCakes118.exe"
   PID: 1540
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. (child of PID 1540) C:\Users\Admin\AppData\Local\Temp\40c9b68553716171b9a74fa2785cb160_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\40c9b68553716171b9a74fa2785cb160_JaffaCakes118.exe"
      PID: 2112
      - Suspicious behavior: EnumeratesProcesses