Analysis

max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 13-07-2024 08:57
Static task: static1
Behavioral task: behavioral1
Sample: 4105b6a32b90180cd3dfe3c359061f46_JaffaCakes118.exe
Resource: win7-20240705-en
General

Target: 4105b6a32b90180cd3dfe3c359061f46_JaffaCakes118.exe
Size: 956KB
MD5: 4105b6a32b90180cd3dfe3c359061f46
SHA1: ea131838d1e1ed495d75c76b956c790f071e002e
SHA256: 3f1f0dce8eb0b1a98912a8c08208c5d4425e013e20719aca1d14ca4924f841c6
SHA512: c7c039b347b1a1a0d63d3ab81a3024d7f7bd669325e341bf27d0b62960ddbd56f17b836e98d9cb78ce6feaaf1a7160d1613a4e57d634a712ee28a21683215bbb
SSDEEP: 12288:fO4jeQ5jsruJH+ReJqvqfLRXwK4+HNONnvsyl5RODp2K046Mnq0UnsO5lJkKzUva:2HXRYFphm9vFrPMOiPRVZIRfBiBk
Malware Config

Extracted
Family: formbook
Version: 4.1
Campaign: rf3t
Decoy domains:
palmettohomeswakulla.com
sorelleapparel.com
abouttohour.com
ogrownhemp.com
themontagnard.com
zarioch.space
lty712.info
ajdstone.com
600plusgymspa.com
schmitzland.com
luhuigw.com
mysafeplacetoinsure.com
barkpark.club
investigation-science.com
sermonartnotes.net
gorgeousflippinllc.com
smarttrendshop.com
markusjungfoto.com
glyzaelbol.info
thewiseowl.art
ladycigarclub.com
compasschick.com
xrk72.xyz
mynextversion.com
stresimer.com
bugitee.com
tofigaming.com
themokyoco.com
rickysinmiami.com
terashun-shop.com
istanbulartroskopi.xyz
sleekrevenge.com
linqlax.com
scenic-usa.com
catnapupuncture.com
ioqoqoquyi.xyz
romantictravels.love
skillfulscooptoseetoday.info
eatonmilano.com
fhaonlinehomes.com
jumpmine.com
economybevmachinery.com
stereodeluxemusic.com
652ch.com
ecnomi.com
eastvalleyloanofficer.com
naytor.online
mpteaminc.com
ghalerodkhan.com
rentalpixels.com
jerrysmunchies.com
jackohoeg.com
haroldbrandon.com
sipsongpanna.biz
gooddeats.com
dtdfamily.com
metaphilestudios.net
bgari.com
sarsukeiw.xyz
brunsbouw.net
myfilthy.com
mcnallynd.xyz
corridapromocao.com
nishiawakura-rain.info
logjed063.xyz
Signatures

Formbook payload (1 IoC)
Processes:
resource | yara_rule
behavioral1/memory/2876-17-0x0000000000400000-0x000000000042F000-memory.dmp | formbook

Suspicious use of SetThreadContext (1 IoC)
Processes:
description | pid | process | target process
PID 2360 set thread context of 2876 | 2360 | 4105b6a32b90180cd3dfe3c359061f46_JaffaCakes118.exe | 4105b6a32b90180cd3dfe3c359061f46_JaffaCakes118.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid | process
2360 | 4105b6a32b90180cd3dfe3c359061f46_JaffaCakes118.exe
2876 | 4105b6a32b90180cd3dfe3c359061f46_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description | pid | process
Token: SeDebugPrivilege | 2360 | 4105b6a32b90180cd3dfe3c359061f46_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
description | pid | process | target process
PID 2360 wrote to memory of 2736 | 2360 | 4105b6a32b90180cd3dfe3c359061f46_JaffaCakes118.exe | schtasks.exe
PID 2360 wrote to memory of 2736 | 2360 | 4105b6a32b90180cd3dfe3c359061f46_JaffaCakes118.exe | schtasks.exe
PID 2360 wrote to memory of 2736 | 2360 | 4105b6a32b90180cd3dfe3c359061f46_JaffaCakes118.exe | schtasks.exe
PID 2360 wrote to memory of 2736 | 2360 | 4105b6a32b90180cd3dfe3c359061f46_JaffaCakes118.exe | schtasks.exe
PID 2360 wrote to memory of 2876 | 2360 | 4105b6a32b90180cd3dfe3c359061f46_JaffaCakes118.exe | 4105b6a32b90180cd3dfe3c359061f46_JaffaCakes118.exe
PID 2360 wrote to memory of 2876 | 2360 | 4105b6a32b90180cd3dfe3c359061f46_JaffaCakes118.exe | 4105b6a32b90180cd3dfe3c359061f46_JaffaCakes118.exe
PID 2360 wrote to memory of 2876 | 2360 | 4105b6a32b90180cd3dfe3c359061f46_JaffaCakes118.exe | 4105b6a32b90180cd3dfe3c359061f46_JaffaCakes118.exe
PID 2360 wrote to memory of 2876 | 2360 | 4105b6a32b90180cd3dfe3c359061f46_JaffaCakes118.exe | 4105b6a32b90180cd3dfe3c359061f46_JaffaCakes118.exe
PID 2360 wrote to memory of 2876 | 2360 | 4105b6a32b90180cd3dfe3c359061f46_JaffaCakes118.exe | 4105b6a32b90180cd3dfe3c359061f46_JaffaCakes118.exe
PID 2360 wrote to memory of 2876 | 2360 | 4105b6a32b90180cd3dfe3c359061f46_JaffaCakes118.exe | 4105b6a32b90180cd3dfe3c359061f46_JaffaCakes118.exe
PID 2360 wrote to memory of 2876 | 2360 | 4105b6a32b90180cd3dfe3c359061f46_JaffaCakes118.exe | 4105b6a32b90180cd3dfe3c359061f46_JaffaCakes118.exe
Processes

C:\Users\Admin\AppData\Local\Temp\4105b6a32b90180cd3dfe3c359061f46_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4105b6a32b90180cd3dfe3c359061f46_JaffaCakes118.exe"
  PID: 2360
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe (depth 2, child of PID 2360)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\flmLrvYnTWalZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3AB0.tmp"
    PID: 2736
    - Scheduled Task/Job: Scheduled Task

  C:\Users\Admin\AppData\Local\Temp\4105b6a32b90180cd3dfe3c359061f46_JaffaCakes118.exe (depth 2, child of PID 2360)
    Command line: "{path}"
    PID: 2876
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 341d911cfd524334372de4597433ba84
SHA1: 12c761b75c8ad43f617b88f1c1f1cb05ec0256f9
SHA256: 6242174000e98b283f0de5d07da51cab1a7212fe6aaea1499765081683aad36a
SHA512: c9e60103093343958e01e3b78701aa701a2ec3e4ce9ce45a0fcaada4519640757201ad6910c27c576bbda7d24ae7745ed85bbece04f313aa29b7cfbc792f4ce9