Analysis

max time kernel: 148s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-07-2024 08:57

Static task: static1
Behavioral task: behavioral1
Sample: 4105b6a32b90180cd3dfe3c359061f46_JaffaCakes118.exe
Resource: win7-20240705-en
General

Target: 4105b6a32b90180cd3dfe3c359061f46_JaffaCakes118.exe
Size: 956KB
MD5: 4105b6a32b90180cd3dfe3c359061f46
SHA1: ea131838d1e1ed495d75c76b956c790f071e002e
SHA256: 3f1f0dce8eb0b1a98912a8c08208c5d4425e013e20719aca1d14ca4924f841c6
SHA512: c7c039b347b1a1a0d63d3ab81a3024d7f7bd669325e341bf27d0b62960ddbd56f17b836e98d9cb78ce6feaaf1a7160d1613a4e57d634a712ee28a21683215bbb
SSDEEP: 12288:fO4jeQ5jsruJH+ReJqvqfLRXwK4+HNONnvsyl5RODp2K046Mnq0UnsO5lJkKzUva:2HXRYFphm9vFrPMOiPRVZIRfBiBk
Malware Config

Extracted
Family: formbook
Version: 4.1
Campaign: rf3t
C2:
palmettohomeswakulla.com
sorelleapparel.com
abouttohour.com
ogrownhemp.com
themontagnard.com
zarioch.space
lty712.info
ajdstone.com
600plusgymspa.com
schmitzland.com
luhuigw.com
mysafeplacetoinsure.com
barkpark.club
investigation-science.com
sermonartnotes.net
gorgeousflippinllc.com
smarttrendshop.com
markusjungfoto.com
glyzaelbol.info
thewiseowl.art
ladycigarclub.com
compasschick.com
xrk72.xyz
mynextversion.com
stresimer.com
bugitee.com
tofigaming.com
themokyoco.com
rickysinmiami.com
terashun-shop.com
istanbulartroskopi.xyz
sleekrevenge.com
linqlax.com
scenic-usa.com
catnapupuncture.com
ioqoqoquyi.xyz
romantictravels.love
skillfulscooptoseetoday.info
eatonmilano.com
fhaonlinehomes.com
jumpmine.com
economybevmachinery.com
stereodeluxemusic.com
652ch.com
ecnomi.com
eastvalleyloanofficer.com
naytor.online
mpteaminc.com
ghalerodkhan.com
rentalpixels.com
jerrysmunchies.com
jackohoeg.com
haroldbrandon.com
sipsongpanna.biz
gooddeats.com
dtdfamily.com
metaphilestudios.net
bgari.com
sarsukeiw.xyz
brunsbouw.net
myfilthy.com
mcnallynd.xyz
corridapromocao.com
nishiawakura-rain.info
logjed063.xyz
Signatures

Formbook payload    1 IoCs
  resource: behavioral2/memory/1896-17-0x0000000000400000-0x000000000042F000-memory.dmp
  yara_rule: formbook

Checks computer location settings    2 TTPs    1 IoCs
  Looks up the country code configured in the registry, likely a geofence.
  process: 4105b6a32b90180cd3dfe3c359061f46_JaffaCakes118.exe
  ioc: Key value queried \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation

Suspicious use of SetThreadContext    1 IoCs
  PID 1272 (4105b6a32b90180cd3dfe3c359061f46_JaffaCakes118.exe) set thread context of PID 1896 (4105b6a32b90180cd3dfe3c359061f46_JaffaCakes118.exe)

Enumerates physical storage devices    1 TTPs
  Attempts to interact with connected storage/optical drive(s).

Scheduled Task/Job: Scheduled Task    1 TTPs    1 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses    7 IoCs
  PID 1272 4105b6a32b90180cd3dfe3c359061f46_JaffaCakes118.exe (5 events)
  PID 1896 4105b6a32b90180cd3dfe3c359061f46_JaffaCakes118.exe (2 events)

Suspicious use of AdjustPrivilegeToken    1 IoCs
  PID 1272 4105b6a32b90180cd3dfe3c359061f46_JaffaCakes118.exe: Token SeDebugPrivilege

Suspicious use of WriteProcessMemory    15 IoCs
  PID 1272 4105b6a32b90180cd3dfe3c359061f46_JaffaCakes118.exe wrote to memory of PID 1556 schtasks.exe (3 events)
  PID 1272 4105b6a32b90180cd3dfe3c359061f46_JaffaCakes118.exe wrote to memory of PID 436 4105b6a32b90180cd3dfe3c359061f46_JaffaCakes118.exe (3 events)
  PID 1272 4105b6a32b90180cd3dfe3c359061f46_JaffaCakes118.exe wrote to memory of PID 2924 4105b6a32b90180cd3dfe3c359061f46_JaffaCakes118.exe (3 events)
  PID 1272 4105b6a32b90180cd3dfe3c359061f46_JaffaCakes118.exe wrote to memory of PID 1896 4105b6a32b90180cd3dfe3c359061f46_JaffaCakes118.exe (6 events)
Processes

C:\Users\Admin\AppData\Local\Temp\4105b6a32b90180cd3dfe3c359061f46_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\4105b6a32b90180cd3dfe3c359061f46_JaffaCakes118.exe"
  PID: 1272
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\flmLrvYnTWalZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF368.tmp"
    PID: 1556
    - Scheduled Task/Job: Scheduled Task

  C:\Users\Admin\AppData\Local\Temp\4105b6a32b90180cd3dfe3c359061f46_JaffaCakes118.exe
    command line: "{path}"
    PID: 436

  C:\Users\Admin\AppData\Local\Temp\4105b6a32b90180cd3dfe3c359061f46_JaffaCakes118.exe
    command line: "{path}"
    PID: 2924

  C:\Users\Admin\AppData\Local\Temp\4105b6a32b90180cd3dfe3c359061f46_JaffaCakes118.exe
    command line: "{path}"
    PID: 1896
    - Suspicious behavior: EnumeratesProcesses
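Added example, not code from the sandbox, the sample, or the report: a small Python triage helper that re-derives the three behaviours the report flags (the Geo\Nation registry query, the schtasks /Create with an XML file under the user's Temp directory, and the WriteProcessMemory followed by SetThreadContext into a child with the same image) from a list of event records. The EVENTS list is constructed from the PIDs, images and command lines printed above; the record layout and the function names are assumptions made for this example and are not the sandbox's own schema.

```python
import re
from collections import defaultdict

# Constructed from the report's IoCs (PIDs, images, command lines); the record
# shape below is a hypothetical simplification, not the sandbox's own schema.
EXE = r"C:\Users\Admin\AppData\Local\Temp\4105b6a32b90180cd3dfe3c359061f46_JaffaCakes118.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
GEO_KEY = (r"\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000"
           r"\Control Panel\International\Geo\Nation")
TASK_CMD = (r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\flmLrvYnTWalZ" '
            r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpF368.tmp"')

EVENTS = [
    {"op": "create", "pid": 1272, "ppid": 0, "image": EXE, "cmdline": '"' + EXE + '"'},
    {"op": "reg_query", "pid": 1272, "key": GEO_KEY},
    {"op": "create", "pid": 1556, "ppid": 1272, "image": SCHTASKS, "cmdline": TASK_CMD},
    {"op": "write_memory", "pid": 1272, "target": 1556},
    {"op": "create", "pid": 436, "ppid": 1272, "image": EXE, "cmdline": "{path}"},
    {"op": "write_memory", "pid": 1272, "target": 436},
    {"op": "create", "pid": 2924, "ppid": 1272, "image": EXE, "cmdline": "{path}"},
    {"op": "write_memory", "pid": 1272, "target": 2924},
    {"op": "create", "pid": 1896, "ppid": 1272, "image": EXE, "cmdline": "{path}"},
    {"op": "write_memory", "pid": 1272, "target": 1896},
    {"op": "set_thread_context", "pid": 1272, "target": 1896},
]

GEO_SUFFIX = r"\control panel\international\geo\nation"
TN_RE = re.compile(r'/TN\s+"([^"]+)"', re.IGNORECASE)
XML_RE = re.compile(r'/XML\s+"([^"]+)"', re.IGNORECASE)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def find_geofence_checks(events):
    """PIDs that read the Geo\\Nation value (the report's 'location settings' signature)."""
    return [e["pid"] for e in events
            if e["op"] == "reg_query" and e["key"].lower().endswith(GEO_SUFFIX)]


def find_temp_scheduled_tasks(events):
    """schtasks /Create runs whose task XML lives under %LOCALAPPDATA%\\Temp."""
    hits = []
    for e in events:
        if e["op"] != "create" or not e["image"].lower().endswith("schtasks.exe"):
            continue
        xml = XML_RE.search(e["cmdline"])
        if not re.search(r"/Create\b", e["cmdline"], re.IGNORECASE) or not xml:
            continue
        if TEMP_RE.search(xml.group(1)):
            tn = TN_RE.search(e["cmdline"])
            hits.append({"pid": e["pid"], "parent": e["ppid"],
                         "task": tn.group(1) if tn else None, "xml": xml.group(1)})
    return hits


def find_hollowed_children(events):
    """Children that match the hollowing shape the report records for PID 1896:
    same image as the parent, memory written by the parent, then SetThreadContext
    from the parent.  Children that only received writes (436, 2924) are not reported."""
    image = {e["pid"]: e["image"] for e in events if e["op"] == "create"}
    parent = {e["pid"]: e["ppid"] for e in events if e["op"] == "create"}
    written = defaultdict(set)
    for e in events:
        if e["op"] == "write_memory":
            written[e["pid"]].add(e["target"])
    hollowed = []
    for e in events:
        if e["op"] != "set_thread_context":
            continue
        src, dst = e["pid"], e["target"]
        if parent.get(dst) == src and image.get(dst) == image.get(src) and dst in written[src]:
            hollowed.append(dst)
    return hollowed


def triage(events):
    """Bundle the three checks into one verdict dict."""
    return {
        "geofence_pids": find_geofence_checks(events),
        "temp_tasks": find_temp_scheduled_tasks(events),
        "hollowed_pids": find_hollowed_children(events),
    }


if __name__ == "__main__":
    for key, value in triage(EVENTS).items():
        print(f"{key}: {value}")
```

Run against the constructed events, only PID 1896 satisfies all three hollowing conditions, which is what the report shows: 436 and 2924 received WriteProcessMemory calls but no SetThreadContext, and the Formbook YARA match is on the 1896 memory dump. The schtasks image path is C:\Windows\SysWOW64\schtasks.exe although the command line names System32; that is WoW64 file-system redirection of a 32-bit parent, consistent with the 0x00400000 image base of the dumped region.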
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: c42a60f6bd6e5fcb220a8864cea53ce6
SHA1: 29215c8925b758f45199ffcfc099b360a4c1a7d5
SHA256: 03987d2ca1693199fd018683256abb0669a441af23f57545302ddc8b60b24bc9
SHA512: cdb1c44e9dd8a2006bba99caaa73aa89a493ccf2aac90ab6dd48f8ea5b7b9df005d89b271515f6b8f923f64d9e8b997fe680cc6fede265031f4cb82048c1e65b