Analysis Overview
SHA256
f786969468695b70b06cc87c4628d1c64888068a88007326376bfa977c887fe5
Threat Level: Known bad
The file 489a932f0f830c254f5985659d39c62e_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Formbook
Formbook payload
Checks computer location settings
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-15 06:28
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-15 06:28
Reported
2024-07-15 06:30
Platform
win7-20240708-en
Max time kernel
70s
Max time network
17s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3000 set thread context of 3068 | N/A | C:\Users\Admin\AppData\Local\Temp\489a932f0f830c254f5985659d39c62e_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\489a932f0f830c254f5985659d39c62e_JaffaCakes118.exe |
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\489a932f0f830c254f5985659d39c62e_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\489a932f0f830c254f5985659d39c62e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\489a932f0f830c254f5985659d39c62e_JaffaCakes118.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mwjzVbUGarqP" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9195.tmp"
C:\Users\Admin\AppData\Local\Temp\489a932f0f830c254f5985659d39c62e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\489a932f0f830c254f5985659d39c62e_JaffaCakes118.exe"
Network
Files
memory/3000-0-0x000000007499E000-0x000000007499F000-memory.dmp
memory/3000-1-0x00000000009C0000-0x0000000000AB6000-memory.dmp
memory/3000-2-0x00000000002B0000-0x00000000002BA000-memory.dmp
memory/3000-3-0x0000000074990000-0x000000007507E000-memory.dmp
memory/3000-4-0x000000007499E000-0x000000007499F000-memory.dmp
memory/3000-5-0x0000000074990000-0x000000007507E000-memory.dmp
memory/3000-6-0x00000000049C0000-0x0000000004A22000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp9195.tmp
| MD5 | 83e4d67b1787b1e5c2c0dc7377c38eea |
| SHA1 | cc90bcde8096056f059c2457cc2026c8aec8ce00 |
| SHA256 | e6a844cc7ee9a6ef6abad77bda21db87bdaba1521db6c69e0f655ba268cb3a69 |
| SHA512 | e45e225081c2fcd8f66c838c901e5e9fb3f695227f92f72b552c4dbc822fb4c1df95c34217c6959faff5037f2bb4aa29079877b93563735a44ad5a277da5c006 |
memory/3068-12-0x0000000000400000-0x000000000042E000-memory.dmp
memory/3068-16-0x0000000000400000-0x000000000042E000-memory.dmp
memory/3068-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/3068-13-0x0000000000400000-0x000000000042E000-memory.dmp
memory/3000-17-0x0000000074990000-0x000000007507E000-memory.dmp
memory/3068-18-0x0000000000AC0000-0x0000000000DC3000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-15 06:28
Reported
2024-07-15 06:30
Platform
win10v2004-20240709-en
Max time kernel
94s
Max time network
96s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\489a932f0f830c254f5985659d39c62e_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 472 set thread context of 3368 | N/A | C:\Users\Admin\AppData\Local\Temp\489a932f0f830c254f5985659d39c62e_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\489a932f0f830c254f5985659d39c62e_JaffaCakes118.exe |
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\489a932f0f830c254f5985659d39c62e_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\489a932f0f830c254f5985659d39c62e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\489a932f0f830c254f5985659d39c62e_JaffaCakes118.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mwjzVbUGarqP" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC1F3.tmp"
C:\Users\Admin\AppData\Local\Temp\489a932f0f830c254f5985659d39c62e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\489a932f0f830c254f5985659d39c62e_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\489a932f0f830c254f5985659d39c62e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\489a932f0f830c254f5985659d39c62e_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\489a932f0f830c254f5985659d39c62e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\489a932f0f830c254f5985659d39c62e_JaffaCakes118.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
memory/472-0-0x0000000074FDE000-0x0000000074FDF000-memory.dmp
memory/472-1-0x0000000000530000-0x0000000000626000-memory.dmp
memory/472-2-0x0000000005010000-0x00000000050AC000-memory.dmp
memory/472-3-0x0000000005660000-0x0000000005C04000-memory.dmp
memory/472-4-0x00000000050B0000-0x0000000005142000-memory.dmp
memory/472-6-0x00000000051B0000-0x0000000005206000-memory.dmp
memory/472-5-0x0000000004FE0000-0x0000000004FEA000-memory.dmp
memory/472-7-0x0000000074FD0000-0x0000000075780000-memory.dmp
memory/472-8-0x00000000053C0000-0x00000000053CA000-memory.dmp
memory/472-9-0x0000000074FDE000-0x0000000074FDF000-memory.dmp
memory/472-10-0x0000000074FD0000-0x0000000075780000-memory.dmp
memory/472-11-0x0000000000F50000-0x0000000000FB2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpC1F3.tmp
| MD5 | b80b97e2ab8bd34a7d23b7bc8eb22fb4 |
| SHA1 | be8dee108ac1349a641d228c583ad64e041c420a |
| SHA256 | 2d49dad9383e69e0eb799860a1477cf4c2b99e2583b9a30c9a36b3c745282adb |
| SHA512 | e3a1619c3d0b1f4780951d6a887efe02bf65245008aa31537f8b82cafc60e9ed4fc5746ca55f5389ac1865ae3f2b5b355d8f6b70964e524716aa8e6167e98ee1 |
memory/3368-17-0x0000000000400000-0x000000000042E000-memory.dmp
memory/472-19-0x0000000074FD0000-0x0000000075780000-memory.dmp
memory/3368-20-0x0000000001500000-0x000000000184A000-memory.dmp