Analysis

Max time kernel: 150s
Max time network: 155s
Platform: windows10-2004_x64
Resource: win10v2004-20240709-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 17-07-2024 13:16

Static task: static1
Behavioral task: behavioral1
Sample: 53245472a694f3ad439287727b6de6f1_JaffaCakes118.exe
Resource: win7-20240705-en
General

Target: 53245472a694f3ad439287727b6de6f1_JaffaCakes118.exe
Size: 243KB
MD5: 53245472a694f3ad439287727b6de6f1
SHA1: e91a72d96fdd5edd30364034d743293af0fc888e
SHA256: ea1c573cb646732f1c33cd0a4ce988e3c07e32d23ba8b69147904a9b86126e0e
SHA512: 829dff63a8d563451e5bb10e5e092cea73b65f06356462184ddddbd4ca028f56e3d377b8eaf45453170eeb4555697e2ab481a49c760b3b19fc18d5544795d555
SSDEEP: 3072:s4/x7UKhFLQQDxfTSEyaovphmd/h7u9q7vNkO0I7pOurg2f1o1BMwLk5nxpW:bx7UYLQQ9fTSAJu9q7eU1qXMwWxp
Malware Config

Extracted
Family: formbook
Version: 4.1
Campaign: c239
C2 domains (Formbook configs embed a list in which typically only one entry is the live C2 and the rest are decoys, so treat the list as a whole as the indicator for this campaign rather than every domain as a confirmed C2 host):
shareourjesus.com
lavictoriaesdetodos.com
helpfulproductions.com
waggonerplastics.com
skipouya.com
everyoneshoroscope.com
winterstokeview.com
gutsyhomemakers.com
redstatesdigital.com
themacmeliusshow.com
beautybarnantucket.com
wearetwo-a.com
thenutritionessentialist.com
tapsiwadhwa.com
jundicompany.net
gobocawest.com
woodking.space
elegantap.com
2ndoss.info
ebay1111.com
libloc.info
rembiu.com
myenterprisesdesk.com
advancedcaremedical.com
paintingservicespune.com
sz128129.com
projkles.com
hermonexgold.com
xn--1000-3ua.com
greatplainscoffeecraze.com
educoinxchange.com
elclubswinger.com
lacrimis.com
extendedsecurityservices.com
district9asda.com
weidianmc.com
richgladiator.com
babehou.com
fastoffer.house
ttxxremote.icu
naigves.com
kamalaharriswillneverbevp.com
programmerjobsnow.info
hezlee.com
zfstyz.com
weblovetn.xyz
comadison.com
bestpadelcourt.com
coviders19.com
takeandpressplay.com
mangajohosta.com
angelaahbzanderson.com
stanleywatches.com
studiobyshirls.com
cloudengineer360.com
heavenlybluepool.com
evargasdev.com
140b.xyz
michaelvancebromfield.com
emotionalgun.club
mocingbird.solutions
ace1inc.com
camwoobats.com
leadconverters.info
qatib.com
Signatures

Formbook payload (2 IoCs)
Processes:
  resource: behavioral2/memory/1004-2-0x00000000008F0000-0x000000000091F000-memory.dmp, yara_rule: formbook
  resource: behavioral2/memory/596-3-0x0000000000400000-0x000000000042E000-memory.dmp, yara_rule: formbook

Suspicious use of SetThreadContext (1 IoC)
Processes:
  PID 1004 (53245472a694f3ad439287727b6de6f1_JaffaCakes118.exe) set thread context of PID 596 (53245472a694f3ad439287727b6de6f1_JaffaCakes118.exe)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  PID 596 (53245472a694f3ad439287727b6de6f1_JaffaCakes118.exe), 2 occurrences

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  PID 1004 (53245472a694f3ad439287727b6de6f1_JaffaCakes118.exe) wrote to memory of PID 596 (53245472a694f3ad439287727b6de6f1_JaffaCakes118.exe), 6 occurrences
Processes

1. C:\Users\Admin\AppData\Local\Temp\53245472a694f3ad439287727b6de6f1_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\53245472a694f3ad439287727b6de6f1_JaffaCakes118.exe"
   PID: 1004
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\53245472a694f3ad439287727b6de6f1_JaffaCakes118.exe (child of PID 1004)
      Command line: "C:\Users\Admin\AppData\Local\Temp\53245472a694f3ad439287727b6de6f1_JaffaCakes118.exe"
      PID: 596
      - Suspicious behavior: EnumeratesProcesses
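The signatures and process tree above describe one chain: PID 1004 starts a second instance of the same executable (PID 596), writes into it six times and sets its thread context, and the Formbook YARA rule then matches a region of the child starting at 0x400000. As an added example (not part of the sandbox report or of any vendor tooling), the Python below turns those two observations into reusable checks: a parser for memory-dump names in the form this report uses, which reports the size of each matched region and whether it starts at the default 32-bit image base, and a detector for the same-image-child plus remote-write pattern, run over constructed Sysmon-style events that mirror PIDs 1004 and 596 here. The event records are hand-written, not captured logs; the field names and the GrantedAccess constants follow Sysmon EID 1/EID 10 and the Windows PROCESS_* rights, and the detector keys on the write rights the parent must request, since Sysmon does not log the SetThreadContext call itself.

```python
"""Triage helpers for the injection pattern in this report.

Added example, not part of the sandbox report or any vendor tooling.
- parse_dump_name() reads dump names in the form used in the report
  (<pid>-<seq>-0x<start>-0x<end>-memory.dmp) and reports the region size.
- find_self_injection() flags a process that spawns a copy of its own image and
  then opens that child with write rights, over constructed Sysmon-style events
  that mirror PIDs 1004 -> 596 in this report (hand-written, not captured logs).
"""
import re

# Windows PROCESS_* access rights as they appear in Sysmon EID 10 GrantedAccess.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
PROCESS_SUSPEND_RESUME = 0x0800
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Default image base of a 32-bit PE; used only as a heuristic flag on dump regions.
DEFAULT_IMAGE_BASE_X86 = 0x400000

DUMP_RE = re.compile(r"^(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump_name(path):
    """Return pid/seq/start/end/size for a dump name, or None if it does not match."""
    name = path.rsplit("/", 1)[-1]
    m = DUMP_RE.match(name)
    if not m:
        return None
    start, end = int(m.group(3), 16), int(m.group(4), 16)
    return {
        "pid": int(m.group(1)),
        "seq": int(m.group(2)),
        "start": start,
        "end": end,
        "size": end - start,
        "at_default_image_base": start == DEFAULT_IMAGE_BASE_X86,
    }


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\53245472a694f3ad439287727b6de6f1_JaffaCakes118.exe")

# Constructed events in time order; field names assumed to follow Sysmon EID 1 / EID 10.
# The parent PID of 1004 (4321, explorer.exe) is an assumption not given in the report.
EVENTS = [
    {"eid": 1, "pid": 1004, "ppid": 4321, "image": SAMPLE,
     "parent_image": r"C:\Windows\explorer.exe"},
    {"eid": 1, "pid": 596, "ppid": 1004, "image": SAMPLE, "parent_image": SAMPLE},
    {"eid": 10, "source_pid": 1004, "target_pid": 596,
     "granted": PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_SUSPEND_RESUME},
    # Benign read-only access to the same child must not trigger.
    {"eid": 10, "source_pid": 4321, "target_pid": 596,
     "granted": PROCESS_QUERY_LIMITED_INFORMATION},
]


def find_self_injection(events):
    """Return (parent_pid, child_pid) pairs: same-image child later opened for writing."""
    same_image_children = {}  # child pid -> parent pid
    hits = []
    need = PROCESS_VM_OPERATION | PROCESS_VM_WRITE
    for ev in events:
        if ev["eid"] == 1 and ev["image"].lower() == ev["parent_image"].lower():
            same_image_children[ev["pid"]] = ev["ppid"]
        elif ev["eid"] == 10:
            src, dst = ev["source_pid"], ev["target_pid"]
            if same_image_children.get(dst) == src and ev["granted"] & need == need:
                hits.append((src, dst))
    return hits


if __name__ == "__main__":
    for name in ("behavioral2/memory/1004-2-0x00000000008F0000-0x000000000091F000-memory.dmp",
                 "behavioral2/memory/596-3-0x0000000000400000-0x000000000042E000-memory.dmp"):
        print(parse_dump_name(name))
    print(find_self_injection(EVENTS))
```

On this report's dump names the parser gives a 0x2F000-byte region in the parent and a 0x2E000-byte region in the child that begins at 0x400000; a payload written by the parent into the child's default image base, followed by a thread-context change, is the shape of process hollowing, but only the report's own observations (the writes, the SetThreadContext call and the YARA matches) are asserted here. The same-image-child condition is deliberately narrow so it stays quiet on normal parent/child pairs; widen it to any child if the loader you are hunting targets a different host process.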