Analysis

max time kernel:   150s
max time network:  118s
platform:          windows7_x64
resource:          win7-20240903-en
resource tags:     arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted:         02-10-2024 09:11

Static task:       static1
Behavioral task:   behavioral1
Sample:            09ef9306539a1cd532d9985f3a2856a6_JaffaCakes118.exe
Resource:          win7-20240903-en
General

Target:   09ef9306539a1cd532d9985f3a2856a6_JaffaCakes118.exe
Size:     726KB
MD5:      09ef9306539a1cd532d9985f3a2856a6
SHA1:     3b2c26fff9fbdd0f44eb7d06400c7b0db5c2241b
SHA256:   9b47637ecdf8e69614cb8ab22f9bddc0cc1719eca7f6ae87b0e988b9fb1cfdce
SHA512:   e25d7ac4323e52ad13e9f9729f3a626f2d325d5990a0687fd1f59b87e06b9bca107c2fe5ac12c3a7c1dd92342c2b0887271f101dfd721f862b83de1048c5960b
SSDEEP:   12288:jXfpEdonTdVMYlCZ/PbrabB5wCeSS6l/r1HWW6uPh7zZh5:jXfpEdonTdu8a/PbrkB5wVSBl/r1HWWP
Malware Config

Extracted
    Family:    formbook
    Version:   3.8
    Campaign:  private
    C2 / decoy domains (65):
evilunderworldmall.com
davidovicmirko.com
incrediblechildrenscostume.com
langsgo.com
ibex-japan.com
findhotel.coupons
logo8536.com
meyerparkdental.com
digitaltoken.exchange
chatramuetaiwan.com
yulibao.net
michaelandcolaw.com
sapeur-hairfactory.net
louisianamodernsmiles.com
finleighelderton.com
knlwpaj.download
directorionacionaldesalud.com
sdasdfasdfasdf45.com
hefeihuli.com
woxa.ltd
daisymejia.com
performiles.win
eldrqs.online
becharrisbasketball.com
khsalon.com
simplysassygifts.com
mobilitiamoci.com
tfcmag.com
nordicfurnituregroup.online
quotelotus.com
arte-busca.com
gutsonmarketing.com
aaronlosty.com
underfood.com
puyuanfabu.com
mindybrowndc.com
looimail.com
envycustomdesigns.com
tienmanhtien.com
texaspetpantry.info
thelouzanperfumes.com
winboxs.com
hydragrc.com
6462644.info
e01k0m.info
xmzytx.com
ohnm3.info
carental-ltd.com
phonecasery.com
eavanmcsweeney.com
psflowers1.com
adaione.com
zrvhfc.top
edjamesphotography.com
aidanpawson.com
shoeonlinestores.com
cuibida.net
bebidasaltoimpacto.com
ordosglrl.com
palatine.house
thosedirected.com
printerpoqe.men
tistory2.com
365lafei.com
lossubway.com
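The list above is the domain set embedded in the sample's config. Formbook's config format mixes the operator's C2 with decoy domains and the bot sends traffic to the decoys as well, so a hit on any entry is evidence of a Formbook beacon without telling you which entry is live. The block below is an added example and not part of the report: it matches DNS and HTTP host observations against a subset of these domains at label boundaries, so that a subdomain of an IoC hits while a look-alike suffix does not. The log line format is an assumption made for the demonstration, and the log lines themselves are constructed.

```python
"""Match DNS and HTTP host observations against the domain list extracted
from this sample's Formbook config.

Added example, not part of the sandbox report.  IOC_DOMAINS is a subset of
the 65 domains listed under Malware Config; SAMPLE_LOG is constructed for
the demonstration and its format ("<ts> <src_ip> <dns|http> <name>") is
an assumption, not any real sensor's output.
"""

IOC_DOMAINS = [
    "evilunderworldmall.com",
    "knlwpaj.download",
    "digitaltoken.exchange",
    "woxa.ltd",
    "zrvhfc.top",
    "printerpoqe.men",
    "6462644.info",
]

# Constructed observations.  Lines 4 and 5 are deliberate near-misses.
SAMPLE_LOG = """\
2024-10-02T09:12:01Z 10.0.0.15 dns  www.evilunderworldmall.com
2024-10-02T09:12:02Z 10.0.0.15 http www.knlwpaj.download
2024-10-02T09:12:03Z 10.0.0.15 dns  digitaltoken.exchange.
2024-10-02T09:12:04Z 10.0.0.15 dns  notwoxa.ltd
2024-10-02T09:12:05Z 10.0.0.15 dns  woxa.ltd.evil.example
2024-10-02T09:12:06Z 10.0.0.15 dns  update.microsoft.com
"""


def normalize(name):
    """Lower-case and drop the trailing dot of an absolute DNS name."""
    return name.strip().lower().rstrip(".")


def build_matcher(domains):
    """Return match(name) -> the IoC domain it falls under, or None.

    A name matches if it is the IoC itself or a subdomain of it.  Walking
    label boundaries (not string suffixes) means notwoxa.ltd does not hit
    woxa.ltd, and an IoC appearing only as a left-hand label
    (woxa.ltd.evil.example) does not hit either.
    """
    iocs = {normalize(d) for d in domains}

    def match(name):
        labels = normalize(name).split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in iocs:
                return candidate
        return None

    return match


def scan(log_text, domains):
    """Return [(ts, src_ip, kind, observed_name, ioc)] for every hit."""
    match = build_matcher(domains)
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, kind, name = line.split(maxsplit=3)
        ioc = match(name)
        if ioc is not None:
            hits.append((ts, src, kind, normalize(name), ioc))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG, IOC_DOMAINS):
        print(*hit)
```

Swap IOC_DOMAINS for the full 65-entry list when using this against real resolver or proxy logs; expect some hits to be ordinary business sites, since Formbook chooses decoys that look legitimate.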
Signatures

Formbook payload (2 IoCs)
    resource                                                                      yara_rule
    behavioral1/memory/1924-5-0x00000000004E0000-0x000000000050A000-memory.dmp    formbook
    behavioral1/memory/1732-15-0x0000000000400000-0x000000000042A000-memory.dmp   formbook
    Both regions are 0x2A000 bytes. The payload is first unpacked inside the dropper (PID 1924) and then appears in RegAsm.exe (PID 1732) at 0x400000, the default image base of a 32-bit executable, consistent with the unpacked payload being written over the hollowed host.

Suspicious use of SetThreadContext (3 IoCs)
    description                           pid    Process                                              procid_target
    PID 1924 set thread context of 1732   1924   09ef9306539a1cd532d9985f3a2856a6_JaffaCakes118.exe   30
    PID 1732 set thread context of 1208   1732   RegAsm.exe                                           21
    PID 2884 set thread context of 1208   2884   raserver.exe                                         21
    (procid_target is the report's internal index of the target process, not a PID.) The first entry is the dropper redirecting the main thread of its own child RegAsm.exe, the hollowing step; the other two target Explorer.EXE (PID 1208), an already-running process that is not a child of either source.

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
    Attempts to gather information about the system language of the victim host in order to infer its geographical location.
    description   ioc                                                          Process
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  RegAsm.exe
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  raserver.exe
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  09ef9306539a1cd532d9985f3a2856a6_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses (34 IoCs)
    pid    Process                                              occurrences
    1924   09ef9306539a1cd532d9985f3a2856a6_JaffaCakes118.exe   2
    1732   RegAsm.exe                                           2
    2884   raserver.exe                                         30

Suspicious behavior: MapViewOfSection (5 IoCs)
    pid    Process        occurrences
    1732   RegAsm.exe     3
    2884   raserver.exe   2

Suspicious use of AdjustPrivilegeToken (3 IoCs)
    description               pid    Process
    Token: SeDebugPrivilege   1924   09ef9306539a1cd532d9985f3a2856a6_JaffaCakes118.exe
    Token: SeDebugPrivilege   1732   RegAsm.exe
    Token: SeDebugPrivilege   2884   raserver.exe
    Each of the three injecting processes enables SeDebugPrivilege, which lets a process open handles to other processes regardless of their ACLs.

Suspicious use of WriteProcessMemory (18 IoCs)
    description                        pid    Process                                              procid_target   occurrences
    PID 1924 wrote to memory of 1732   1924   09ef9306539a1cd532d9985f3a2856a6_JaffaCakes118.exe   30              10
    PID 1208 wrote to memory of 2884   1208   Explorer.EXE                                         61              4
    PID 2884 wrote to memory of 2684   2884   raserver.exe                                         62              4
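The WriteProcessMemory and SetThreadContext tables above describe the whole injection chain once they are read together with the process tree. The block below is an added example, not part of the report or of any sandbox's code: it takes the events and parent links transcribed from this report and labels each source/target pair, separating the hollowing of a freshly created child (write plus SetThreadContext into the source's own child) from the hijack of a thread in an already-running process, and flagging a bare parent-to-child write as inconclusive, since sandboxes log that for ordinary process creation too. The labels and rules are ours; the PIDs, events and tree are the report's.

```python
"""Rebuild the injection chain from the report's WriteProcessMemory and
SetThreadContext events.

Added example, not part of the sandbox report.  EVENTS, PARENT and IMAGE
are transcribed from this report's signature tables and process tree;
the verdict labels and the rules behind them are ours.
"""
from collections import OrderedDict

# (api, source_pid, target_pid) in report order; the report repeats
# identical WriteProcessMemory rows, which are collapsed here.
EVENTS = [
    ("WriteProcessMemory", 1924, 1732),
    ("SetThreadContext",   1924, 1732),
    ("SetThreadContext",   1732, 1208),
    ("WriteProcessMemory", 1208, 2884),
    ("SetThreadContext",   2884, 1208),
    ("WriteProcessMemory", 2884, 2684),
]

# child PID -> parent PID, from the Processes tree (Explorer.EXE is the root)
PARENT = {1924: 1208, 1732: 1924, 2884: 1208, 2684: 2884}

IMAGE = {
    1208: "Explorer.EXE",
    1924: "09ef9306539a1cd532d9985f3a2856a6_JaffaCakes118.exe",
    1732: "RegAsm.exe",
    2884: "raserver.exe",
    2684: "cmd.exe",
}

HOLLOW    = "process hollowing"            # write + SetThreadContext into own child
CTX_CHILD = "thread context set on own child (no write seen)"
HIJACK    = "thread hijack of a running process"   # SetThreadContext, target not a child
CHILD_WR  = "parent write to child"        # also logged for ordinary process creation
XWRITE    = "cross-process write"


def classify(events, parent):
    """Return an ordered {(source_pid, target_pid): label} map.

    A write followed by SetThreadContext into the source's own child is
    the hollowing pattern (create suspended, overwrite image, point the
    main thread at the payload, resume).  SetThreadContext into a process
    that is not the source's child means the source took over a thread of
    an already-running process.  A bare parent->child write is
    inconclusive: sandboxes log it for normal CreateProcess too.
    """
    wrote = {(s, d) for api, s, d in events if api == "WriteProcessMemory"}
    ctx = {(s, d) for api, s, d in events if api == "SetThreadContext"}
    verdict = OrderedDict()
    for _api, src, dst in events:
        pair = (src, dst)
        if pair in verdict:
            continue
        own_child = parent.get(dst) == src
        if pair in ctx and own_child:
            verdict[pair] = HOLLOW if pair in wrote else CTX_CHILD
        elif pair in ctx:
            verdict[pair] = HIJACK
        elif own_child:
            verdict[pair] = CHILD_WR
        else:
            verdict[pair] = XWRITE
    return verdict


def chain(verdict, image):
    """Render the verdicts as 'image(pid) --label--> image(pid)' lines."""
    return [f"{image.get(s, '?')}({s}) --{label}--> {image.get(d, '?')}({d})"
            for (s, d), label in verdict.items()]


if __name__ == "__main__":
    for line in chain(classify(EVENTS, PARENT), IMAGE):
        print(line)
```

Run against this report it yields one hollowing edge (dropper into RegAsm.exe), two hijack edges into Explorer.EXE, and two inconclusive parent writes (Explorer into raserver.exe, raserver.exe into cmd.exe). The same parent-child test is what an EDR rule needs: SetThreadContext on a process you did not just create is the signal, SetThreadContext on your own suspended child is hollowing, and WriteProcessMemory on its own is noise.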
Processes

C:\Windows\Explorer.EXE  (PID 1208)
    command line: C:\Windows\Explorer.EXE
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\09ef9306539a1cd532d9985f3a2856a6_JaffaCakes118.exe  (PID 1924)
        command line: "C:\Users\Admin\AppData\Local\Temp\09ef9306539a1cd532d9985f3a2856a6_JaffaCakes118.exe"
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe  (PID 1732)
            command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\autoconv.exe, 30 instances, each with command line "C:\Windows\SysWOW64\autoconv.exe" and no signatures:
        PIDs 1724, 2080, 2924, 2020, 2308, 2260, 780, 2288, 2736, 2768, 2732, 2776, 2832, 2836, 2856, 2900, 3068, 2780, 3060, 2860, 2820, 2756, 2760, 2096, 2916, 2744, 2912, 2800, 2336, 2892

    C:\Windows\SysWOW64\raserver.exe  (PID 2884)
        command line: "C:\Windows\SysWOW64\raserver.exe"
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe  (PID 2684)
            command line: /c del "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
            - System Location Discovery: System Language Discovery

Explorer.EXE (PID 1208) is the root of the tree because the sandbox starts the sample from the shell. The sample launches the 32-bit RegAsm.exe from the .NET 2.0 framework directory (Framework, not Framework64, matching the 32-bit address ranges of the payload dumps and the SysWOW64 binaries that follow) and hollows it; RegAsm.exe then sets Explorer's thread context. Explorer's remaining children are consistent with code running inside it after that point: Explorer itself is flagged for WriteProcessMemory into raserver.exe (PID 2884), raserver.exe sets Explorer's thread context again, and its cmd.exe child attempts to delete the RegAsm.exe host. The 30 autoconv.exe instances show no further behaviour.