Analysis
- Max time kernel: 46s
- Max time network: 19s
- Platform: windows7_x64
- Resource: win7-20241010-en
- Resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- Submitted: 30-10-2024 12:22
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 7f315c83910b3a196c1fb30475e5101b_JaffaCakes118.exe
  - Resource: win7-20241010-en
General
- Target: 7f315c83910b3a196c1fb30475e5101b_JaffaCakes118.exe
- Size: 1.5MB
- MD5: 7f315c83910b3a196c1fb30475e5101b
- SHA1: 899b5855776737ee0115da31a5b58a4f89bf73a8
- SHA256: e759a4a906a9496f6b9f60b90e7ff49ef812090ce465108f08d32ac916e20cff
- SHA512: c5c4a374e0039f45171927e3f795ecde401dfb268110f4ddef3c0f5fb32c564e60cee8c5273fb95522394ed584438abcf1c99fb710e382ad9a2fd0239940f178
- SSDEEP: 12288:FtxQ6oDjffKbuNb9UnYqmDNBoj28w1f2wt1SdnUtk4yQ6H+Uy1Susr8MmH3ja:honayx9UnQDDY2P7tsdUtkAZZS5R0
Malware Config
- Extracted family: formbook
- Version: 4.1
- Campaign: m3n0
Signatures
- Formbook family
- Formbook payload (1 IoC)
  Processes:
    - resource: behavioral1/memory/2812-12-0x0000000000400000-0x000000000042E000-memory.dmp; yara_rule: formbook
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    - description: PID 2076 set thread context of 2812; pid: 2076; Process: 7f315c83910b3a196c1fb30475e5101b_JaffaCakes118.exe; procid_target: 30
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    - description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: 7f315c83910b3a196c1fb30475e5101b_JaffaCakes118.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    - pid: 2812; Process: 7f315c83910b3a196c1fb30475e5101b_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
    - description: PID 2076 wrote to memory of 2812; pid: 2076; Process: 7f315c83910b3a196c1fb30475e5101b_JaffaCakes118.exe; procid_target: 30 (this row is recorded seven times, one per IoC)
Processes
- C:\Users\Admin\AppData\Local\Temp\7f315c83910b3a196c1fb30475e5101b_JaffaCakes118.exe (PID 2076, tree level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7f315c83910b3a196c1fb30475e5101b_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\7f315c83910b3a196c1fb30475e5101b_JaffaCakes118.exe (PID 2812, tree level 2, child of PID 2076)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7f315c83910b3a196c1fb30475e5101b_JaffaCakes118.exe"
    - Suspicious behavior: EnumeratesProcesses