Analysis
- max time kernel: 48s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20241023-en
- resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
- submitted: 31-10-2024 09:09
Static task: static1
Behavioral task: behavioral1
Sample: 8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe
Resource: win7-20241023-en
General
- Target: 8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe
- Size: 1.1MB
- MD5: 8293cfc29278bb798485c76761a79e84
- SHA1: 4afbbf0994bf0147c8238dc2b7602728201bdd83
- SHA256: f567b5072eeb0de2b0c5b921df391ff7ea75996450a39a9eb3202b3eeb33232f
- SHA512: 6e31a1738d94ec1a51497b67da05bc07aed569a7042ed4ab1ddcb295042db352c9500deeb2a7e7efe5be052bd7a7f700b133d4e50aeec25ba61114ee6b8d8a9b
- SSDEEP: 12288:WSNiWeZwuKkZbe5KJfD2VXmcjM1zz7bhnF5Y0NPM2yaUVKnp:mWeSdkxCjjMJz7bhnFm0NPoahp
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: obow
- C2 domains:
hinetin.net
narrativebusters.com
jesusmusicatl.com
mywellnessbooking.com
830272.com
mainrein.com
kajeoneworld.com
directaccesss.com
igsecretos.com
campbone.com
socialvidiots.com
abditrade.com
purisopropyl.com
opticalapparatus.com
staveoffboredom.com
evinja.com
onlinebusinesstoolselector.com
todayonly2.info
elitedesign-dz.com
zgszgw.com
tttinytown.com
ivoms.net
jeanniewllghby.com
pcloanusa.com
jtlmeals.com
armodilla.com
remboflowers.com
ausibwxy.icu
srlnd.com
bodurm.com
experiencegoatmilksoap.com
cofreex.com
hotchkissenergysolutions.com
mviillustrations.com
47mainard.com
jiazhengfu.com
kosurvival.com
shahsygs.com
wanfuzhumu.com
youcapturedmyheart.com
goonanna.com
desmoinesobituaries.com
wynnjackets.com
rejuviglowskinspa.com
mousou19.com
devendrahospital.site
wqi2.com
amanahcarsales.com
eita-schneidercn.com
78500949.xyz
gilbert-volkswagen.com
tmpbuilders.com
soulwaves.info
essentialvibeslv.com
kuren.company
pavooq.com
robuxsgenerator.xyz
teenwishes.com
hempallianceghana.com
kuselfinancial.business
theshellmafia.com
lendermall.com
teachexel.com
gamerightsmarket.com
papablogzzi.com
Signatures
-
Formbook family
-
Formbook payload 1 IoCs
Processes:
- Resource: behavioral1/memory/2588-25-0x0000000000400000-0x000000000042E000-memory.dmp; YARA rule: formbook
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
Processes:
- Key opened: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions (process: 8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe)
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
- PID 2848: powershell.exe
- PID 2712: powershell.exe
- PID 1948: powershell.exe
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
Processes:
- Key opened: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools (process: 8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe)
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: 8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: 8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe)
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (process: 8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (process: 8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe)
Suspicious use of SetThreadContext 1 IoCs
Processes:
- PID 2360 (8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe) set thread context of PID 2588; procid_target 41
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: powershell.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: powershell.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: schtasks.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: powershell.exe)
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
- PID 2848: powershell.exe
- PID 2712: powershell.exe
- PID 2360: 8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe (3 IoCs)
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
- Token: SeDebugPrivilege; PID 2848: powershell.exe
- Token: SeDebugPrivilege; PID 2712: powershell.exe
- Token: SeDebugPrivilege; PID 2360: 8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe
Suspicious use of WriteProcessMemory 27 IoCs
Processes:
Source process for every entry: PID 2360, 8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe
- PID 2360 wrote to memory of PID 2848; procid_target 31 (4 IoCs)
- PID 2360 wrote to memory of PID 2712; procid_target 34 (4 IoCs)
- PID 2360 wrote to memory of PID 2092; procid_target 36 (4 IoCs)
- PID 2360 wrote to memory of PID 1948; procid_target 38 (4 IoCs)
- PID 2360 wrote to memory of PID 1388; procid_target 40 (4 IoCs)
- PID 2360 wrote to memory of PID 2588; procid_target 41 (7 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe"
  PID: 2360
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe"
    PID: 2848
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\pEVQPWunBbZIyo.exe"
    PID: 2712
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pEVQPWunBbZIyo" /XML "C:\Users\Admin\AppData\Local\Temp\tmp87E5.tmp"
    PID: 2092
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\pEVQPWunBbZIyo.exe"
    PID: 1948
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe"
    PID: 1388
  - C:\Users\Admin\AppData\Local\Temp\8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe"
    PID: 2588
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads
- Filesize: 1KB
  MD5: c565b2067a61c3f0edb38e4a239ade24
  SHA1: e6ae7d9dcc9f91297f5e12c3dbe29b5e975a914f
  SHA256: a3abbedc23c40262ddf143b1275937801b19bd5ef089abdeed5713064277195b
  SHA512: 6870c445968ffac75b54ec872088edeffe31aaa8927cc41810903bad0e9c7c945cfd5a1ba5b574668300076fd4d07d2207d056c870dcd26f95fdee49c290f94e
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 24397e374490d1185f14834c98becf20
  SHA1: df2b6b9aeee4e9f284b3cf1427ce40887e1d818d
  SHA256: d6bc9899c6ac6bf3f68ea02cef9babbe5d3bc731fb5b1d2b4d1b7910202f351c
  SHA512: de07fb570895e184dcad543c9e35d1a47ae73bf05426f525dd7e75746fc6c3b5e60781cf63fceea181b431051912097e358464c5409b119b0c1711f89b12c612