Analysis
-
max time kernel
56s
-
max time network
104s
-
platform
windows10-2004_x64
-
resource
win10v2004-20241007-en
-
resource tags
arch:x64
arch:x86
image:win10v2004-20241007-en
locale:en-us
os:windows10-2004-x64
system
-
submitted
31-10-2024 09:09
Static task
static1
Behavioral task
behavioral1
Sample
8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe
Resource
win7-20241023-en
General
-
Target
8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe
-
Size
1.1MB
-
MD5
8293cfc29278bb798485c76761a79e84
-
SHA1
4afbbf0994bf0147c8238dc2b7602728201bdd83
-
SHA256
f567b5072eeb0de2b0c5b921df391ff7ea75996450a39a9eb3202b3eeb33232f
-
SHA512
6e31a1738d94ec1a51497b67da05bc07aed569a7042ed4ab1ddcb295042db352c9500deeb2a7e7efe5be052bd7a7f700b133d4e50aeec25ba61114ee6b8d8a9b
-
SSDEEP
12288:WSNiWeZwuKkZbe5KJfD2VXmcjM1zz7bhnF5Y0NPM2yaUVKnp:mWeSdkxCjjMJz7bhnFm0NPoahp
Malware Config
Extracted
formbook
4.1
obow
hinetin.net
narrativebusters.com
jesusmusicatl.com
mywellnessbooking.com
830272.com
mainrein.com
kajeoneworld.com
directaccesss.com
igsecretos.com
campbone.com
socialvidiots.com
abditrade.com
purisopropyl.com
opticalapparatus.com
staveoffboredom.com
evinja.com
onlinebusinesstoolselector.com
todayonly2.info
elitedesign-dz.com
zgszgw.com
tttinytown.com
ivoms.net
jeanniewllghby.com
pcloanusa.com
jtlmeals.com
armodilla.com
remboflowers.com
ausibwxy.icu
srlnd.com
bodurm.com
experiencegoatmilksoap.com
cofreex.com
hotchkissenergysolutions.com
mviillustrations.com
47mainard.com
jiazhengfu.com
kosurvival.com
shahsygs.com
wanfuzhumu.com
youcapturedmyheart.com
goonanna.com
desmoinesobituaries.com
wynnjackets.com
rejuviglowskinspa.com
mousou19.com
devendrahospital.site
wqi2.com
amanahcarsales.com
eita-schneidercn.com
78500949.xyz
gilbert-volkswagen.com
tmpbuilders.com
soulwaves.info
essentialvibeslv.com
kuren.company
pavooq.com
robuxsgenerator.xyz
teenwishes.com
hempallianceghana.com
kuselfinancial.business
theshellmafia.com
lendermall.com
teachexel.com
gamerightsmarket.com
papablogzzi.com
Signatures
-
Formbook family
-
Formbook payload 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4528-39-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
Processes:
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions | 8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Processes:
pid | Process
4488 | powershell.exe
3456 | powershell.exe
5060 | powershell.exe
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
Processes:
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools | 8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence check.
Processes:
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | 8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | Process | procid_target
PID 3836 set thread context of 4528 | 3836 | 8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe | 104
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
pid | Process
3456 | powershell.exe
3456 | powershell.exe
5060 | powershell.exe
3836 | 8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe
4528 | 8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe
4528 | 8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe
4488 | powershell.exe
5060 | powershell.exe
4488 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
description | pid | Process
Token: SeDebugPrivilege | 3456 | powershell.exe
Token: SeDebugPrivilege | 5060 | powershell.exe
Token: SeDebugPrivilege | 3836 | 8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe
Token: SeDebugPrivilege | 4488 | powershell.exe
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description | pid | Process | procid_target
PID 3836 wrote to memory of 3456 | 3836 | 8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe | 97
PID 3836 wrote to memory of 3456 | 3836 | 8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe | 97
PID 3836 wrote to memory of 3456 | 3836 | 8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe | 97
PID 3836 wrote to memory of 5060 | 3836 | 8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe | 99
PID 3836 wrote to memory of 5060 | 3836 | 8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe | 99
PID 3836 wrote to memory of 5060 | 3836 | 8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe | 99
PID 3836 wrote to memory of 3048 | 3836 | 8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe | 100
PID 3836 wrote to memory of 3048 | 3836 | 8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe | 100
PID 3836 wrote to memory of 3048 | 3836 | 8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe | 100
PID 3836 wrote to memory of 4488 | 3836 | 8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe | 103
PID 3836 wrote to memory of 4488 | 3836 | 8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe | 103
PID 3836 wrote to memory of 4488 | 3836 | 8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe | 103
PID 3836 wrote to memory of 4528 | 3836 | 8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe | 104
PID 3836 wrote to memory of 4528 | 3836 | 8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe | 104
PID 3836 wrote to memory of 4528 | 3836 | 8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe | 104
PID 3836 wrote to memory of 4528 | 3836 | 8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe | 104
PID 3836 wrote to memory of 4528 | 3836 | 8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe | 104
PID 3836 wrote to memory of 4528 | 3836 | 8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe | 104
Processes
-
Process (depth 1): C:\Users\Admin\AppData\Local\Temp\8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe"
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3836 -
Process (depth 2): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe"
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3456
-
-
Process (depth 2): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\pEVQPWunBbZIyo.exe"
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5060
-
-
Process (depth 2): C:\Windows\SysWOW64\schtasks.exe
Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pEVQPWunBbZIyo" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5BD7.tmp"
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3048
-
-
Process (depth 2): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\pEVQPWunBbZIyo.exe"
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4488
-
-
Process (depth 2): C:\Users\Admin\AppData\Local\Temp\8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe"
- Suspicious behavior: EnumeratesProcesses
PID:4528
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter (1)
PowerShell (1)
Scheduled Task/Job (1)
Scheduled Task (1)
Downloads
-
Filesize
2KB
MD5
968cb9309758126772781b83adb8a28f
SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
18KB
MD5
826d57db2b1e45af1659aa751df381a6
SHA1
a908e6c50348c5d8a052c16f1637f7d3459b05c1
SHA256
c17e59e273293559b3938a519c848dd266aac56a4695a0b6f9c89940f2fd860e
SHA512
ed150febb0046ea4848f8375ba7d17952b7803614b2b85ec71ffaae1c3090c28f25e1a585be50f7ca509c9a556897f09945de0b4138ccd14e070e0a0dc23a88f
-
Filesize
18KB
MD5
dd2c5e9fa6eb866a111658dfb562fd2d
SHA1
ebae7c32a6d59168cca1ed9ef7a5615744c4c20f
SHA256
47e5444f891717a9c90e694b325561f9a6b59951a2a9a02592404eb76c50f6e7
SHA512
fea08f2b75d9f9e624f291164a7837df64e51c56780f834dff54e2f0dbd586350789601f03e135a46e62d5b069f8b9f199f6dfc26e78660f4959b2fde020b845
-
Filesize
60B
MD5
d17fe0a3f47be24a6453e9ef58c94641
SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD5
f0a10a9a27b08db4e35abd3aa8ba33c3
SHA1
c05277b5a61b9a680842fcfb2f5be119b8dc9a37
SHA256
fc053e648ca998c2d225889bd6d8779b179685b23e8b7627cab7d4902872cd38
SHA512
c1a0748de07ab607476ff5282c90e4ff6ef222475c27026246f0a2d33151aa8f7ea59f81851c88ccbb882c63bc7a2b0ced1a79d0b7782f89b6c41dcb6c66c24d