Analysis
max time kernel: 146s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 04-12-2024 08:08
Static task: static1
Behavioral task: behavioral1
Sample: c1a1574f79de1b92dff600b93af4fb2e_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: c1a1574f79de1b92dff600b93af4fb2e_JaffaCakes118.exe
Size: 788KB
MD5: c1a1574f79de1b92dff600b93af4fb2e
SHA1: fe900346d226cbd124005a96aaa30bab08da74fa
SHA256: 5c35f2a71144607479cd3b69fad16d64f6714f36de7e380139d36ad74a29675b
SHA512: 316afa911f4c9da7b520b82ce3843f5437a846568034249233b84f50dbf3f722460e281b9271ad592f3c577ec2c67b03533fc34fc39742bdb124f4bd96eb284d
SSDEEP: 24576:ZzVvQ+qZALi2Mtv/qLyWcpIw2DUhcSuGsf:ZzVvpqZALgoObplWUhcSuG+
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: vd9n
Domains (Formbook embeds one live C2 among a list of decoys and beacons to decoys as well, so treat the list as a whole as an indicator rather than blocking each entry as a confirmed C2):
theunwrappedcollective.com
seckj-ic.com
tyresandover.com
thetrophyworld.com
fonggrconstruction.com
hopiproject.com
sktitle.com
charlotteobscurer.com
qjuhe.com
girlzglitter.com
createmylawn.com
hempcbgpill.com
zzdfdzkj.com
shreehariessential.com
226sm.com
getcupscall.com
neuralviolin.com
sanskaar.life
xn--fhqrm54yyukopc.com
togetherx4fantasy5star.today
buyonlinesaree.com
percyshandman.site
hatchethangout.com
rugpat.com
zen-gizmo.com
vipmomali.com
lacerasavall.cat
aqueouso.com
mkolgems.com
sevenhundredseventysix.fund
fotografhannaneret.com
mitravy.com
bmtrans.net
linterpreting.com
izquay.com
sawaturkey.com
marche-maman.com
eemygf.com
animenovel.com
travelssimply.com
montecitobutterfly.com
volebahis.com
daniela.red
ramseyedk12.com
leyterealestate.info
patriotstrong.net
vkgcrew.com
nadhiradeebaazkiya.online
hotelcarre.com
myfabulouscollection.com
stellantis-luxury-rent.com
hn2020.xyz
emilyscopes.com
lotosouq.com
lovecord.date
stconstant.online
volkite-culverin.net
allwaysautism.com
sheisnatashasimone.com
sepantaceram.com
ishopgrady.com
lifestorycard.com
sexybbwavailable.website
domainbaycapital.com
constructioncleanup.pro
Signatures
Formbook family
Formbook payload 3 IoCs
  resource | yara_rule
  behavioral1/memory/1980-19-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
  behavioral1/memory/1980-23-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
  behavioral1/memory/1980-27-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
  (all three dumps come from PID 1980, RegSvcs.exe, at its image range 0x400000-0x42E000, i.e. the hollowed host rather than the dropper)
Suspicious use of SetThreadContext 4 IoCs
  description | pid | Process | procid_target
  PID 2320 set thread context of 1980 | 2320 | c1a1574f79de1b92dff600b93af4fb2e_JaffaCakes118.exe | 32
  PID 1980 set thread context of 1216 | 1980 | RegSvcs.exe | 21
  PID 1980 set thread context of 1216 | 1980 | RegSvcs.exe | 21
  PID 1656 set thread context of 1216 | 1656 | chkdsk.exe | 21
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c1a1574f79de1b92dff600b93af4fb2e_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | chkdsk.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Enumerates system info in registry 2 TTPs 1 IoCs
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | chkdsk.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 22 IoCs
  pid | Process
  1980 | RegSvcs.exe (3 entries)
  1656 | chkdsk.exe (19 entries)
Suspicious behavior: MapViewOfSection 6 IoCs
  pid | Process
  1980 | RegSvcs.exe (4 entries)
  1656 | chkdsk.exe (2 entries)
Suspicious use of AdjustPrivilegeToken 2 IoCs
  description | pid | Process
  Token: SeDebugPrivilege | 1980 | RegSvcs.exe
  Token: SeDebugPrivilege | 1656 | chkdsk.exe
Suspicious use of WriteProcessMemory 22 IoCs
  description | pid | Process | procid_target
  PID 2320 wrote to memory of 2516 | 2320 | c1a1574f79de1b92dff600b93af4fb2e_JaffaCakes118.exe | 30 (4 entries)
  PID 2320 wrote to memory of 1980 | 2320 | c1a1574f79de1b92dff600b93af4fb2e_JaffaCakes118.exe | 32 (10 entries)
  PID 1216 wrote to memory of 1656 | 1216 | Explorer.EXE | 34 (4 entries)
  PID 1656 wrote to memory of 2588 | 1656 | chkdsk.exe | 35 (4 entries)
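The SetThreadContext and WriteProcessMemory tables, read together with the process tree, distinguish a hollowed child (the source both wrote into a process it created and redirected that process's thread) from an injection into an already running process (SetThreadContext on a process the source did not create), and they let the cmd.exe that runs the cleanup be attributed back to the sample through explorer.exe and RegSvcs.exe. The following Python is an added example and is not part of the Triage report or of the sample; the rows and the process tree are copied by hand from this page with repeated rows dropped, and the verdict labels ("hollowing", "thread-hijack" and so on) and the walk-back rule are this example's own conventions.

```python
import re
from collections import defaultdict

# Process tree copied by hand from the report's "Processes" section: pid -> (image, parent pid).
PROCESS_TREE = {
    1216: ("Explorer.EXE", None),
    2320: ("c1a1574f79de1b92dff600b93af4fb2e_JaffaCakes118.exe", 1216),
    2516: ("schtasks.exe", 2320),
    1980: ("RegSvcs.exe", 2320),
    376:  ("autoconv.exe", 1216),
    1656: ("chkdsk.exe", 1216),
    2588: ("cmd.exe", 1656),
}

# Rows copied from the SetThreadContext and WriteProcessMemory tables in report order,
# repeated rows dropped. Triage column order: description, pid, Process, procid_target.
EVENT_ROWS = """\
PID 2320 set thread context of 1980 2320 c1a1574f79de1b92dff600b93af4fb2e_JaffaCakes118.exe 32
PID 1980 set thread context of 1216 1980 RegSvcs.exe 21
PID 1656 set thread context of 1216 1656 chkdsk.exe 21
PID 2320 wrote to memory of 2516 2320 c1a1574f79de1b92dff600b93af4fb2e_JaffaCakes118.exe 30
PID 2320 wrote to memory of 1980 2320 c1a1574f79de1b92dff600b93af4fb2e_JaffaCakes118.exe 32
PID 1216 wrote to memory of 1656 1216 Explorer.EXE 34
PID 1656 wrote to memory of 2588 1656 chkdsk.exe 35
"""

ROW_RE = re.compile(r"PID (\d+) (set thread context of|wrote to memory of) (\d+) \d+ \S+ \d+")


def parse_events(text):
    """Return [(src_pid, action, dst_pid)] in report order; action is 'ctx' or 'write'."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            act = "ctx" if m.group(2).startswith("set") else "write"
            events.append((int(m.group(1)), act, int(m.group(3))))
    return events


def _is_child(tree, src, dst):
    return tree.get(dst, (None, None))[1] == src


def classify_pairs(events, tree):
    """Label every (src, dst) pair by what src did to dst and whether src created dst."""
    actions = defaultdict(set)
    for src, act, dst in events:
        actions[(src, dst)].add(act)
    verdicts = {}
    for (src, dst), acts in actions.items():
        if acts == {"ctx", "write"} and _is_child(tree, src, dst):
            verdicts[(src, dst)] = "hollowing"        # wrote the child's memory, then pointed its thread at it
        elif "ctx" in acts:
            verdicts[(src, dst)] = "thread-hijack"    # SetThreadContext on a process src did not create
        elif _is_child(tree, src, dst):
            verdicts[(src, dst)] = "spawn-write"      # parent writing into its own new child: routine for CreateProcess
        else:
            verdicts[(src, dst)] = "remote-write"     # write into a foreign process, thread left alone
    # A parent->child write stops being routine once the parent itself holds injected code.
    injected = {dst for (src, dst), v in verdicts.items() if v in ("hollowing", "thread-hijack")}
    for (src, dst), v in list(verdicts.items()):
        if v == "spawn-write" and src in injected:
            verdicts[(src, dst)] = "injected-parent-spawn"
    return verdicts


def trace_origin(pid, events, tree):
    """Walk back from pid to the process that ultimately placed code in it.

    At each step prefer the earliest not-yet-seen process that set pid's thread
    context; otherwise fall back to the parent. Stops at the root or on a cycle.
    """
    chain, seen = [pid], {pid}
    while True:
        cur = chain[-1]
        injectors = [s for s, act, d in events if act == "ctx" and d == cur and s not in seen]
        nxt = injectors[0] if injectors else tree.get(cur, (None, None))[1]
        if nxt is None or nxt in seen:
            return chain
        chain.append(nxt)
        seen.add(nxt)


def describe_chain(chain, tree):
    return " <- ".join(f"{tree[p][0]}({p})" for p in chain)


if __name__ == "__main__":
    evs = parse_events(EVENT_ROWS)
    for (src, dst), verdict in classify_pairs(evs, PROCESS_TREE).items():
        print(f"{verdict:22} {describe_chain([dst, src], PROCESS_TREE)}")
    # Attribute the cleanup cmd.exe back to the sample through explorer.exe and RegSvcs.exe.
    print(describe_chain(trace_origin(2588, evs, PROCESS_TREE), PROCESS_TREE))
```

The walk from PID 2588 yields cmd.exe(2588) <- chkdsk.exe(1656) <- Explorer.EXE(1216) <- RegSvcs.exe(1980) <- c1a1574f79de1b92dff600b93af4fb2e_JaffaCakes118.exe(2320): the system binaries in the tree are attributable to the sample only through the injection edges, which is why SetThreadContext events, not parent-child links alone, must be kept in the graph.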
Processes
C:\Windows\Explorer.EXE (PID 1216)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\c1a1574f79de1b92dff600b93af4fb2e_JaffaCakes118.exe (PID 2320)
    command line: "C:\Users\Admin\AppData\Local\Temp\c1a1574f79de1b92dff600b93af4fb2e_JaffaCakes118.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe (PID 2516)
      command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sqswrvwVUHAy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2868.tmp"
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 1980)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\autoconv.exe (PID 376)
    command line: "C:\Windows\SysWOW64\autoconv.exe"
  C:\Windows\SysWOW64\chkdsk.exe (PID 1656)
    command line: "C:\Windows\SysWOW64\chkdsk.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 2588)
      command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      - System Location Discovery: System Language Discovery
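Three behaviours in the process tree can be hunted for from command lines alone: a scheduled task registered with /XML from a file in the user's Temp directory, a .NET host (RegSvcs.exe) and a system utility (chkdsk.exe) started with an empty argument list, and a cmd.exe /c del that targets a file under C:\Windows (here the path of the hollowed host, not of the dropper in Temp). The Python below is an added example and is not from the report; the command lines are copied from this page, the HOLLOW_HOSTS watchlist is a hypothetical one chosen for the example, and the ATT&CK IDs are the standard technique IDs for scheduled tasks, file deletion and process hollowing.

```python
import re
from pathlib import PureWindowsPath

# (image, command line) pairs copied by hand from the report's process tree.
TREE = [
    ("C:\\Windows\\SysWOW64\\schtasks.exe",
     '"C:\\Windows\\System32\\schtasks.exe" /Create /TN "Updates\\sqswrvwVUHAy" '
     '/XML "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp2868.tmp"'),
    ("C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe",
     '"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe"'),
    ("C:\\Windows\\SysWOW64\\chkdsk.exe", '"C:\\Windows\\SysWOW64\\chkdsk.exe"'),
    ("C:\\Windows\\SysWOW64\\cmd.exe",
     '/c del "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe"'),
]

# Hypothetical watchlist: signed binaries commonly started suspended and hollowed.
HOLLOW_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe",
                "chkdsk.exe", "autoconv.exe"}
USER_TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)


def _switch_value(args, switch):
    """Value after a schtasks-style switch such as /TN or /XML, quoted or bare; None if absent."""
    m = re.search(re.escape(switch) + r'\s+(?:"([^"]+)"|(\S+))', args, re.I)
    return (m.group(1) or m.group(2)) if m else None


def _args_after_image(image, cmdline):
    """Drop argv[0] when it names the image; the cmd.exe row in the report carries no argv[0]."""
    m = re.match(r'\s*(?:"([^"]*)"|(\S+))\s*(.*)', cmdline, re.S)
    if not m:
        return cmdline.strip()
    head = m.group(1) or m.group(2) or ""
    if PureWindowsPath(head).name.lower() == PureWindowsPath(image).name.lower():
        return m.group(3).strip()
    return cmdline.strip()


def triage_cmdline(image, cmdline):
    """Return [(attack_id, detail)] for the behaviours this tree exhibits."""
    name = PureWindowsPath(image).name.lower()
    args = _args_after_image(image, cmdline)
    findings = []
    # Persistence: task created from an XML definition that lives in the user's Temp directory.
    if name == "schtasks.exe" and re.search(r"/create\b", args, re.I):
        tn, xml = _switch_value(args, "/TN"), _switch_value(args, "/XML")
        if xml and USER_TEMP_RE.search(xml):
            findings.append(("T1053.005",
                             f"task '{tn}' registered from an XML definition in the user's temp directory: {xml}"))
    # Cleanup: cmd.exe deleting a file, flagged harder when the target sits under C:\Windows.
    if name == "cmd.exe":
        m = re.search(r'\bdel\b\s+(?:"([^"]+)"|(\S+))', args, re.I)
        if m:
            target = m.group(1) or m.group(2)
            where = "a file under C:\\Windows" if target.lower().startswith("c:\\windows\\") else "a file"
            findings.append(("T1070.004", f"cmd.exe deletes {where}: {target}"))
    # Hollow host: a watchlisted binary launched with nothing on its command line.
    if name in HOLLOW_HOSTS and not args:
        findings.append(("T1055.012", f"{name} started with an empty argument list, as a hollowed host would be"))
    return findings


def triage_tree(tree):
    """Run triage_cmdline over every process and tag each finding with the image name."""
    return [(PureWindowsPath(img).name, f) for img, cl in tree for f in triage_cmdline(img, cl)]


if __name__ == "__main__":
    for proc, (tid, detail) in triage_tree(TREE):
        print(f"{proc:12} {tid:10} {detail}")
```

On a live Windows 7 host the registered task is inspected with `schtasks /Query /TN "Updates\sqswrvwVUHAy" /XML`; tmp2868.tmp was only the input to /Create, so check the task store rather than relying on the Temp file still being present.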
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: adec5f38ace367820bc5fd911abd2b29
SHA1: 5edc70fae9920f58ea93dd629291796939bd4a48
SHA256: 6322c039992598c908685bf5b18d1b1acc2bbdc19eff7aed667dc92790f8c34b
SHA512: 14bfebceb32b468878859bfaa4b2a666fab326e68281e772846e6ec224a00ec611c61bdc82f586edd7ed6dba8d6992fa51647360b81083c2ad46e18b32aad403