Analysis
max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted
04-12-2024 08:08
Static task
static1
Behavioral task
behavioral1
Sample
c1a1574f79de1b92dff600b93af4fb2e_JaffaCakes118.exe
Resource
win7-20240903-en
General
Target
c1a1574f79de1b92dff600b93af4fb2e_JaffaCakes118.exe
Size
788KB
MD5
c1a1574f79de1b92dff600b93af4fb2e
SHA1
fe900346d226cbd124005a96aaa30bab08da74fa
SHA256
5c35f2a71144607479cd3b69fad16d64f6714f36de7e380139d36ad74a29675b
SHA512
316afa911f4c9da7b520b82ce3843f5437a846568034249233b84f50dbf3f722460e281b9271ad592f3c577ec2c67b03533fc34fc39742bdb124f4bd96eb284d
SSDEEP
24576:ZzVvQ+qZALi2Mtv/qLyWcpIw2DUhcSuGsf:ZzVvpqZALgoObplWUhcSuG+
Malware Config
Extracted
formbook
4.1
vd9n
theunwrappedcollective.com
seckj-ic.com
tyresandover.com
thetrophyworld.com
fonggrconstruction.com
hopiproject.com
sktitle.com
charlotteobscurer.com
qjuhe.com
girlzglitter.com
createmylawn.com
hempcbgpill.com
zzdfdzkj.com
shreehariessential.com
226sm.com
getcupscall.com
neuralviolin.com
sanskaar.life
xn--fhqrm54yyukopc.com
togetherx4fantasy5star.today
buyonlinesaree.com
percyshandman.site
hatchethangout.com
rugpat.com
zen-gizmo.com
vipmomali.com
lacerasavall.cat
aqueouso.com
mkolgems.com
sevenhundredseventysix.fund
fotografhannaneret.com
mitravy.com
bmtrans.net
linterpreting.com
izquay.com
sawaturkey.com
marche-maman.com
eemygf.com
animenovel.com
travelssimply.com
montecitobutterfly.com
volebahis.com
daniela.red
ramseyedk12.com
leyterealestate.info
patriotstrong.net
vkgcrew.com
nadhiradeebaazkiya.online
hotelcarre.com
myfabulouscollection.com
stellantis-luxury-rent.com
hn2020.xyz
emilyscopes.com
lotosouq.com
lovecord.date
stconstant.online
volkite-culverin.net
allwaysautism.com
sheisnatashasimone.com
sepantaceram.com
ishopgrady.com
lifestorycard.com
sexybbwavailable.website
domainbaycapital.com
constructioncleanup.pro
Signatures
Formbook family
Formbook payload 3 IoCs
Processes:
resource                                                                     yara_rule
behavioral2/memory/3508-18-0x0000000000400000-0x000000000042E000-memory.dmp  formbook
behavioral2/memory/3508-23-0x0000000000400000-0x000000000042E000-memory.dmp  formbook
behavioral2/memory/3508-27-0x0000000000400000-0x000000000042E000-memory.dmp  formbook
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description        ioc                                                                                                Process
Key value queried  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation  c1a1574f79de1b92dff600b93af4fb2e_JaffaCakes118.exe
Suspicious use of SetThreadContext 4 IoCs
Processes:
description                          pid   Process                                             procid_target
PID 3380 set thread context of 3508  3380  c1a1574f79de1b92dff600b93af4fb2e_JaffaCakes118.exe  93
PID 3508 set thread context of 3432  3508  RegSvcs.exe                                         56
PID 3508 set thread context of 3432  3508  RegSvcs.exe                                         56
PID 3660 set thread context of 3432  3660  cmmon32.exe                                         56
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description  ioc                                                           Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  c1a1574f79de1b92dff600b93af4fb2e_JaffaCakes118.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmmon32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 42 IoCs
Processes:
pid   Process
3508  RegSvcs.exe  (6 identical entries)
3660  cmmon32.exe  (36 identical entries)
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
pid   Process
3508  RegSvcs.exe
3508  RegSvcs.exe
3508  RegSvcs.exe
3508  RegSvcs.exe
3660  cmmon32.exe
3660  cmmon32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description              pid   Process
Token: SeDebugPrivilege  3508  RegSvcs.exe
Token: SeDebugPrivilege  3660  cmmon32.exe
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
description                        pid   Process                                             procid_target
PID 3380 wrote to memory of 3024   3380  c1a1574f79de1b92dff600b93af4fb2e_JaffaCakes118.exe  91
PID 3380 wrote to memory of 3024   3380  c1a1574f79de1b92dff600b93af4fb2e_JaffaCakes118.exe  91
PID 3380 wrote to memory of 3024   3380  c1a1574f79de1b92dff600b93af4fb2e_JaffaCakes118.exe  91
PID 3380 wrote to memory of 3508   3380  c1a1574f79de1b92dff600b93af4fb2e_JaffaCakes118.exe  93
PID 3380 wrote to memory of 3508   3380  c1a1574f79de1b92dff600b93af4fb2e_JaffaCakes118.exe  93
PID 3380 wrote to memory of 3508   3380  c1a1574f79de1b92dff600b93af4fb2e_JaffaCakes118.exe  93
PID 3380 wrote to memory of 3508   3380  c1a1574f79de1b92dff600b93af4fb2e_JaffaCakes118.exe  93
PID 3380 wrote to memory of 3508   3380  c1a1574f79de1b92dff600b93af4fb2e_JaffaCakes118.exe  93
PID 3380 wrote to memory of 3508   3380  c1a1574f79de1b92dff600b93af4fb2e_JaffaCakes118.exe  93
PID 3432 wrote to memory of 3660   3432  Explorer.EXE                                        94
PID 3432 wrote to memory of 3660   3432  Explorer.EXE                                        94
PID 3432 wrote to memory of 3660   3432  Explorer.EXE                                        94
PID 3660 wrote to memory of 5104   3660  cmmon32.exe                                         95
PID 3660 wrote to memory of 5104   3660  cmmon32.exe                                         95
PID 3660 wrote to memory of 5104   3660  cmmon32.exe                                         95
Processes
C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    PID: 3432
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\c1a1574f79de1b92dff600b93af4fb2e_JaffaCakes118.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\c1a1574f79de1b92dff600b93af4fb2e_JaffaCakes118.exe"
        PID: 3380
        - Checks computer location settings
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\schtasks.exe
            Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sqswrvwVUHAy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6EF1.tmp"
            PID: 3024
            - System Location Discovery: System Language Discovery
            - Scheduled Task/Job: Scheduled Task
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            PID: 3508
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\cmmon32.exe
        Command line: "C:\Windows\SysWOW64\cmmon32.exe"
        PID: 3660
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe
            Command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            PID: 5104
            - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
1KB
MD5
b5f744a652742d2f585490d61a704dd8
SHA1
7b9742b08d883e176c5ff7dcbda32fa0e9be9281
SHA256
75dd80e8dd63354f9fa6abe58eaef9e26f62548c7a3dc596f1903d7f556b71af
SHA512
2ca66af3101520de0b566c9441d553250aaf5beb7868bb0d62575fdb11900808f528dbb922af948a19e1636ede31c16e6c96d4652fd802b616712f325e3248f6