Analysis
max time kernel: 120s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 13-12-2024 07:50
Static task: static1
Behavioral task: behavioral1
Sample: ea9f9fc409b8e70415b11bfcf37e09e1_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: ea9f9fc409b8e70415b11bfcf37e09e1_JaffaCakes118.exe
Size: 557KB
MD5: ea9f9fc409b8e70415b11bfcf37e09e1
SHA1: 13fe23e9334428c7898657f094db5cb234000ac6
SHA256: 43391d3abc411fd3198710c32127898396759f1372ee99fb3aea8efd8e50d086
SHA512: e1c78808853ed762730895295ec6e775287de98c4f797da134cc45315d9b3b67059f7e4b96ec9d6581f7545887b5cf566b12df9e894c657637601661edbd419f
SSDEEP: 12288:Ya2DLn2MOytQK+HUdA0Y56roAC+tgy/UbJs42AvTR9Tn2HW13A:ODq5ytQeSZaoW4xRJn2oA
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: z8bb
Signatures

Formbook family

Formbook payload (2 IoCs)
resource | yara_rule
behavioral1/memory/2220-12-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral1/memory/2220-15-0x00000000009E0000-0x0000000000CE3000-memory.dmp | formbook

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 2616 set thread context of 2220 | 2616 | ea9f9fc409b8e70415b11bfcf37e09e1_JaffaCakes118.exe | 31

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ea9f9fc409b8e70415b11bfcf37e09e1_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses (7 IoCs)
pid | Process
2616 | ea9f9fc409b8e70415b11bfcf37e09e1_JaffaCakes118.exe
2616 | ea9f9fc409b8e70415b11bfcf37e09e1_JaffaCakes118.exe
2616 | ea9f9fc409b8e70415b11bfcf37e09e1_JaffaCakes118.exe
2616 | ea9f9fc409b8e70415b11bfcf37e09e1_JaffaCakes118.exe
2616 | ea9f9fc409b8e70415b11bfcf37e09e1_JaffaCakes118.exe
2616 | ea9f9fc409b8e70415b11bfcf37e09e1_JaffaCakes118.exe
2220 | ea9f9fc409b8e70415b11bfcf37e09e1_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 2616 | ea9f9fc409b8e70415b11bfcf37e09e1_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description | pid | Process | procid_target
PID 2616 wrote to memory of 2220 | 2616 | ea9f9fc409b8e70415b11bfcf37e09e1_JaffaCakes118.exe | 31
PID 2616 wrote to memory of 2220 | 2616 | ea9f9fc409b8e70415b11bfcf37e09e1_JaffaCakes118.exe | 31
PID 2616 wrote to memory of 2220 | 2616 | ea9f9fc409b8e70415b11bfcf37e09e1_JaffaCakes118.exe | 31
PID 2616 wrote to memory of 2220 | 2616 | ea9f9fc409b8e70415b11bfcf37e09e1_JaffaCakes118.exe | 31
PID 2616 wrote to memory of 2220 | 2616 | ea9f9fc409b8e70415b11bfcf37e09e1_JaffaCakes118.exe | 31
PID 2616 wrote to memory of 2220 | 2616 | ea9f9fc409b8e70415b11bfcf37e09e1_JaffaCakes118.exe | 31
PID 2616 wrote to memory of 2220 | 2616 | ea9f9fc409b8e70415b11bfcf37e09e1_JaffaCakes118.exe | 31
Processes

1. C:\Users\Admin\AppData\Local\Temp\ea9f9fc409b8e70415b11bfcf37e09e1_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ea9f9fc409b8e70415b11bfcf37e09e1_JaffaCakes118.exe"
   PID: 2616
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\ea9f9fc409b8e70415b11bfcf37e09e1_JaffaCakes118.exe (child of PID 2616)
      Command line: "C:\Users\Admin\AppData\Local\Temp\ea9f9fc409b8e70415b11bfcf37e09e1_JaffaCakes118.exe"
      PID: 2220
      - Suspicious behavior: EnumeratesProcesses