Analysis

max time kernel: 149s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 17-12-2024 22:57
Static task: static1
Behavioral task: behavioral1
Sample: f92d115c8a7e6a38aade6aad038c49dd_JaffaCakes118.exe
Resource: win7-20240903-en
General

Target: f92d115c8a7e6a38aade6aad038c49dd_JaffaCakes118.exe
Size: 734KB
MD5: f92d115c8a7e6a38aade6aad038c49dd
SHA1: 81aed899b36ca58821b3c7b06ea56a0e8942a433
SHA256: 003516e2f71004adc351d3d03f41c642c5f56f9ea1ac4d3369ec51550e69e0f1
SHA512: f2d643ca42490584364dda4610aedb21a7f872f09cdddb9aef43117a61c296f67128314df532ca9360fcb88435ee4e985634c72e29a6767c33b378eefcc1755e
SSDEEP: 12288:5N+NSn2iNeHK7zatLJ8FebazVp5VKhsA1dsGlnVIaVr3ySCp1W9+RP:5NMk1b2l4ebaHnKv3sqIaVr4I+
Malware Config

Extracted
Family: formbook
Version: 4.1
Campaign: xgmi

C2 domains (64). Formbook configurations mix a small number of live C2 domains with many decoys, and the sandbox does not tell them apart, so treat every entry below as a candidate indicator to hunt for, not as confirmed infrastructure:
ivouty.icu
bgilroy.com
dgden.com
grosse-schware.com
mandos.tech
deedv.com
the724lab.com
dulcepicor.com
cupsandkids.com
albertafutsal.com
ponthierandson.com
tiendaewin.com
200garden.com
f9753.com
cognitivehearingspecialist.com
pikypets.com
dimestorecowgirlscompany.com
reefervannetwork.com
umf2.com
yoniwater.com
everypottery.com
fedcoinconverter.com
bahisevarmisin.com
psm-gen.com
poweredbymoffitt.com
inbalitz.com
xjrfl.net
newski.info
advertisewithkhia.com
mygloryicon.com
virtual-hub.site
ibrahimkhalifullah.info
tommyohagan.com
sqlnasnuvens.com
saltmarsh.farm
blunetbilisim.xyz
zubat5.xyz
imxiaoanag.club
jahnanshajahan.com
bigdippergift.com
taviegroup.com
xn--h1asdr2a.xn--p1acf
reyexotics.com
themuslimlifecoach.com
performaedu.com
kystores.com
exileakira-ralphscoffee-a.com
enviegal.com
hediyeetbeni.com
weilbaron.com
littlebagsofsunshine.com
reves-rever.info
matchpointents.com
financialfreedom4families.com
stoplamont.com
mrtacobell.com
neatandrocks.com
tridentpeople.com
myblucare.com
easzybreath.info
discountwheelauto.com
poolsnation.com
fletex.express
goodteattirerebates.com
hotbootcampboca.com
Signatures

Formbook family

Formbook payload (2 IoCs)
  resource  yara_rule
  behavioral1/memory/1488-30-0x0000000000400000-0x000000000042E000-memory.dmp  formbook
  behavioral1/memory/1772-34-0x00000000000D0000-0x00000000000FE000-memory.dmp  formbook
  The rule matched in the memory dumps of the two injected hosts, RegSvcs.exe (PID 1488) and raserver.exe (PID 1772); that is where the unpacked payload should be carved from.
Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
  description  ioc  Process
  Key opened  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions  f92d115c8a7e6a38aade6aad038c49dd_JaffaCakes118.exe

Command and Scripting Interpreter: PowerShell (1 TTP, 3 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  pid  Process
  2848  powershell.exe
  2624  powershell.exe
  824  powershell.exe

Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
  description  ioc  Process
  Key opened  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools  f92d115c8a7e6a38aade6aad038c49dd_JaffaCakes118.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandbox environments.
  description  ioc  Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  f92d115c8a7e6a38aade6aad038c49dd_JaffaCakes118.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  f92d115c8a7e6a38aade6aad038c49dd_JaffaCakes118.exe

Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandbox environments.
  description  ioc  Process
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  f92d115c8a7e6a38aade6aad038c49dd_JaffaCakes118.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  f92d115c8a7e6a38aade6aad038c49dd_JaffaCakes118.exe
Suspicious use of SetThreadContext (3 IoCs)
  description  pid  Process  procid_target
  PID 2384 set thread context of 1488  2384  f92d115c8a7e6a38aade6aad038c49dd_JaffaCakes118.exe  40
  PID 1488 set thread context of 1192  1488  RegSvcs.exe  21
  PID 1772 set thread context of 1192  1772  raserver.exe  21
  The target PID is in the description; procid_target (40, 21) is the report's internal process index, not a Windows PID. Read together with the WriteProcessMemory events, this is the injection chain: the dropper (2384) hollows RegSvcs.exe (1488), RegSvcs.exe then targets Explorer.EXE (1192), and raserver.exe (1772), which Explorer.EXE spawned, targets Explorer.EXE again.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc  Process
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  raserver.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f92d115c8a7e6a38aade6aad038c49dd_JaffaCakes118.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Every process in the tree, including cmd.exe and schtasks.exe, opens this key, which is consistent with routine locale initialisation rather than a deliberate check; do not weight this signature on its own.
Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  schtasks is often used by malware for persistence or to perform post-infection execution.
  pid  Process
  2664  schtasks.exe
Suspicious behavior: EnumeratesProcesses (26 IoCs; repeated events collapsed, count in parentheses)
  pid  Process
  2848  powershell.exe
  2624  powershell.exe
  824  powershell.exe
  1488  RegSvcs.exe  (x2)
  1772  raserver.exe  (x21)

Suspicious behavior: MapViewOfSection (5 IoCs)
  pid  Process
  1488  RegSvcs.exe  (x3)
  1772  raserver.exe  (x2)

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description  pid  Process
  Token: SeDebugPrivilege  2848  powershell.exe
  Token: SeDebugPrivilege  2624  powershell.exe
  Token: SeDebugPrivilege  824  powershell.exe
  Token: SeDebugPrivilege  1488  RegSvcs.exe
  Token: SeDebugPrivilege  1772  raserver.exe
Suspicious use of WriteProcessMemory (34 IoCs; repeated events collapsed, count in parentheses)
  description  pid  Process  procid_target
  PID 2384 wrote to memory of 2848  2384  f92d115c8a7e6a38aade6aad038c49dd_JaffaCakes118.exe  31  (x4)
  PID 2384 wrote to memory of 2624  2384  f92d115c8a7e6a38aade6aad038c49dd_JaffaCakes118.exe  34  (x4)
  PID 2384 wrote to memory of 2664  2384  f92d115c8a7e6a38aade6aad038c49dd_JaffaCakes118.exe  35  (x4)
  PID 2384 wrote to memory of 824  2384  f92d115c8a7e6a38aade6aad038c49dd_JaffaCakes118.exe  38  (x4)
  PID 2384 wrote to memory of 1488  2384  f92d115c8a7e6a38aade6aad038c49dd_JaffaCakes118.exe  40  (x10)
  PID 1192 wrote to memory of 1772  1192  Explorer.EXE  41  (x4)
  PID 1772 wrote to memory of 1120  1772  raserver.exe  42  (x4)
  The groups of four writes accompany ordinary process creation; the same pattern appears for the powershell.exe and schtasks.exe children. The ten writes into RegSvcs.exe (1488), followed by SetThreadContext on the same PID, are what mark it as the hollowed host.
Processes

C:\Windows\Explorer.EXE  (PID 1192, level 1)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\f92d115c8a7e6a38aade6aad038c49dd_JaffaCakes118.exe  (PID 2384, level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\f92d115c8a7e6a38aade6aad038c49dd_JaffaCakes118.exe"
    - Looks for VirtualBox Guest Additions in registry
    - Looks for VMWare Tools registry key
    - Checks BIOS information in registry
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2848, level 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\f92d115c8a7e6a38aade6aad038c49dd_JaffaCakes118.exe"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2624, level 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XmlcHWnTkL.exe"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\schtasks.exe  (PID 2664, level 3)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XmlcHWnTkL" /XML "C:\Users\Admin\AppData\Local\Temp\tmp55FC.tmp"
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 824, level 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XmlcHWnTkL.exe"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  (PID 1488, level 3)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\raserver.exe  (PID 1772, level 2)
    Command line: "C:\Windows\SysWOW64\raserver.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 1120, level 3)
      Command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      - System Location Discovery: System Language Discovery

Points to check from this tree. The command lines name C:\Windows\System32\... but the images that actually ran are under SysWOW64; that is WoW64 file-system redirection, so the dropper (2384) is a 32-bit process. Defender exclusions are requested for the dropper itself and twice for C:\Users\Admin\AppData\Roaming\XmlcHWnTkL.exe, and the scheduled task Updates\XmlcHWnTkL is registered from an XML file in Temp (tmp55FC.tmp), so that Roaming path is the persisted copy to collect. The Defender cmdlets (Add-MpPreference) are not shipped with Windows 7, so on this image the three PowerShell calls cannot have taken effect; their presence is still the indicator, and on Windows 10 and later the same commands succeed when the dropper runs elevated. RegSvcs.exe is launched with no arguments, is written to ten times and has its thread context set by the dropper, and is one of the two processes in which the Formbook YARA rule fired; the last cmd.exe, spawned by raserver.exe, attempts to delete that RegSvcs.exe path.
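The behaviours in this tree (Defender exclusions via Add-MpPreference, a scheduled task registered from an XML file, a .NET host binary started with no arguments by a process in a user-writable directory, and a cmd.exe that deletes that host's path) are straightforward to pull out of process-creation telemetry once the events are correlated with each other. The Python below is an added example, not part of the sandbox report or of the sample: it rebuilds the report's process tree as constructed events (PIDs, images and command lines as shown above, plus one benign PowerShell event as a control) and runs a handful of rules over it. The ProcEvent type, the rule names, the HOLLOW_HOSTS list and the user-writable-path heuristic are this example's own assumptions, not any product's schema.

```python
"""Added example (not from the sandbox report): correlate process-creation
events for the loader chain shown above.

The EVENTS list is constructed from the report's process tree; ProcEvent,
the rule names and the path heuristics are this example's own choices.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the executable that was started
    cmdline: str   # command line as logged (may or may not repeat the image)


# .NET/Windows binaries that commodity loaders commonly hollow (assumed list)
HOLLOW_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe",
                "installutil.exe", "aspnet_compiler.exe"}
# Parent locations that should not be launching those hosts (assumed heuristic)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData|Public)\\", re.I)
TOKEN = re.compile(r'"[^"]*"|\S+')


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def stem(path: str) -> str:
    return basename(path).rsplit(".", 1)[0]


def argv_of(event: ProcEvent) -> list[str]:
    """Tokenise a Windows command line; drop the leading image token if present."""
    toks = [t.strip('"') for t in TOKEN.findall(event.cmdline)]
    if toks and basename(toks[0]) == basename(event.image):
        toks = toks[1:]
    return toks


def detect(events: list[ProcEvent]) -> list[tuple[str, int, str]]:
    """Return (rule, pid, detail) findings for the Formbook-style loader chain."""
    by_pid = {e.pid: e for e in events}
    findings = []
    exclusions = {}   # payload stem -> excluded path
    tasks = {}        # task leaf name -> full task name
    hollowed = {}     # lowercase image path -> pid of suspected hollow host

    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        args = argv_of(e)
        low = [a.lower() for a in args]

        # 1. Defense evasion: Add-MpPreference -Exclusion{Path,Process,Extension} <value>
        if name == "powershell.exe" and "add-mppreference" in low:
            for i, a in enumerate(low):
                if a.startswith("-exclusion") and i + 1 < len(args):
                    findings.append(("defender-exclusion", e.pid, args[i + 1]))
                    exclusions[stem(args[i + 1])] = args[i + 1]

        # 2. Persistence: schtasks /Create /TN <name> /XML <file>
        if name == "schtasks.exe" and "/create" in low and "/xml" in low and "/tn" in low:
            i = low.index("/tn")
            if i + 1 < len(args):
                findings.append(("schtasks-xml-create", e.pid, args[i + 1]))
                tasks[basename(args[i + 1])] = args[i + 1]

        # 3. Hollow-host candidate: a known host started with no arguments by a
        #    parent that runs from a user-writable directory
        if (name in HOLLOW_HOSTS and not args and parent
                and USER_WRITABLE.search(parent.image)):
            findings.append(("hollow-host-candidate", e.pid,
                             f"{basename(parent.image)} -> {name}"))
            hollowed[e.image.lower()] = e.pid

        # 4. Cleanup: cmd.exe /c del <path of a suspected hollow host>
        if name == "cmd.exe" and low[:2] == ["/c", "del"] and len(args) > 2:
            if args[2].lower() in hollowed:
                findings.append(("hollow-host-cleanup", e.pid, args[2]))

    # 5. The same artifact was both excluded from Defender and scheduled
    for s, path in exclusions.items():
        if s in tasks:
            findings.append(("exclusion-for-persisted-payload", 0,
                             f"{path} <-> {tasks[s]}"))
    return findings


# Constructed input: the process tree from the report, plus a benign control.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\f92d115c8a7e6a38aade6aad038c49dd_JaffaCakes118.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Roaming\XmlcHWnTkL.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "%s"'

EVENTS = [
    ProcEvent(1192, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(2384, 1192, DROPPER, f'"{DROPPER}"'),
    ProcEvent(2848, 2384, PS32, PS_CMD % DROPPER),
    ProcEvent(2624, 2384, PS32, PS_CMD % PAYLOAD),
    ProcEvent(2664, 2384, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XmlcHWnTkL" /XML "C:\Users\Admin\AppData\Local\Temp\tmp55FC.tmp"'),
    ProcEvent(824, 2384, PS32, PS_CMD % PAYLOAD),
    ProcEvent(1488, 2384, REGSVCS, f'"{REGSVCS}"'),
    ProcEvent(1772, 1192, r"C:\Windows\SysWOW64\raserver.exe", r'"C:\Windows\SysWOW64\raserver.exe"'),
    ProcEvent(1120, 1772, r"C:\Windows\SysWOW64\cmd.exe", f'/c del "{REGSVCS}"'),
    # benign control (constructed): an admin reading Defender settings must not fire
    ProcEvent(3000, 1192, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-MpPreference'),
]

if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:32} pid={pid:<5} {detail}")
```

Run against EVENTS this yields seven findings: three defender-exclusion hits, the schtasks-xml-create for Updates\XmlcHWnTkL, the hollow-host-candidate for RegSvcs.exe (1488), the hollow-host-cleanup on cmd.exe (1120) because the deleted path equals a flagged host image, and the correlation that the excluded XmlcHWnTkL.exe is also the scheduled task's name; the Get-MpPreference control produces nothing. The cleanup and correlation rules are the ones worth carrying into a real detection, since each on its own command line (an Add-MpPreference, a schtasks /XML) is common enough in administration to be noisy.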
Network
MITRE ATT&CK Enterprise v15

Execution
  Command and Scripting Interpreter (1): PowerShell
  Scheduled Task/Job (1): Scheduled Task
Downloads

Filesize: 1KB
MD5: 305526e6ae4635cc48a5f1b07219e929
SHA1: 093c5eff7b86692857c6b461d54b1c7b0d6183fa
SHA256: 5d0067b14f49117b0ec5b9682066fd12e5138998838add9478af404e00319e9d
SHA512: 470403b01e2eaca48d5b39a6011f07ab6599ee8afb5ebd45b944588fd671216c078689c2bcfe5072e7732027383b45cffd03fbe599910427026ff273712ade32

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: f63b560215f925c30496a4297e71c180
SHA1: 3c7c110d84c7f350f4000171ae26be0dce3a8daf
SHA256: 014233685e79486ed3e9c112757cdc150035b8b4ed129cbdfd8213cd87641259
SHA512: 97b6f878242fe5209e3f084769ec101bcf1a74855a878235ac585383428892988755f91c156cc5dbdb435d1db056ad812b7577f08269661d13235390e691793d

The customDestinations-ms file is an Explorer jump-list artifact of the sample being launched, not something the sample dropped. Neither XmlcHWnTkL.exe nor the task XML tmp55FC.tmp referenced in the process tree appears among the captured files.