Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-12-2024 22:57

Static task: static1
Behavioral task: behavioral1
Sample: f92d115c8a7e6a38aade6aad038c49dd_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: f92d115c8a7e6a38aade6aad038c49dd_JaffaCakes118.exe
Size: 734KB
MD5: f92d115c8a7e6a38aade6aad038c49dd
SHA1: 81aed899b36ca58821b3c7b06ea56a0e8942a433
SHA256: 003516e2f71004adc351d3d03f41c642c5f56f9ea1ac4d3369ec51550e69e0f1
SHA512: f2d643ca42490584364dda4610aedb21a7f872f09cdddb9aef43117a61c296f67128314df532ca9360fcb88435ee4e985634c72e29a6767c33b378eefcc1755e
SSDEEP: 12288:5N+NSn2iNeHK7zatLJ8FebazVp5VKhsA1dsGlnVIaVr3ySCp1W9+RP:5NMk1b2l4ebaHnKv3sqIaVr4I+
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: xgmi
Signatures

Formbook family

Formbook payload (3 IoCs)
resource | yara_rule
behavioral2/memory/2636-44-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
behavioral2/memory/2636-109-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
behavioral2/memory/4488-111-0x0000000000330000-0x000000000035E000-memory.dmp | formbook

Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions | f92d115c8a7e6a38aade6aad038c49dd_JaffaCakes118.exe

Command and Scripting Interpreter: PowerShell (1 TTP, 3 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
4280 | powershell.exe
1688 | powershell.exe
2704 | powershell.exe

Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools | f92d115c8a7e6a38aade6aad038c49dd_JaffaCakes118.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | f92d115c8a7e6a38aade6aad038c49dd_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | f92d115c8a7e6a38aade6aad038c49dd_JaffaCakes118.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | f92d115c8a7e6a38aade6aad038c49dd_JaffaCakes118.exe

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | f92d115c8a7e6a38aade6aad038c49dd_JaffaCakes118.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | f92d115c8a7e6a38aade6aad038c49dd_JaffaCakes118.exe

Suspicious use of SetThreadContext (4 IoCs)
description | pid | Process | procid_target
PID 1916 set thread context of 2636 | 1916 | f92d115c8a7e6a38aade6aad038c49dd_JaffaCakes118.exe | 98
PID 2636 set thread context of 3420 | 2636 | RegSvcs.exe | 56
PID 2636 set thread context of 3420 | 2636 | RegSvcs.exe | 56
PID 4488 set thread context of 3420 | 4488 | ipconfig.exe | 56

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f92d115c8a7e6a38aade6aad038c49dd_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ipconfig.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe

Gathers network information (2 TTPs, 1 IoC)
Uses a command-line utility to view the network configuration.
pid | Process
4488 | ipconfig.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3616 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (49 IoCs)
pid | Process
4280 | powershell.exe
1688 | powershell.exe
4280 | powershell.exe
1916 | f92d115c8a7e6a38aade6aad038c49dd_JaffaCakes118.exe
2636 | RegSvcs.exe
2636 | RegSvcs.exe
2636 | RegSvcs.exe
2636 | RegSvcs.exe
2704 | powershell.exe
1688 | powershell.exe
2704 | powershell.exe
2636 | RegSvcs.exe
2636 | RegSvcs.exe
4488 | ipconfig.exe
4488 | ipconfig.exe
4488 | ipconfig.exe
4488 | ipconfig.exe
4488 | ipconfig.exe
4488 | ipconfig.exe
4488 | ipconfig.exe
4488 | ipconfig.exe
4488 | ipconfig.exe
4488 | ipconfig.exe
4488 | ipconfig.exe
4488 | ipconfig.exe
4488 | ipconfig.exe
4488 | ipconfig.exe
4488 | ipconfig.exe
4488 | ipconfig.exe
4488 | ipconfig.exe
4488 | ipconfig.exe
4488 | ipconfig.exe
4488 | ipconfig.exe
4488 | ipconfig.exe
4488 | ipconfig.exe
4488 | ipconfig.exe
4488 | ipconfig.exe
4488 | ipconfig.exe
4488 | ipconfig.exe
4488 | ipconfig.exe
4488 | ipconfig.exe
4488 | ipconfig.exe
4488 | ipconfig.exe
4488 | ipconfig.exe
4488 | ipconfig.exe
4488 | ipconfig.exe
4488 | ipconfig.exe
4488 | ipconfig.exe
4488 | ipconfig.exe
4488 | ipconfig.exe

Suspicious behavior: MapViewOfSection (6 IoCs)
pid | Process
2636 | RegSvcs.exe
2636 | RegSvcs.exe
2636 | RegSvcs.exe
2636 | RegSvcs.exe
4488 | ipconfig.exe
4488 | ipconfig.exe

Suspicious use of AdjustPrivilegeToken (12 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4280 | powershell.exe
Token: SeDebugPrivilege | 1688 | powershell.exe
Token: SeDebugPrivilege | 1916 | f92d115c8a7e6a38aade6aad038c49dd_JaffaCakes118.exe
Token: SeDebugPrivilege | 2636 | RegSvcs.exe
Token: SeDebugPrivilege | 2704 | powershell.exe
Token: SeShutdownPrivilege | 3420 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3420 | Explorer.EXE
Token: SeShutdownPrivilege | 3420 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3420 | Explorer.EXE
Token: SeShutdownPrivilege | 3420 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3420 | Explorer.EXE
Token: SeDebugPrivilege | 4488 | ipconfig.exe

Suspicious use of WriteProcessMemory (24 IoCs)
description | pid | Process | procid_target
PID 1916 wrote to memory of 4280 | 1916 | f92d115c8a7e6a38aade6aad038c49dd_JaffaCakes118.exe | 91
PID 1916 wrote to memory of 4280 | 1916 | f92d115c8a7e6a38aade6aad038c49dd_JaffaCakes118.exe | 91
PID 1916 wrote to memory of 4280 | 1916 | f92d115c8a7e6a38aade6aad038c49dd_JaffaCakes118.exe | 91
PID 1916 wrote to memory of 1688 | 1916 | f92d115c8a7e6a38aade6aad038c49dd_JaffaCakes118.exe | 93
PID 1916 wrote to memory of 1688 | 1916 | f92d115c8a7e6a38aade6aad038c49dd_JaffaCakes118.exe | 93
PID 1916 wrote to memory of 1688 | 1916 | f92d115c8a7e6a38aade6aad038c49dd_JaffaCakes118.exe | 93
PID 1916 wrote to memory of 3616 | 1916 | f92d115c8a7e6a38aade6aad038c49dd_JaffaCakes118.exe | 95
PID 1916 wrote to memory of 3616 | 1916 | f92d115c8a7e6a38aade6aad038c49dd_JaffaCakes118.exe | 95
PID 1916 wrote to memory of 3616 | 1916 | f92d115c8a7e6a38aade6aad038c49dd_JaffaCakes118.exe | 95
PID 1916 wrote to memory of 2704 | 1916 | f92d115c8a7e6a38aade6aad038c49dd_JaffaCakes118.exe | 97
PID 1916 wrote to memory of 2704 | 1916 | f92d115c8a7e6a38aade6aad038c49dd_JaffaCakes118.exe | 97
PID 1916 wrote to memory of 2704 | 1916 | f92d115c8a7e6a38aade6aad038c49dd_JaffaCakes118.exe | 97
PID 1916 wrote to memory of 2636 | 1916 | f92d115c8a7e6a38aade6aad038c49dd_JaffaCakes118.exe | 98
PID 1916 wrote to memory of 2636 | 1916 | f92d115c8a7e6a38aade6aad038c49dd_JaffaCakes118.exe | 98
PID 1916 wrote to memory of 2636 | 1916 | f92d115c8a7e6a38aade6aad038c49dd_JaffaCakes118.exe | 98
PID 1916 wrote to memory of 2636 | 1916 | f92d115c8a7e6a38aade6aad038c49dd_JaffaCakes118.exe | 98
PID 1916 wrote to memory of 2636 | 1916 | f92d115c8a7e6a38aade6aad038c49dd_JaffaCakes118.exe | 98
PID 1916 wrote to memory of 2636 | 1916 | f92d115c8a7e6a38aade6aad038c49dd_JaffaCakes118.exe | 98
PID 3420 wrote to memory of 4488 | 3420 | Explorer.EXE | 100
PID 3420 wrote to memory of 4488 | 3420 | Explorer.EXE | 100
PID 3420 wrote to memory of 4488 | 3420 | Explorer.EXE | 100
PID 4488 wrote to memory of 1292 | 4488 | ipconfig.exe | 101
PID 4488 wrote to memory of 1292 | 4488 | ipconfig.exe | 101
PID 4488 wrote to memory of 1292 | 4488 | ipconfig.exe | 101
Processes

C:\Windows\Explorer.EXE (PID 3420)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\f92d115c8a7e6a38aade6aad038c49dd_JaffaCakes118.exe (PID 1916)
    Command line: "C:\Users\Admin\AppData\Local\Temp\f92d115c8a7e6a38aade6aad038c49dd_JaffaCakes118.exe"
    - Looks for VirtualBox Guest Additions in registry
    - Looks for VMWare Tools registry key
    - Checks BIOS information in registry
    - Checks computer location settings
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4280)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\f92d115c8a7e6a38aade6aad038c49dd_JaffaCakes118.exe"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1688)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XmlcHWnTkL.exe"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\schtasks.exe (PID 3616)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XmlcHWnTkL" /XML "C:\Users\Admin\AppData\Local\Temp\tmp54A3.tmp"
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2704)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XmlcHWnTkL.exe"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 2636)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\ipconfig.exe (PID 4488)
    Command line: "C:\Windows\SysWOW64\ipconfig.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Gathers network information
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 1292)
      Command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      - System Location Discovery: System Language Discovery
Network

MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (2)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Downloads