Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 18-12-2024 15:40
Static task: static1
Behavioral task: behavioral1
Sample: fc2310dcaf93e7b285f5ce26db6f774f_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: fc2310dcaf93e7b285f5ce26db6f774f_JaffaCakes118.exe
Size: 1.5MB
MD5: fc2310dcaf93e7b285f5ce26db6f774f
SHA1: 07f489074f56e64a791e75dd7905b41f2a000153
SHA256: 4b1dcf9d1e2518e912abcee672aadcaed51f1aa435e3dc1b3fb43d047ec24f1e
SHA512: 28e29d023235af90019d4977dd2fb7889d1116d7346deb6a3357e92ef205cd3f943bc9aed291af3fe40c89e7ca0bac3740f3b4db59185c81cf075b86a0aedd69
SSDEEP: 12288:egcKmNgis3mLyCMfv9VPtes6y/Q68trI+ePV3tebVpqU5RaT2fX/AZrSmXKz0tYw:iKhis3mgfv9VtPojINV9JgaT2fXjvOf
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: wt5i
C2 domains:
mydreamct.com
vadicore.com
choicemango.com
projectsolutionspro.com
ncg.xyz
goio.digital
ee-secure-account.com
criminalstudy.com
fsjuanzhi.com
pont-travaux-public.com
agencepartenaire.com
jlsyzm.com
prosselius.com
woodendgroups.com
thereproducts.site
sigmagrupo.net
chelseagracia.com
fusosstore.com
chrissypips.trade
mvlxplcswa.com
sneguard.com
travellingcomet.com
ledbydesign.asia
yaysondaj.com
recoverydharma.guide
peak8000.com
alltranslation.xyz
igorkozel.com
x-box2send.club
campgoodco.com
arrowinvestments-technology.com
naturally-preserved.com
vk-authorization.site
xn--12cfjb7d8dd4ftb6cr0g5e.net
losjazminesdelamolina.com
farmaciamoyatoledo134fmas.com
sgainme.com
corcoran.network
nestarchitectural.com
nnltsy.com
wyoming-interactive.net
laomao.site
qiwuwenhua.com
conectals.com
wanggou0579.com
nanmedia.info
kindredheatrsteam.com
passiveincomeincubator.com
eletroclimaks.com
getbackmode.com
clearvuetaxadvisors.com
pick-assiette.com
tribelinx.com
1bodymobile.com
united-for-humanity.net
hoatao.xyz
isbpestcontrol.com
nieght.com
pinoyhoustontv.com
bloochy.com
greatestpotever.com
onikidil.com
inspirainstitute.com
yourcariq.com
nouolive.com
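The list above is the raw decrypted config, and it needs two things before it is usable as an indicator set: normalisation (the xn-- entry is an IDN in A-label form, and lists like this are often copied with mixed case or trailing dots), and a caveat. Formbook configs are known to mix decoy domains with the live C2, so every entry is a blocklist candidate, but only the names the sample actually resolves or contacts in network telemetry should be treated as confirmed C2. The following Python is an added example by the editor, not part of the Tria.ge report and not Formbook's own code; FORMBOOK_DOMAINS is a subset copied from the config above plus two constructed entries that exercise the normalisation, and the output formats (DNS RPZ, hosts file, log-search regex) are the author's choice.

```python
"""Normalise the Formbook C2 list from this report into blocklist entries.

Added example (editor's code, not part of the Tria.ge report and not Formbook's
own code). FORMBOOK_DOMAINS is a subset copied from the "Malware Config" section
above, plus two constructed entries that exercise normalisation; the output
formats (DNS RPZ, hosts file, log-search regex) are the author's choice.
"""
import re
from typing import Optional

# Subset of the extracted config (full list is in the report). Formbook configs
# mix decoy domains with the live C2, so treat these as blocklist candidates and
# confirm C2 from what the sample actually resolves or contacts.
FORMBOOK_DOMAINS = [
    "mydreamct.com",
    "vadicore.com",
    "ee-secure-account.com",
    "vk-authorization.site",
    "xn--12cfjb7d8dd4ftb6cr0g5e.net",  # IDN entry in A-label (punycode) form
    "x-box2send.club",
    "Nouolive.com",     # constructed: mixed case, to show case folding
    "mydreamct.com.",   # constructed: trailing dot, to show deduplication
]

# One hostname label: 1-63 chars of [a-z0-9-], no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalise(domain: str) -> Optional[str]:
    """Lower-case, drop a trailing dot, and reject anything that is not a hostname."""
    d = domain.strip().lower().rstrip(".")
    labels = d.split(".")
    if len(labels) < 2 or any(not _LABEL.match(label) for label in labels):
        return None
    return d


def unicode_form(domain: str) -> str:
    """Decode xn-- A-labels to the Unicode form for analyst display; return the input unchanged on failure."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain


def blocklist(domains) -> list:
    """Sorted, deduplicated, normalised domains; invalid entries are dropped."""
    return sorted({n for n in (normalise(d) for d in domains) if n})


def to_rpz(domains) -> list:
    """Response Policy Zone records that NXDOMAIN each domain and all of its subdomains."""
    records = []
    for d in blocklist(domains):
        records.append(f"{d} CNAME .")
        records.append(f"*.{d} CNAME .")
    return records


def to_hosts(domains) -> list:
    """hosts-file sinkhole lines (exact names only; hosts files do not support wildcards)."""
    return [f"0.0.0.0 {d}" for d in blocklist(domains)]


def to_log_regex(domains):
    """One anchored, case-insensitive regex for grepping DNS or proxy logs.

    Matches the domain itself or any subdomain, but not look-alikes such as
    notvadicore.com or vadicore.com.example.
    """
    alternatives = "|".join(re.escape(d) for d in blocklist(domains))
    return re.compile(rf"(?i)(?:^|\.)(?:{alternatives})$")


if __name__ == "__main__":
    for record in to_rpz(FORMBOOK_DOMAINS):
        print(record)
    print("IDN entry decodes to:", unicode_form("xn--12cfjb7d8dd4ftb6cr0g5e.net"))
```

The RPZ output is the form to load into a resolver, since it catches subdomains the config does not list; the hosts-file form only matches exact names. The regex is anchored on a label boundary so that a search over logs does not match unrelated names that merely contain one of these domains as a suffix.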
Signatures
Formbook family
Formbook payload (1 IoC)
  resource: behavioral1/memory/2764-13-0x0000000000400000-0x000000000042E000-memory.dmp
  yara_rule: formbook
Suspicious use of SetThreadContext (1 IoC)
  description: PID 1908 set thread context of 2764
  pid: 1908
  Process: fc2310dcaf93e7b285f5ce26db6f774f_JaffaCakes118.exe
  procid_target: 31
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: fc2310dcaf93e7b285f5ce26db6f774f_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid: 2764
  Process: fc2310dcaf93e7b285f5ce26db6f774f_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (7 IoCs, all identical)
  description: PID 1908 wrote to memory of 2764
  pid: 1908
  Process: fc2310dcaf93e7b285f5ce26db6f774f_JaffaCakes118.exe
  procid_target: 31
Processes
C:\Users\Admin\AppData\Local\Temp\fc2310dcaf93e7b285f5ce26db6f774f_JaffaCakes118.exe (PID 1908)
  command line: "C:\Users\Admin\AppData\Local\Temp\fc2310dcaf93e7b285f5ce26db6f774f_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\fc2310dcaf93e7b285f5ce26db6f774f_JaffaCakes118.exe (PID 2764, child of PID 1908)
    command line: "C:\Users\Admin\AppData\Local\Temp\fc2310dcaf93e7b285f5ce26db6f774f_JaffaCakes118.exe"
    - Suspicious behavior: EnumeratesProcesses
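Read together, the signature rows and the process tree describe one technique: PID 1908 launches a second copy of its own image (PID 2764), writes into it seven times, resets the child's thread context with SetThreadContext, and the Formbook YARA rule then fires on the child's memory at 0x400000-0x42E000, the default image base where the original executable's image would have been mapped. The self-spawn is visible in ordinary process-creation telemetry (for example Sysmon Event ID 1 with ParentImage equal to Image), but the WriteProcessMemory and SetThreadContext calls come only from sandbox or EDR API hooks, so a detection has to join both feeds. The following Python is an added example by the editor, not part of the Tria.ge report; the event records are constructed to mirror the rows above, and the record layout and scoring are the author's invention rather than a Tria.ge or EDR schema.

```python
"""Correlate the three signals this report shows into one process-hollowing finding:
a process spawns a copy of its own image, writes into the child's memory, then
calls SetThreadContext on it, and the Formbook YARA rule fires on the child's memory.

Added example (editor's code, not part of the Tria.ge report). The records below are
constructed to mirror the report's process tree and signature rows; the record
layout and the scoring are the author's invention, not a Tria.ge or EDR schema.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\fc2310dcaf93e7b285f5ce26db6f774f_JaffaCakes118.exe"


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str


@dataclass
class ApiEvent:
    api: str         # "WriteProcessMemory" or "SetThreadContext"
    pid: int         # caller
    target_pid: int  # process acted upon


@dataclass
class Finding:
    parent_pid: int
    child_pid: int
    self_spawn: bool      # child image == parent image
    writes: int           # WriteProcessMemory calls parent -> child
    set_context: bool     # SetThreadContext parent -> child
    payload_rules: tuple  # YARA rules that hit in the child's memory

    @property
    def hollowing(self) -> bool:
        """All three behavioural signals together; a YARA hit corroborates but is not required."""
        return self.self_spawn and self.writes > 0 and self.set_context


# Constructed telemetry reflecting the report: PID 1908 -> 2764, 7 writes, 1 context reset.
PROCESSES = [
    ProcessEvent(pid=1600, ppid=500, image=r"C:\Windows\explorer.exe"),  # constructed launcher
    ProcessEvent(pid=1908, ppid=1600, image=SAMPLE),
    ProcessEvent(pid=2764, ppid=1908, image=SAMPLE),
]
API_CALLS = [ApiEvent("WriteProcessMemory", 1908, 2764)] * 7 + [ApiEvent("SetThreadContext", 1908, 2764)]
YARA_HITS = [("behavioral1/memory/2764-13-0x0000000000400000-0x000000000042E000-memory.dmp", "formbook")]

# Dump name as it appears in the report: <pid>-<n>-0x<start>-0x<end>-memory.dmp
_DUMP = re.compile(r"(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump_name(resource: str):
    """Return (pid, start, end) from a memory-dump resource name, or None if it does not fit."""
    m = _DUMP.search(resource)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)


def correlate(processes, api_calls, yara_hits=()):
    """One Finding per parent/child pair that shows any of the three signals."""
    by_pid = {p.pid: p for p in processes}
    writes = defaultdict(int)
    ctx = set()
    for a in api_calls:
        key = (a.pid, a.target_pid)
        if a.api == "WriteProcessMemory":
            writes[key] += 1
        elif a.api == "SetThreadContext":
            ctx.add(key)
    rules_by_pid = defaultdict(list)
    for resource, rule in yara_hits:
        parsed = parse_dump_name(resource)
        if parsed:
            rules_by_pid[parsed[0]].append(rule)

    findings = []
    for child in processes:
        parent = by_pid.get(child.ppid)
        if parent is None:
            continue
        key = (parent.pid, child.pid)
        same_image = parent.image.lower() == child.image.lower()
        if same_image or key in writes or key in ctx:
            findings.append(Finding(parent.pid, child.pid, same_image, writes[key],
                                    key in ctx, tuple(rules_by_pid[child.pid])))
    return findings


if __name__ == "__main__":
    for f in correlate(PROCESSES, API_CALLS, YARA_HITS):
        print(f, "-> hollowing" if f.hollowing else "")
```

A self-spawn on its own is weak (installers and updaters do it), and a context reset on its own is rare but not conclusive; requiring all three before calling it hollowing keeps the rule specific, while the parsed dump name ties the YARA hit to the hollowed child rather than the parent.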