Analysis
-
max time kernel
60s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
19-12-2024 04:33
Static task
static1
Behavioral task
behavioral1
Sample
fe740e7999ea046c611b6af048228301_JaffaCakes118.exe
Resource
win7-20241010-en
General
-
Target
fe740e7999ea046c611b6af048228301_JaffaCakes118.exe
-
Size
846KB
-
MD5
fe740e7999ea046c611b6af048228301
-
SHA1
b11b855d1328255503fd2e3d86260293af0fef8a
-
SHA256
e53afd0b5fd432a725fce3ee514f9bf7e58b54b06c096640c0672faf7eb209b5
-
SHA512
c6eef694077d945c92dab79d1f99b349d71fa65f0a9dbece5a86f9e400e85c9c6b0ffd8d2236e4cde1ab97728762262bc6e2272a33e9f561418d3c56ce16f617
-
SSDEEP
24576:AAsnEguXVgHgteHLHyLWf6A1Ti2KIzoGsrq34MeWjc:3tFWfV4MeWj
Malware Config
Extracted
formbook
4.1
qg0x
guruguyd.com
martiallawtcg.com
minervamerch.com
websiteseotools.net
productionsrassembleurs.com
tarcanlaroto.com
zoloftmusic.com
waseet.club
mtelphinstonemasonicsociety.com
indertechstore.com
iostdefi.net
juxrams.info
magwearhouse.com
ellerey.com
jointhekkk.com
wednesdaytravel.com
nineban.icu
westcoastk95.com
parkcityruthschris.com
monicarodri.design
mouthfulofmumurs.com
brandspade.com
ttjxgs.com
rakmetrocarservices.com
reservepet.com
fs2020addons.com
fgxrmyy.net
lovethepupyourewith.com
dongocly.com
ooper.net
packdesignerbr.com
minimalistcycling.com
ihatebrooklyn.com
goodamazonagency.com
mz700.com
thetexantech.com
sfqp28.com
fleek.today
studentsafetysheild.info
tgsei-df-03.com
samanthaandpeter.com
multiplarity.com
riverfoodsinc.com
panpomen.com
blalion.com
fyjhl.com
pyittineaung.com
growscienes.com
reoimwyhhxoadfcm.com
texasboilerpart.com
valhallaplus.net
whoartsau.com
thesimpleprogrammer.com
bagodaycrochetandmore.com
jyejee.com
tssep.info
dsdbrgj.icu
s2n-search.com
jiachenwenhua.com
japansurvivalstore.com
mentalaltitudebook.com
releviumchiro.com
voltagefinancellc.com
xn--balkesirilaclama-cqc.com
yogamatde.online
Signatures
-
Formbook family
-
Formbook payload 1 IoCs
resource yara_rule behavioral1/memory/1692-26-0x0000000000400000-0x000000000042E000-memory.dmp formbook -
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions fe740e7999ea046c611b6af048228301_JaffaCakes118.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2916 powershell.exe 2304 powershell.exe 1260 powershell.exe -
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools fe740e7999ea046c611b6af048228301_JaffaCakes118.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion fe740e7999ea046c611b6af048228301_JaffaCakes118.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion fe740e7999ea046c611b6af048228301_JaffaCakes118.exe -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 fe740e7999ea046c611b6af048228301_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum fe740e7999ea046c611b6af048228301_JaffaCakes118.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1084 set thread context of 1692 1084 fe740e7999ea046c611b6af048228301_JaffaCakes118.exe 38 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fe740e7999ea046c611b6af048228301_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1572 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 2916 powershell.exe 2304 powershell.exe 1084 fe740e7999ea046c611b6af048228301_JaffaCakes118.exe 1260 powershell.exe 1692 fe740e7999ea046c611b6af048228301_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 2916 powershell.exe Token: SeDebugPrivilege 2304 powershell.exe Token: SeDebugPrivilege 1084 fe740e7999ea046c611b6af048228301_JaffaCakes118.exe Token: SeDebugPrivilege 1260 powershell.exe -
Suspicious use of WriteProcessMemory 23 IoCs
description pid Process procid_target PID 1084 wrote to memory of 2916 1084 fe740e7999ea046c611b6af048228301_JaffaCakes118.exe 30 PID 1084 wrote to memory of 2916 1084 fe740e7999ea046c611b6af048228301_JaffaCakes118.exe 30 PID 1084 wrote to memory of 2916 1084 fe740e7999ea046c611b6af048228301_JaffaCakes118.exe 30 PID 1084 wrote to memory of 2916 1084 fe740e7999ea046c611b6af048228301_JaffaCakes118.exe 30 PID 1084 wrote to memory of 2304 1084 fe740e7999ea046c611b6af048228301_JaffaCakes118.exe 33 PID 1084 wrote to memory of 2304 1084 fe740e7999ea046c611b6af048228301_JaffaCakes118.exe 33 PID 1084 wrote to memory of 2304 1084 fe740e7999ea046c611b6af048228301_JaffaCakes118.exe 33 PID 1084 wrote to memory of 2304 1084 fe740e7999ea046c611b6af048228301_JaffaCakes118.exe 33 PID 1084 wrote to memory of 1572 1084 fe740e7999ea046c611b6af048228301_JaffaCakes118.exe 35 PID 1084 wrote to memory of 1572 1084 fe740e7999ea046c611b6af048228301_JaffaCakes118.exe 35 PID 1084 wrote to memory of 1572 1084 fe740e7999ea046c611b6af048228301_JaffaCakes118.exe 35 PID 1084 wrote to memory of 1572 1084 fe740e7999ea046c611b6af048228301_JaffaCakes118.exe 35 PID 1084 wrote to memory of 1260 1084 fe740e7999ea046c611b6af048228301_JaffaCakes118.exe 37 PID 1084 wrote to memory of 1260 1084 fe740e7999ea046c611b6af048228301_JaffaCakes118.exe 37 PID 1084 wrote to memory of 1260 1084 fe740e7999ea046c611b6af048228301_JaffaCakes118.exe 37 PID 1084 wrote to memory of 1260 1084 fe740e7999ea046c611b6af048228301_JaffaCakes118.exe 37 PID 1084 wrote to memory of 1692 1084 fe740e7999ea046c611b6af048228301_JaffaCakes118.exe 38 PID 1084 wrote to memory of 1692 1084 fe740e7999ea046c611b6af048228301_JaffaCakes118.exe 38 PID 1084 wrote to memory of 1692 1084 fe740e7999ea046c611b6af048228301_JaffaCakes118.exe 38 PID 1084 wrote to memory of 1692 1084 fe740e7999ea046c611b6af048228301_JaffaCakes118.exe 38 PID 1084 wrote to memory of 1692 1084 fe740e7999ea046c611b6af048228301_JaffaCakes118.exe 38 PID 1084 wrote to memory of 1692 1084 fe740e7999ea046c611b6af048228301_JaffaCakes118.exe 38 PID 1084 wrote to memory of 1692 1084 fe740e7999ea046c611b6af048228301_JaffaCakes118.exe 38
Processes
-
C:\Users\Admin\AppData\Local\Temp\fe740e7999ea046c611b6af048228301_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\fe740e7999ea046c611b6af048228301_JaffaCakes118.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\fe740e7999ea046c611b6af048228301_JaffaCakes118.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2916
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hfeCcdsnBnrre.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2304
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hfeCcdsnBnrre" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9953.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1572
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hfeCcdsnBnrre.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1260
-
-
C:\Users\Admin\AppData\Local\Temp\fe740e7999ea046c611b6af048228301_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\fe740e7999ea046c611b6af048228301_JaffaCakes118.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1692
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD528f99a246822d4a3b45f46b91fb89f69
SHA164c971880cb81c4995f547815a198d1a3572ff09
SHA2569e4322fb720c22960f75bb91cf309a86d45d28835e12718650758a2fc17662a3
SHA512b7b7d9e63d9a3aa72dea76889c2aef5ee6985fb387b9c2449ed07c00f64a71b262db724c04b7d2724a99c8197e9c7aac08aa87d8e06e9b950cd6fe04e5b49cec
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize7KB
MD535afbed0637fbcca78a49b295dda99a3
SHA1c4df1a0ccce3eed8bc55d3948746c4c049ed0e65
SHA2569e42c8d036703af9a93442bb70b90a0b192eaf365731d519bf61fb6ab629ccf2
SHA512c768d24a0427c857a19dc9a584436bf8594eae6c39d5e608accc93bb314d10baee5d1a3f288b1ce7d5374c4e107ee4f769859248cc8efc245c6f01912f58cb23