Analysis
max time kernel: 119s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 14-05-2024 22:58

Static task: static1
Behavioral task: behavioral1
  Sample: 4372c18fbe734ef31fffe8fbde52adda_JaffaCakes118.exe
  Resource: win7-20240221-en
General
Target: 4372c18fbe734ef31fffe8fbde52adda_JaffaCakes118.exe
Size: 355KB
MD5: 4372c18fbe734ef31fffe8fbde52adda
SHA1: 4b65e3ea741ba115088ffd0915e7f1963c4d91bc
SHA256: f5fa18d39f0b842d6a142a8c6da920bc494e880b5909b196fa68e7e6ffe4604c
SHA512: f906dfc4ae493b57c974770b1f2dc9d00a1c8a69e1e1eb625ef5eecc67fb385b1b68d4d0547d2aa6a195b4a6a4348a3919338d41511e9f83e9b243fd14e182d9
SSDEEP: 6144:l9m82gw6NuqWzgETzScJHGfX80mzZPN/Wbt/jOXTTwhA4rdr:XKSuqWqcJmf8FxhWFjOXvkr
Malware Config
Extracted: formbook, version 3.9, campaign po; the extracted config also carries a list of 65 domains.
Signatures

Detect ZGRat V1 (1 IoC)
  resource: behavioral1/memory/2524-3-0x00000000001F0000-0x000000000021C000-memory.dmp
  yara_rule: family_zgrat_v1

Formbook payload (1 IoC)
  resource: behavioral1/memory/2644-8-0x0000000000400000-0x000000000042A000-memory.dmp
  yara_rule: formbook

Obfuscated with Agile.Net obfuscator (1 IoC)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  resource: behavioral1/memory/2524-3-0x00000000001F0000-0x000000000021C000-memory.dmp
  yara_rule: agile_net

Suspicious use of SetThreadContext (1 IoC)
  description: PID 2524 set thread context of 2644
  pid: 2524
  process: 4372c18fbe734ef31fffe8fbde52adda_JaffaCakes118.exe
  target process: 4372c18fbe734ef31fffe8fbde52adda_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid: 2644
  process: 4372c18fbe734ef31fffe8fbde52adda_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege
  pid: 2524
  process: 4372c18fbe734ef31fffe8fbde52adda_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description: PID 2524 wrote to memory of 2644 (7 identical entries)
  pid: 2524
  process: 4372c18fbe734ef31fffe8fbde52adda_JaffaCakes118.exe
  target process: 4372c18fbe734ef31fffe8fbde52adda_JaffaCakes118.exe

Taken together, the first instance (PID 2524) starting a second copy of the same executable, adjusting that copy's thread context and writing into its memory, while the Formbook YARA match appears only in the child's image region at 0x400000, is consistent with the parent injecting the Formbook payload into a hollowed copy of itself; the ZGRat and Agile.Net matches are in the parent's own memory.
Processes
1. C:\Users\Admin\AppData\Local\Temp\4372c18fbe734ef31fffe8fbde52adda_JaffaCakes118.exe (PID 2524)
   command line: "C:\Users\Admin\AppData\Local\Temp\4372c18fbe734ef31fffe8fbde52adda_JaffaCakes118.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\4372c18fbe734ef31fffe8fbde52adda_JaffaCakes118.exe (PID 2644, child of 1)
      command line: "C:\Users\Admin\AppData\Local\Temp\4372c18fbe734ef31fffe8fbde52adda_JaffaCakes118.exe"
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
File                                                                 Filesize
memory/2524-0-0x000000007406E000-0x000000007406F000-memory.dmp       4KB
memory/2524-1-0x0000000000360000-0x00000000003C2000-memory.dmp       392KB
memory/2524-2-0x0000000000620000-0x0000000000680000-memory.dmp       384KB
memory/2524-3-0x00000000001F0000-0x000000000021C000-memory.dmp       176KB
memory/2524-4-0x0000000074060000-0x000000007474E000-memory.dmp       6.9MB
memory/2524-5-0x000000007406E000-0x000000007406F000-memory.dmp       4KB
memory/2524-6-0x0000000074060000-0x000000007474E000-memory.dmp       6.9MB
memory/2524-7-0x0000000074060000-0x000000007474E000-memory.dmp       6.9MB
memory/2524-9-0x0000000074060000-0x000000007474E000-memory.dmp       6.9MB
memory/2644-8-0x0000000000400000-0x000000000042A000-memory.dmp       168KB
memory/2644-10-0x00000000009E0000-0x0000000000CE3000-memory.dmp      3.0MB
memory/2644-11-0x00000000009E0000-0x0000000000CE3000-memory.dmp      3.0MB