Analysis
- max time kernel: 147s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 14-06-2024 22:47
- Static task: static1
- Behavioral task: behavioral1
  - Sample: abd70ec006fec754f2776d7b847c8a6e_JaffaCakes118.exe
  - Resource: win7-20240508-en
General
- Target: abd70ec006fec754f2776d7b847c8a6e_JaffaCakes118.exe
- Size: 388KB
- MD5: abd70ec006fec754f2776d7b847c8a6e
- SHA1: ec54aab238e3caddede09c41bad1d0a6aa29477c
- SHA256: 930ef88b7c7cfeaaa14f83875ae550193ed4067b6d118833f94cd2e14c5e47e2
- SHA512: 18d2629b921ca2be364a5ed8aecb16281431bdbde21d6c762a85709afb8471267eb66b41aca75480fc76636aa7b1933c092f7eb4ce5f7c49045b6ed9ef8b58f2
- SSDEEP: 6144:uMTP1YPuOZt036C5+GcMxWxSQvkYmlJ5KdsMH3soCzaauK2O0z/Pks:uUmWOZt0fcM8xT0l/+KzdH2OSk
Malware Config
Extracted
- Family: formbook
- Version: 3.9
- Campaign: ma
- C2 domains:
sbo8et.online
cignapathtowellness.com
vanysiaestetica.com
medusmart.com
cttexpresso33347896.site
appleid-verify-signin.com
azumama.com
avarts.studio
jmartinchico.info
8827vvvv.com
affiliates.group
cepsubekur.com
quanyinmami.com
xn----f66bs48bj6k.com
bettyscountrycabin.com
adrianamilne.com
lesfleursdeleonore.com
wwwwz520520.com
yourhomegardensource.com
honaleighceramics.com
influcoins.com
kingswayestatesspain.net
owcoo.com
smokysblackbear.com
thegalaxys8.win
golfeetbaie.immo
tianjianby.com
thedameranch.com
22battalionroad.com
millennialadult.com
tona.ltd
bilingadoctor.com
xc552.com
grimes.cloud
laxpagents.com
entreprisegautier.com
naturheilpraxis-volksdorf.com
shizuquanxie.com
roth.gallery
youyalisi.com
lyfogp.com
removiestream.info
hananredha.com
mingcihang.com
thattechfriend.com
filmmakersatmines.com
doemountainproductions.net
qmzmx.com
inssoft.info
transmission-products.com
gownlink.com
instockminers.com
caroliniservices.com
marthapullenco.com
peliculaslatino.online
diasurgemedicalfze.com
waitingtobezapped.com
sallyhardwick.com
thaiclassiads.com
lusao50501.com
16900.net
gmjev.info
alcluster.com
cdbe2oo1z.online
bonzaj.com
Signatures
- Formbook payload (1 IoC)
  Processes:
    resource: behavioral1/memory/1668-19-0x0000000000400000-0x000000000042A000-memory.dmp; yara_rule: formbook
- Executes dropped EXE (2 IoCs)
  Processes: winlog.exe, winlog.exe
    pid 2636 winlog.exe
    pid 1668 winlog.exe
- Loads dropped DLL (1 IoC)
  Processes: cmd.exe
    pid 2528 cmd.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: winlog.exe
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogs = "C:\\Users\\Admin\\AppData\\Local\\winlog.exe -boot"
    process: winlog.exe
- Suspicious use of SetThreadContext (3 IoCs)
  Processes: winlog.exe, winlog.exe, NETSTAT.EXE
    PID 2636 set thread context of 1668 (winlog.exe -> winlog.exe)
    PID 1668 set thread context of 1188 (winlog.exe -> Explorer.EXE)
    PID 2004 set thread context of 1188 (NETSTAT.EXE -> Explorer.EXE)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Gathers network information (2 TTPs, 1 IoC)
  Uses commandline utility to view network configuration.
  Processes: NETSTAT.EXE
    pid 2004 NETSTAT.EXE
- Suspicious behavior: EnumeratesProcesses (13 IoCs)
  Processes: winlog.exe, NETSTAT.EXE
    pid 1668 winlog.exe (2 occurrences)
    pid 2004 NETSTAT.EXE (11 occurrences)
- Suspicious behavior: MapViewOfSection (5 IoCs)
  Processes: winlog.exe, NETSTAT.EXE
    pid 1668 winlog.exe (3 occurrences)
    pid 2004 NETSTAT.EXE (2 occurrences)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: abd70ec006fec754f2776d7b847c8a6e_JaffaCakes118.exe, winlog.exe, winlog.exe, NETSTAT.EXE
    Token: SeDebugPrivilege, pid 2416 abd70ec006fec754f2776d7b847c8a6e_JaffaCakes118.exe
    Token: SeDebugPrivilege, pid 2636 winlog.exe
    Token: SeDebugPrivilege, pid 1668 winlog.exe
    Token: SeDebugPrivilege, pid 2004 NETSTAT.EXE
- Suspicious use of WriteProcessMemory (27 IoCs)
  Processes: abd70ec006fec754f2776d7b847c8a6e_JaffaCakes118.exe, cmd.exe, winlog.exe, Explorer.EXE, NETSTAT.EXE
    PID 2416 wrote to memory of 2656 (abd70ec006fec754f2776d7b847c8a6e_JaffaCakes118.exe -> cmd.exe), 4 occurrences
    PID 2416 wrote to memory of 2528 (abd70ec006fec754f2776d7b847c8a6e_JaffaCakes118.exe -> cmd.exe), 4 occurrences
    PID 2528 wrote to memory of 2636 (cmd.exe -> winlog.exe), 4 occurrences
    PID 2636 wrote to memory of 1668 (winlog.exe -> winlog.exe), 7 occurrences
    PID 1188 wrote to memory of 2004 (Explorer.EXE -> NETSTAT.EXE), 4 occurrences
    PID 2004 wrote to memory of 1036 (NETSTAT.EXE -> cmd.exe), 4 occurrences
Processes
- C:\Windows\Explorer.EXE (depth 1)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\abd70ec006fec754f2776d7b847c8a6e_JaffaCakes118.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\abd70ec006fec754f2776d7b847c8a6e_JaffaCakes118.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\abd70ec006fec754f2776d7b847c8a6e_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\winlog.exe"
    - C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\winlog.exe"
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\winlog.exe (depth 4)
        Command line: "C:\Users\Admin\AppData\Local\winlog.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\winlog.exe (depth 5)
          Command line: "C:\Users\Admin\AppData\Local\winlog.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\NETSTAT.EXE (depth 2)
    Command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
    - Suspicious use of SetThreadContext
    - Gathers network information
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: /c del "C:\Users\Admin\AppData\Local\winlog.exe"
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\winlog.exe
  Filesize: 388KB
  MD5: abd70ec006fec754f2776d7b847c8a6e
  SHA1: ec54aab238e3caddede09c41bad1d0a6aa29477c
  SHA256: 930ef88b7c7cfeaaa14f83875ae550193ed4067b6d118833f94cd2e14c5e47e2
  SHA512: 18d2629b921ca2be364a5ed8aecb16281431bdbde21d6c762a85709afb8471267eb66b41aca75480fc76636aa7b1933c092f7eb4ce5f7c49045b6ed9ef8b58f2
- memory/1188-22-0x0000000005100000-0x0000000005200000-memory.dmp
  Filesize: 1024KB
- memory/1668-18-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
  Filesize: 4KB
- memory/1668-19-0x0000000000400000-0x000000000042A000-memory.dmp
  Filesize: 168KB
- memory/1668-16-0x0000000000400000-0x000000000042A000-memory.dmp
  Filesize: 168KB
- memory/1668-14-0x0000000000400000-0x000000000042A000-memory.dmp
  Filesize: 168KB
- memory/2004-23-0x0000000000940000-0x0000000000949000-memory.dmp
  Filesize: 36KB
- memory/2416-4-0x0000000000290000-0x000000000029C000-memory.dmp
  Filesize: 48KB
- memory/2416-13-0x00000000742E0000-0x00000000749CE000-memory.dmp
  Filesize: 6.9MB
- memory/2416-8-0x00000000742E0000-0x00000000749CE000-memory.dmp
  Filesize: 6.9MB
- memory/2416-7-0x00000000742EE000-0x00000000742EF000-memory.dmp
  Filesize: 4KB
- memory/2416-0-0x00000000742EE000-0x00000000742EF000-memory.dmp
  Filesize: 4KB
- memory/2416-3-0x00000000742E0000-0x00000000749CE000-memory.dmp
  Filesize: 6.9MB
- memory/2416-2-0x0000000000260000-0x0000000000280000-memory.dmp
  Filesize: 128KB
- memory/2416-1-0x00000000008C0000-0x0000000000928000-memory.dmp
  Filesize: 416KB
- memory/2636-12-0x0000000001030000-0x0000000001098000-memory.dmp
  Filesize: 416KB