Analysis

max time kernel: 149s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-06-2024 20:20

Tasks
static1: static task
behavioral1: behavioral task, resource win7-20231129-en
Sample: ab494f466a82dd77680845c90d3d374d_JaffaCakes118.exe

Note: the signatures, process tree and memory dumps below come from the Windows 10 run (the dump paths are prefixed behavioral2/), not from the win7 task listed above.
General

Target: ab494f466a82dd77680845c90d3d374d_JaffaCakes118.exe
Size: 255KB
MD5: ab494f466a82dd77680845c90d3d374d
SHA1: 557fddb9db8aa0f6e72644d0e26e5886930e2310
SHA256: 9fe305213e6584a14e5d687540d178a989acb5de8ea5815dab4c262a4f4955da
SHA512: 9432d3ea685d2a822aac09a52f6898bb542a95736f296aed43e2a3c1ca074df1c11d08ad99a90698f4b19bc08f85764cc1e57187bcbe90ddcd02991fb59f7565
SSDEEP: 6144:8fTuKv/3or5iS1CtvHUC6SQFUZGd3kP+ILbqx6:aTubtL14PrJQuwd3YRL2x6
Malware Config

Extracted family: formbook
Version: 3.8
Campaign tag: wo

Domains from the extracted config. A Formbook config carries the live C2 mixed with a long list of decoy domains (some of them legitimate sites), so treat these as context for the network capture rather than as a blocklist to apply blindly:
studentepd.network
skinsensemoreqe.com
egrevore.com
2xa01v.info
detoxqueen.com
lumiity.com
urbanned.store
appleclinicaltrials.com
bledfetneknauer.win
tdhonlineadv.com
trendcosmo.com
eulermedia.net
bluewatersinvestments.com
hebibafang.com
sacrpc-cad.com
involo.agency
cultivatingajoyfulhome.com
zilkinvestments.com
3taoquan.com
ipmi.group
bencotter.com
zspcw.com
bluewhalecreation.com
pretendsweet.win
saulgraves.com
unfolving.com
jamfabriek.com
stanford.school
ravkyplakat.com
bertsampson.com
ccc594.com
southlakeenergy.com
essentially-best.net
glisson-archery.net
le10cannes.com
bonusdetective.com
gaihaoqi.com
dressupacademy.com
calibratedisplay.com
ultrarunning.events
moraghanengpc.net
giqo.ltd
quest.business
hi-fu.com
tabletsellers.com
themildlyirked.com
753opebet.com
mondosport.click
ddttl.com
thelivelycollective.com
terrain-copponex.info
islom-karimov.partners
acumensolultions.com
vedezevanje.biz
hempworks4u.biz
youngandblue.com
bedroomentrepreneur.com
pay52990.com
jiko.ltd
0014aa.com
mototelecom.com
pripro.net
yuki-motor.com
31ricklanddrive.info
cahdtactycz.info
Signatures

Formbook payload (3 IoCs)
  resource                                                                       yara_rule
  behavioral2/memory/4188-22-0x0000000005CB0000-0x0000000005CDA000-memory.dmp    formbook
  behavioral2/memory/1016-27-0x0000000000400000-0x000000000042A000-memory.dmp    formbook
  behavioral2/memory/1016-30-0x0000000000400000-0x000000000042A000-memory.dmp    formbook
  The first match is a 168KB region inside the loader (PID 4188); the two matches at image base 0x400000 in vbc.exe (PID 1016) cover a region of the same 168KB size, consistent with the decrypted payload being written into the hollowed host.

Uses the VBS compiler for execution (1 TTPs)
  The rule name refers to vbc.exe, the Visual Basic .NET compiler. It is launched here with no arguments (see the process tree) and serves only as the hollowing host, not to compile anything.

Suspicious use of SetThreadContext (4 IoCs)
  pid   process                                              target pid   target process
  4188  ab494f466a82dd77680845c90d3d374d_JaffaCakes118.exe   1016         vbc.exe
  1016  vbc.exe                                              3460         Explorer.EXE
  1016  vbc.exe                                              3460         Explorer.EXE
  2784  mstsc.exe                                            3460         Explorer.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   process                                              count
  4188  ab494f466a82dd77680845c90d3d374d_JaffaCakes118.exe   2
  1016  vbc.exe                                              6
  2784  mstsc.exe                                            56

Suspicious behavior: MapViewOfSection (6 IoCs)
  pid   process     count
  1016  vbc.exe     4
  2784  mstsc.exe   2

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  pid   process                                              token
  4188  ab494f466a82dd77680845c90d3d374d_JaffaCakes118.exe   SeDebugPrivilege
  1016  vbc.exe                                              SeDebugPrivilege
  2784  mstsc.exe                                            SeDebugPrivilege

Suspicious use of FindShellTrayWindow (3 IoCs)
  pid   process        count
  3460  Explorer.EXE   3

Suspicious use of SendNotifyMessage (3 IoCs)
  pid   process        count
  3460  Explorer.EXE   3

Suspicious use of UnmapMainImage (1 IoCs)
  pid   process
  3460  Explorer.EXE

Suspicious use of WriteProcessMemory (18 IoCs)
  pid   process                                              target pid   target process   count
  4188  ab494f466a82dd77680845c90d3d374d_JaffaCakes118.exe   1236         csc.exe          3
  1236  csc.exe                                              4248         cvtres.exe       3
  4188  ab494f466a82dd77680845c90d3d374d_JaffaCakes118.exe   1016         vbc.exe          6
  3460  Explorer.EXE                                         2784         mstsc.exe        3
  2784  mstsc.exe                                            3260         cmd.exe          3
  Read together with the SetThreadContext table: the loader both writes into vbc.exe and rewrites its thread context (hollowing), vbc.exe and later mstsc.exe set the thread context of the already running Explorer.EXE, and Explorer.EXE is the parent that launches mstsc.exe.
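The SetThreadContext and WriteProcessMemory tables above are the evidence for the injection chain, and the same two tables appear in the same flattened form on every report of this kind. As an added example (not part of the sandbox report and not the sandbox's own tooling), the following Python parses those rows exactly as the page prints them, labels each source/target pair by the mix of operations seen on it, and walks the chain from the submitted sample. The threshold of three write events per ordinary child spawn is an assumption about how this sandbox logs process creation, not something the report states.

```python
"""Reconstruct the injection chain from a sandbox report's
'set thread context of' / 'wrote to memory of' signature rows.

Added example, not part of the sandbox report. The input rows are copied
from the report's two tables and constructed here as plain strings."""
import re
from collections import Counter

LOADER = "ab494f466a82dd77680845c90d3d374d_JaffaCakes118.exe"

# Rows in the flattened form the report prints them (constructed input).
SET_THREAD_CONTEXT = (
    f"PID 4188 set thread context of 1016 4188 {LOADER} vbc.exe "
    "PID 1016 set thread context of 3460 1016 vbc.exe Explorer.EXE "
    "PID 1016 set thread context of 3460 1016 vbc.exe Explorer.EXE "
    "PID 2784 set thread context of 3460 2784 mstsc.exe Explorer.EXE"
)
WRITE_PROCESS_MEMORY = (
    f"PID 4188 wrote to memory of 1236 4188 {LOADER} csc.exe " * 3
    + "PID 1236 wrote to memory of 4248 1236 csc.exe cvtres.exe " * 3
    + f"PID 4188 wrote to memory of 1016 4188 {LOADER} vbc.exe " * 6
    + "PID 3460 wrote to memory of 2784 3460 Explorer.EXE mstsc.exe " * 3
    + "PID 2784 wrote to memory of 3260 2784 mstsc.exe cmd.exe " * 3
)

# One row: "PID <src> <op> <dst> <src again> <src image> <dst image>"
ROW = re.compile(
    r"PID (\d+) (set thread context of|wrote to memory of) (\d+) \1 (\S+) (\S+)"
)

# Assumption: the sandbox logs about three 'wrote to memory' events for an
# ordinary child spawn; more writes plus a thread-context rewrite is hollowing.
SPAWN_WRITES = 3


def parse_rows(text):
    """Yield (src_pid, op, dst_pid, src_image, dst_image) for every row."""
    for m in ROW.finditer(text):
        op = "ctx" if m.group(2).startswith("set thread") else "write"
        yield int(m.group(1)), op, int(m.group(3)), m.group(4), m.group(5)


def classify_pairs(*tables):
    """Map (src_pid, dst_pid) -> (src_image, dst_image, label)."""
    ops, images = Counter(), {}
    for table in tables:
        for src, op, dst, src_img, dst_img in parse_rows(table):
            ops[(src, dst, op)] += 1
            images[src], images[dst] = src_img, dst_img
    labels = {}
    for src, dst in sorted({(s, d) for s, d, _ in ops}):
        writes, ctx = ops[(src, dst, "write")], ops[(src, dst, "ctx")]
        if ctx and writes > SPAWN_WRITES:
            label = "process hollowing (writes + thread context rewrite)"
        elif ctx:
            label = "thread-context hijack of a running process"
        else:
            label = "child spawn (writes only)"
        labels[(src, dst)] = (images[src], images[dst], label)
    return labels


def injection_chain(labels, root_pid):
    """Depth-first walk of outgoing edges from root_pid; returns the hops
    as (src_pid, src_image, dst_pid, dst_image, label)."""
    hops, seen, stack = [], set(), [root_pid]
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        for (src, dst), (src_img, dst_img, label) in sorted(labels.items()):
            if src == cur:
                hops.append((src, src_img, dst, dst_img, label))
                stack.append(dst)
    return hops


def injection_hops(labels, root_pid):
    """Only the hops that move code into another process (no plain spawns)."""
    return [h for h in injection_chain(labels, root_pid) if "spawn" not in h[4]]


if __name__ == "__main__":
    found = classify_pairs(SET_THREAD_CONTEXT, WRITE_PROCESS_MEMORY)
    for src, src_img, dst, dst_img, label in injection_chain(found, 4188):
        print(f"{src} {src_img} -> {dst} {dst_img}: {label}")
```

Run stand-alone it prints the seven edges in walk order; the three non-spawn hops are the sample into vbc.exe, vbc.exe into Explorer.EXE, and mstsc.exe into Explorer.EXE, which is the chain the signature tables describe. To reuse it on another report, paste that report's two flattened tables into the two constants.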
Processes

C:\Windows\Explorer.EXE  (PID 3460)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\ab494f466a82dd77680845c90d3d374d_JaffaCakes118.exe  (PID 4188)
    command line: "C:\Users\Admin\AppData\Local\Temp\ab494f466a82dd77680845c90d3d374d_JaffaCakes118.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe  (PID 1236)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ntooscit\ntooscit.cmdline"
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe  (PID 4248)
        command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5B5E.tmp" "c:\Users\Admin\AppData\Local\Temp\ntooscit\CSC278CE189450C4205A6FBC56F51FB3F7D.TMP"

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (PID 1016)
      command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\mstsc.exe  (PID 2784)
    command line: "C:\Windows\SysWOW64\mstsc.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 3260)
      command line: /c del "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"

Reading the tree: the .NET loader first compiles a helper at runtime with csc.exe (the ntooscit.* files under %TEMP% in the Downloads section are that compile's source, response file and output), then starts vbc.exe with no arguments and hollows it. The hollowed vbc.exe injects into the already running Explorer.EXE, and Explorer.EXE in turn launches a 32-bit system binary from SysWOW64 (mstsc.exe) that carries the main payload and finally spawns cmd.exe /c del against the vbc.exe path. Whether that delete succeeds depends on the rights of the sandbox account, since it targets the framework's own vbc.exe rather than a dropped copy; for detection, the Explorer.EXE -> mstsc.exe -> cmd.exe /c del sequence is the useful pattern, together with a user-writable executable spawning csc.exe with a response file in %TEMP%.
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RES5B5E.tmpFilesize
1KB
MD5a5b2a1e8c841860826d39fab97448d3c
SHA15f0e0113dcf29ae210a365cc1d68dd1723c73fd7
SHA256cf3de572fceaf492ed7a7f91c9e6f9cbeeda43cc7c404627231973836c9f42f5
SHA51299751a2b4884ac0f053cf9401e506672a03f847562bec4b2c77c7619ba2efb04e0c2c9518aba203d2b5ec997d8732530ca40f4c7eb7dc1b740c6a777fa0f791e
-
C:\Users\Admin\AppData\Local\Temp\ntooscit\ntooscit.dllFilesize
11KB
MD5b251bc23de21bb27e804533c86435691
SHA1e8ea2b38cacc57e6ccc9c77330e10151b4df72c5
SHA2561d53dcb85f9538b2df4c1668b8f39e13932f72d0d15b01e1561986c2e0b1c4e5
SHA51269974c7a52b0147249e8ebeec7ad282f722a9b83cdcb34e96d8673ff11f0f180d1e8dbf70325948340f65d990681776bde186617e1eca5b31af7d6c60564f63d
-
C:\Users\Admin\AppData\Local\Temp\ntooscit\ntooscit.pdbFilesize
37KB
MD549cf50566a1e06f06a59e4edc2695c5d
SHA1c0ef38f8c388adee1fc5c9d296ca363e7c55fcbc
SHA256d3adb8af30f340185672e362ac2d0102893257bc3f7991a8804cc7a86b6fd986
SHA51269386c4d2a1c07461cec2732481aec2127a494cd0b7804e6bc6458f2f34abd3edbe43da7f0a361a6a3c6071f43040f06fe80446f6edcf2ab0e85569ae62ac4a4
-
\??\c:\Users\Admin\AppData\Local\Temp\ntooscit\CSC278CE189450C4205A6FBC56F51FB3F7D.TMPFilesize
1KB
MD53e73ee089221828ef3bdd53819baaef1
SHA19cd2708c96df8856717877e673723e99cef62607
SHA256d312a73552859ba9a2faa7505c715e6a282017446a7fdb88bdce602b32a38c6a
SHA5129d4b828580a4857d9be7819351fbf0d653afa84a9002cede25a961cf96f57c8b5526a8948c92c650f0c319cbe90738a9e9c6b6f85704a4eeddaa481dce2e38f2
-
\??\c:\Users\Admin\AppData\Local\Temp\ntooscit\ntooscit.0.csFilesize
17KB
MD5b7252c18bbd3a3e6d46029d8382ab393
SHA1501c7f88aec9f9f4538fa93bb54eae348480799a
SHA2564694c04c73c327d616a7f9c525eafebb3a067bcde43a3d9bc37dfda77d185d0d
SHA5123ae60e94fc7bd96e842f6926c7e6adeccde08b959b43bc8ae7163ec8ba7d83203e1a8269d4ea4f339040d6a65a08b3e2dbc1dcc854b9e6912e426897436dc071
-
\??\c:\Users\Admin\AppData\Local\Temp\ntooscit\ntooscit.cmdlineFilesize
312B
MD52c7780dab3b7e356945efcd2904f8220
SHA1075e45f6f4936c2bb2cf7a0b980bfd7c84047ad4
SHA256c68e0ca4967eb005a64571acaa3279b1b1493ac1aba7c5e5120b1eeb9321a9eb
SHA51283f92d2811fc7fbb218da5089505d460b0925f4da35d0f5609fc2ff0292467c1abe853442398f03c0be4195bedd61cf7360acaeb95f9b0c28d80f1c305c5edd2
-
Memory dumps (behavioral2), grouped by PID; the three regions matched by the formbook YARA rule are marked.

  dump              range                                     size
  memory/4188-0     0x000000007449E000-0x000000007449F000     4KB
  memory/4188-1     0x0000000000E00000-0x0000000000E44000     272KB
  memory/4188-5     0x0000000074490000-0x0000000074C40000     7.7MB
  memory/4188-17    0x00000000016E0000-0x00000000016EA000     40KB
  memory/4188-19    0x0000000005830000-0x00000000058C2000     584KB
  memory/4188-20    0x0000000005C70000-0x0000000005CAA000     232KB
  memory/4188-21    0x0000000003320000-0x000000000332C000     48KB
  memory/4188-22    0x0000000005CB0000-0x0000000005CDA000     168KB   formbook YARA match
  memory/4188-23    0x0000000005F30000-0x0000000005FCC000     624KB
  memory/4188-37    0x0000000074490000-0x0000000074C40000     7.7MB
  memory/1016-27    0x0000000000400000-0x000000000042A000     168KB   formbook YARA match
  memory/1016-30    0x0000000000400000-0x000000000042A000     168KB   formbook YARA match
  memory/1016-32    0x0000000000430000-0x00000000004F9000     804KB
  memory/2784-33    0x0000000000FA0000-0x00000000010DA000     1.2MB
  memory/2784-36    0x0000000000FA0000-0x00000000010DA000     1.2MB
  memory/3460-28    0x00000000036D0000-0x0000000003813000     1.3MB
  memory/3460-31    0x0000000009620000-0x00000000097B2000     1.6MB
  memory/3460-39    0x00000000036D0000-0x0000000003813000     1.3MB
  memory/3460-40    0x0000000009620000-0x00000000097B2000     1.6MB
  memory/3460-42    0x0000000009340000-0x00000000093FE000     760KB