Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 16-06-2024 02:14
Static task: static1
Behavioral task: behavioral1
Sample: b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe
Resource: win7-20240611-en
General
- Target: b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe
- Size: 803KB
- MD5: b1476a5884e12126481a80a2342a71c5
- SHA1: 2e3d833cff9ce52aa215fbb3f05be770ccfaea8a
- SHA256: 40a35fc445ad1fc7075970dc0f3d650ca1acceda71bf4d882e7403e3ef2b2896
- SHA512: 660150236f91c95369f2fc9d1af3880d210512bacd9856c68a087ac24d15923a0a711413f068e1566617529656ad70e290f7d8f34fcfa92c9ca1354f817ae5db
- SSDEEP: 6144:EpEc6LLqTnBsutsDn4Bn0lJe38COv8XmTjkLm8nfsxF7wjim/vhcJvJwbZz:EyPL+D6700lWM82vkLnfOOim31bZ
Malware Config
- Extracted: formbook, 3.8, dg1
Signatures
- Formbook payload (1 IoC)
  resource: behavioral1/memory/1800-11-0x0000000000080000-0x00000000000AA000-memory.dmp; yara_rule: formbook
- Obfuscated with Agile.Net obfuscator (1 IoC)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  resource: behavioral1/memory/2032-2-0x00000000002B0000-0x00000000002D8000-memory.dmp; yara_rule: agile_net
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 2032 set thread context of 1800; pid: 2032; process: b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe; target process: b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid: 1800; process: b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege; pid: 2032; process: b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description: PID 2032 wrote to memory of 1800; pid: 2032; process: b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe; target process: b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe (7 identical entries)
Processes
- "C:\Users\Admin\AppData\Local\Temp\b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe" (depth 1)
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - "C:\Users\Admin\AppData\Local\Temp\b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe" (depth 2)
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
- memory/1800-6-0x0000000000080000-0x00000000000AA000-memory.dmp (Filesize: 168KB)
- memory/1800-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
- memory/1800-8-0x0000000000080000-0x00000000000AA000-memory.dmp (Filesize: 168KB)
- memory/1800-11-0x0000000000080000-0x00000000000AA000-memory.dmp (Filesize: 168KB)
- memory/1800-14-0x0000000000AA0000-0x0000000000DA3000-memory.dmp (Filesize: 3.0MB)
- memory/2032-0-0x00000000744DE000-0x00000000744DF000-memory.dmp (Filesize: 4KB)
- memory/2032-1-0x0000000000360000-0x000000000042E000-memory.dmp (Filesize: 824KB)
- memory/2032-2-0x00000000002B0000-0x00000000002D8000-memory.dmp (Filesize: 160KB)
- memory/2032-3-0x00000000744D0000-0x0000000074BBE000-memory.dmp (Filesize: 6.9MB)
- memory/2032-4-0x00000000744D0000-0x0000000074BBE000-memory.dmp (Filesize: 6.9MB)
- memory/2032-13-0x00000000744D0000-0x0000000074BBE000-memory.dmp (Filesize: 6.9MB)