Analysis
-
max time kernel
52s -
max time network
52s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system -
submitted
16-06-2024 02:14
Static task
static1
Behavioral task
behavioral1 (Sample: b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe, Resource: win7-20240611-en)
Note: the signatures and memory dumps on this page are tagged behavioral2 and were produced on win10v2004-20240508-en (see the Analysis header above); the behavioral1 task on win7-20240611-en is listed but its results are not included here.
General
-
Target
b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe
-
Size
803KB
-
MD5
b1476a5884e12126481a80a2342a71c5
-
SHA1
2e3d833cff9ce52aa215fbb3f05be770ccfaea8a
-
SHA256
40a35fc445ad1fc7075970dc0f3d650ca1acceda71bf4d882e7403e3ef2b2896
-
SHA512
660150236f91c95369f2fc9d1af3880d210512bacd9856c68a087ac24d15923a0a711413f068e1566617529656ad70e290f7d8f34fcfa92c9ca1354f817ae5db
-
SSDEEP
6144:EpEc6LLqTnBsutsDn4Bn0lJe38COv8XmTjkLm8nfsxF7wjim/vhcJvJwbZz:EyPL+D6700lWM82vkLnfOOim31bZ
Malware Config
Extracted
Family: formbook
Version: 3.8
Campaign: dg1
C2 domains (65 entries; a Formbook configuration mixes decoy domains in with the real C2, so treat the list as one indicator set rather than 65 confirmed servers):
pilatesmania.life
5bcoin.com
ammowillcall.com
quickwinz.market
terigele.com
sohotoken.com
tielingwww.site
lz2b3.info
norisc.com
digitalkonsultan.com
925manbetx.com
laricipark.com
quantum7nutrition.com
xceedcg.com
hanagel.com
cane91.download
iotadocker.com
brackenupholstery.com
erfolg-sichern.online
bihuorg.com
julieannemonroe.com
plazalascanas.com
howtodobooks.com
tamsonphotography.city
come-and-read.com
greenbirdeventsnj.com
globalcurrency.money
sunflowersecrets.com
xishencun.com
marcjacobsoutletco.com
creep.directory
studionineyoga.com
yexe.ltd
yz330.com
style-still.com
htdxxv.info
desatlogoblitar.com
kaptenkerang.com
lgh-light.com
rapidproto-expert.com
nail-boo.info
tamvandatranghuy.com
lfmean.com
energgy.tech
vj8ehq.info
ucesi.com
allfiwaterjet.com
nfjqbgja.com
wwnjx.com
03k8qo.info
united-ush.com
www231789.com
ceips.info
888coins.info
tcamersfoorteemvallei.com
healthyphy.com
moisturemasks.com
skepscape.com
chameleon-storytelling.com
shopbrunchwiththegirls.com
swty00555.com
cyanoestudio.com
lcoise.men
seaholidays.info
elsbouse.com
Signatures
-
Formbook payload 1 IoCs
Processes:
resource: behavioral2/memory/400-7-0x0000000000400000-0x000000000042A000-memory.dmp
yara_rule: formbook
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource: behavioral2/memory/3740-2-0x0000000002820000-0x0000000002848000-memory.dmp
yara_rule: agile_net
Suspicious use of SetThreadContext 1 IoCs
Processes:
PID 3740 (b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe) set thread context of PID 400 (b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe)
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
PID 400 (b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe), 2 events
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Token: SeDebugPrivilege, PID 3740 (b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe)
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
PID 3740 (b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe) wrote to memory of PID 400 (b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe), 6 events
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe" (PID 3740)
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe" (PID 400, child of 3740)
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
-
memory/400-7-0x0000000000400000-0x000000000042A000-memory.dmp    Filesize 168KB
memory/400-10-0x0000000001AA0000-0x0000000001DEA000-memory.dmp   Filesize 3.3MB
memory/3740-0-0x000000007473E000-0x000000007473F000-memory.dmp   Filesize 4KB
memory/3740-1-0x00000000004C0000-0x000000000058E000-memory.dmp   Filesize 824KB
memory/3740-2-0x0000000002820000-0x0000000002848000-memory.dmp   Filesize 160KB
memory/3740-3-0x00000000054C0000-0x0000000005A64000-memory.dmp   Filesize 5.6MB
memory/3740-4-0x0000000005030000-0x00000000050C2000-memory.dmp   Filesize 584KB
memory/3740-5-0x0000000074730000-0x0000000074EE0000-memory.dmp   Filesize 7.7MB
memory/3740-6-0x0000000005A70000-0x0000000005B0C000-memory.dmp   Filesize 624KB
memory/3740-9-0x0000000074730000-0x0000000074EE0000-memory.dmp   Filesize 7.7MB
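The three "Suspicious use of ..." signatures (SetThreadContext, WriteProcessMemory and SeDebugPrivilege from PID 3740 into PID 400, a second copy of the same executable) and the two YARA hits on the memory dumps describe a single chain: the Agile.Net-obfuscated .NET loader in 3740 writes into and redirects a thread of its own child, and the Formbook payload is then found in the child's image region at 0x400000. The script below is an added example, not part of the sandbox report or its tooling: it parses the flattened signature rows and dump names in the formats this page uses (copied here as constructed input, with only three of the six identical WriteProcessMemory rows), collapses them into one injection edge per source/target pair, labels the combination of cross-process write plus SetThreadContext into a same-image child as process hollowing, and recomputes each YARA-hit region's size from the dump name so it can be checked against the reported Filesize. The regexes, labels and field names are my own assumptions about the row layout, not a documented schema.

```python
import re
from collections import defaultdict

# Constructed input: signature rows in the layout used on this page (subset of
# the six identical WriteProcessMemory rows).
SIGNATURE_ROWS = """
PID 3740 set thread context of 400 3740 b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe
PID 3740 wrote to memory of 400 3740 b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe
PID 3740 wrote to memory of 400 3740 b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe
PID 3740 wrote to memory of 400 3740 b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe b1476a5884e12126481a80a2342a71c5_JaffaCakes118.exe
"""

# Constructed input: the two YARA rows from the Signatures section.
YARA_ROWS = """
behavioral2/memory/400-7-0x0000000000400000-0x000000000042A000-memory.dmp formbook
behavioral2/memory/3740-2-0x0000000002820000-0x0000000002848000-memory.dmp agile_net
"""

# Assumed row layout: "PID <src> <action> <dst> <src> <src image> <dst image>".
ROW_RE = re.compile(
    r"PID (?P<src>\d+) (?P<api>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P<src2>\d+) (?P<src_img>\S+) (?P<dst_img>\S+)")
# Assumed dump-name layout: memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp")

API_NAME = {"set thread context of": "SetThreadContext",
            "wrote to memory of": "WriteProcessMemory"}


def parse_edges(rows):
    """Collapse signature rows into one record per (source pid, target pid)."""
    edges = {}
    for line in rows.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # skip rows in any other layout rather than guessing
        key = (int(m["src"]), int(m["dst"]))
        rec = edges.setdefault(key, {"apis": defaultdict(int),
                                     "same_image": m["src_img"] == m["dst_img"]})
        rec["apis"][API_NAME[m["api"]]] += 1
    return edges


def classify(edges):
    """Label edges that combine a cross-process write with SetThreadContext.
    A same-image target (a suspended copy of itself) is the classic hollowing
    shape; a different image is still injection, just not self-hollowing."""
    findings = []
    for (src, dst), rec in edges.items():
        apis = rec["apis"]
        if apis.get("WriteProcessMemory") and apis.get("SetThreadContext"):
            kind = ("process hollowing into a copy of itself"
                    if rec["same_image"]
                    else "write + SetThreadContext into another image")
            findings.append((src, dst, kind))
    return findings


def parse_dump(path):
    """Split a dump name into pid, index, address range and byte size."""
    m = DUMP_RE.search(path)
    if not m:
        raise ValueError(f"unrecognised dump name: {path}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "idx": int(m["idx"]),
            "start": start, "end": end, "size": end - start}


def map_yara(rows):
    """Attach each YARA rule hit to the region it fired on, with size in KB."""
    hits = []
    for line in rows.strip().splitlines():
        path, rule = line.rsplit(" ", 1)
        d = parse_dump(path)
        d["rule"] = rule
        d["size_kb"] = d["size"] // 1024
        hits.append(d)
    return hits


if __name__ == "__main__":
    for src, dst, kind in classify(parse_edges(SIGNATURE_ROWS)):
        print(f"{src} -> {dst}: {kind}")
    for h in map_yara(YARA_ROWS):
        print(f"{h['rule']:>10}  pid {h['pid']}  @ {h['start']:#x}  {h['size_kb']} KB")
```

Run against the rows above it reports one edge, 3740 -> 400, as hollowing into a copy of itself, and places the formbook hit in PID 400 at 0x400000 (0x2A000 bytes, 168 KB) and the agile_net hit in PID 3740 at 0x2820000 (160 KB), matching the Filesize values listed for those dumps. The size check is worth keeping in any triage script: a YARA hit on a 168 KB region at the default image base of a freshly spawned child, rather than on the 824 KB parent image, is what distinguishes "unpacked payload" from "packer stub" when you choose which dump to pull into a disassembler.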