Analysis
-
max time kernel
138s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
17-06-2024 06:49
Static task
static1
Behavioral task
behavioral1
Sample
b745c75293702c7e47b3c1cafea29d65_JaffaCakes118.exe
Resource
win7-20240611-en
General
-
Target
b745c75293702c7e47b3c1cafea29d65_JaffaCakes118.exe
-
Size
578KB
-
MD5
b745c75293702c7e47b3c1cafea29d65
-
SHA1
51b09d18da82e065b48e79c8ca1a53a00219b62c
-
SHA256
76c5f5e72040b7558eb45e8bf87a551f7ccbd67440b4b7ede1a62e579f69f4de
-
SHA512
9eb5d3952a60e094fb370b9f479a6c1a7cdc7fe9d0f3ea445c4e76750f829b819e628c396b31343833e03584882ecfc0676ee3a9f92e90b53600cb5cde6ddc26
-
SSDEEP
12288:tS2a83T3IKwfUu2iKepGZIHsgEUkVyn3TcWItO:tVd3TYr6IpGJgTwynjcW8O
Malware Config
Extracted
formbook
3.8
el
visioncorp.biz
ligriefrelief.com
yadtika.com
tradiscovery.com
merrittandstyle.com
tongcheng.ltd
omclove.com
gronnbygg.com
mragenciesindia.com
14u4.com
thewatchmart.online
urlaubsvideos.net
fmud.ltd
500proxy.online
nisargsangitagrotourism.com
qyygame.com
childhaus.com
431opebet.com
nlpu4n8r41.biz
phoebus-tech.com
butlerboergoats.com
xiangyueba.com
ichirakus.com
agenlampulalulintas.com
263shop.com
5mzmy.com
hulanwang099.com
alexanderhaye.com
raccal.info
streetsurface.com
tenhofe.com
6582365.com
guratnqdk.com
support-secure-login.com
babyfeedingmats.com
sxlexue.com
porschespalette.com
sxxazs.com
thai-blogs.life
ituklifeinsuranceok.live
cdn-network26-server2.biz
6liuwei.site
oyku.online
goodcausetshirts.com
bbb703.com
tjfcjflaw.com
shape-magazine.site
isotecnik.com
divercode.com
dijongfood.com
italiacuoremio.com
ddiplomata.com
andalibh.com
jbwrfi.faith
additivepass.com
buildmeadream.com
pureandfriendly.com
rdv-oyats.com
heidis-reinigungsservicecom.com
hunli.ink
walnutcreekcalawservices.com
stayabovetheclouds.com
789899.net
xqrunr.com
aboutyd.com
Signatures
-
Formbook payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/1544-8-0x0000000000400000-0x000000000042A000-memory.dmp formbook -
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource yara_rule behavioral2/memory/3832-6-0x0000000005900000-0x0000000005914000-memory.dmp agile_net -
Suspicious use of SetThreadContext 1 IoCs
Processes:
b745c75293702c7e47b3c1cafea29d65_JaffaCakes118.exedescription pid process target process PID 3832 set thread context of 1544 3832 b745c75293702c7e47b3c1cafea29d65_JaffaCakes118.exe b745c75293702c7e47b3c1cafea29d65_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
b745c75293702c7e47b3c1cafea29d65_JaffaCakes118.exepid process 1544 b745c75293702c7e47b3c1cafea29d65_JaffaCakes118.exe 1544 b745c75293702c7e47b3c1cafea29d65_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
b745c75293702c7e47b3c1cafea29d65_JaffaCakes118.exedescription pid process Token: SeDebugPrivilege 3832 b745c75293702c7e47b3c1cafea29d65_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
b745c75293702c7e47b3c1cafea29d65_JaffaCakes118.exedescription pid process target process PID 3832 wrote to memory of 1544 3832 b745c75293702c7e47b3c1cafea29d65_JaffaCakes118.exe b745c75293702c7e47b3c1cafea29d65_JaffaCakes118.exe PID 3832 wrote to memory of 1544 3832 b745c75293702c7e47b3c1cafea29d65_JaffaCakes118.exe b745c75293702c7e47b3c1cafea29d65_JaffaCakes118.exe PID 3832 wrote to memory of 1544 3832 b745c75293702c7e47b3c1cafea29d65_JaffaCakes118.exe b745c75293702c7e47b3c1cafea29d65_JaffaCakes118.exe PID 3832 wrote to memory of 1544 3832 b745c75293702c7e47b3c1cafea29d65_JaffaCakes118.exe b745c75293702c7e47b3c1cafea29d65_JaffaCakes118.exe PID 3832 wrote to memory of 1544 3832 b745c75293702c7e47b3c1cafea29d65_JaffaCakes118.exe b745c75293702c7e47b3c1cafea29d65_JaffaCakes118.exe PID 3832 wrote to memory of 1544 3832 b745c75293702c7e47b3c1cafea29d65_JaffaCakes118.exe b745c75293702c7e47b3c1cafea29d65_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b745c75293702c7e47b3c1cafea29d65_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\b745c75293702c7e47b3c1cafea29d65_JaffaCakes118.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\b745c75293702c7e47b3c1cafea29d65_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\b745c75293702c7e47b3c1cafea29d65_JaffaCakes118.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1300,i,8660989700097327804,17931739887231169645,262144 --variations-seed-version --mojo-platform-channel-handle=4416 /prefetch:81⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1544-8-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/1544-11-0x00000000012B0000-0x00000000015FA000-memory.dmpFilesize
3.3MB
-
memory/3832-0-0x0000000074C5E000-0x0000000074C5F000-memory.dmpFilesize
4KB
-
memory/3832-1-0x0000000000E90000-0x0000000000F26000-memory.dmpFilesize
600KB
-
memory/3832-2-0x0000000005E30000-0x00000000063D4000-memory.dmpFilesize
5.6MB
-
memory/3832-3-0x0000000005920000-0x00000000059B2000-memory.dmpFilesize
584KB
-
memory/3832-4-0x0000000074C50000-0x0000000075400000-memory.dmpFilesize
7.7MB
-
memory/3832-5-0x00000000058E0000-0x00000000058EA000-memory.dmpFilesize
40KB
-
memory/3832-6-0x0000000005900000-0x0000000005914000-memory.dmpFilesize
80KB
-
memory/3832-7-0x0000000006FF0000-0x000000000708C000-memory.dmpFilesize
624KB
-
memory/3832-10-0x0000000074C50000-0x0000000075400000-memory.dmpFilesize
7.7MB