Analysis
- max time kernel: 94s
- max time network: 95s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-06-2024 22:26
Static task: static1
Behavioral task: behavioral1
Sample: 13b21115bd414b3cff0365351398e92a_JaffaCakes118.exe
Resource: win7-20231129-en
General
- Target: 13b21115bd414b3cff0365351398e92a_JaffaCakes118.exe
- Size: 823KB
- MD5: 13b21115bd414b3cff0365351398e92a
- SHA1: 8a017b7cfc0128c584b64cf8b531e9387a211858
- SHA256: bf84393caee9b769b516681ec8998afe26c22255c405ea9a027608ccf38ea36b
- SHA512: 30681b65911dffd7091ef72e08f0e54197b4f153f89f77590e0d7f714b59066fb95e8861616f44cbcf01b15b148a69bf6dcb02207f73daf2a1ed0067fac0d309
- SSDEEP: 12288:oLXHsXw4voVatmZZgVm2WCDSZcWl76imBp4EmJi:QXHGTvcA4ZSm2ZymT4EmJi
Malware Config (extracted)
- Family: formbook
- Version: 4.1
- Campaign: pep
- Domains:
whitelabelgraphics.pro
futureguidefilms.com
mission-duplex.com
rutherealty.com
acehardwaremall.com
potenb.com
tbhawt.com
momentum-ip.group
m8sr8s.com
cfwagner.com
umiyama-eri.com
klantenvinden.com
simplycasd.com
visionhomerecruiting.com
inkjet-material.com
banking-aib.com
fast1performance.com
eventsbyja.com
breuer.network
smartecelectronics.com
vtbunkie.com
lexingtonclarke.com
ayintapbaklava.com
sugarstyleearrings.com
caiyanxi.com
the2mblueprint.com
bakldx.com
7choicesar.com
jesusencounterminisries.com
lamptail.com
bobkeet.com
chasingplanet.com
obernix.com
managementgpus.mobi
tcunionnet.com
hydzonised.com
jennie-espy.com
animeinkcon.com
hesovery.cool
bvilifemagazine.com
medicareworldnewsreport.net
zdrowykon.com
atenmedilatam.com
dlasso.com
7si3.com
seasonedsupport.com
29essentials.com
cnpuhang.com
yyaa2.net
neocareadvisory.com
tblsportshoes.com
chohub.com
initiationpodcast.com
architex.info
jamietylerlee.com
diusae.com
sun-go24.com
rfeap.com
safunerepublic.com
juanluanzi.com
neptuneribs.com
defocasc.com
tatilingerie.com
all-env.com
triumphantlytransformedbk.com
Signatures
- Formbook payload (1 IoCs)
  resource: behavioral2/memory/860-21-0x0000000000530000-0x000000000055E000-memory.dmp, yara_rule: formbook
- Executes dropped EXE (1 IoCs)
  pid 860, process AddInProcess32.exe
- Obfuscated with Agile.Net obfuscator (1 IoCs)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  resource: behavioral2/memory/2632-7-0x00000000072A0000-0x00000000072C8000-memory.dmp, yara_rule: agile_net
- Suspicious use of SetThreadContext (1 IoCs)
  PID 2632 (13b21115bd414b3cff0365351398e92a_JaffaCakes118.exe) set thread context of PID 860 (AddInProcess32.exe)
- Program crash (1 IoCs)
  pid 2896 (WerFault.exe), target pid 860 (AddInProcess32.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 2632 (13b21115bd414b3cff0365351398e92a_JaffaCakes118.exe), 2 events
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Token: SeDebugPrivilege, pid 2632 (13b21115bd414b3cff0365351398e92a_JaffaCakes118.exe)
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2632 (13b21115bd414b3cff0365351398e92a_JaffaCakes118.exe) wrote to memory of PID 860 (AddInProcess32.exe), 6 events
Processes
- C:\Users\Admin\AppData\Local\Temp\13b21115bd414b3cff0365351398e92a_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\13b21115bd414b3cff0365351398e92a_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
    - Executes dropped EXE
    - C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 184
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 860 -ip 860
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
  Filesize: 42KB
  MD5: 9827ff3cdf4b83f9c86354606736ca9c
  SHA1: e73d73f42bb2a310f03eb1bcbb22be2b8eb7c723
  SHA256: c1cf3dc8fa1c7fc00f88e07ad539979b3706ca8d69223cffd1d58bc8f521f63a
  SHA512: 8261828d55f3b5134c0aeb98311c04e20c5395d4347251746f3be0fb854f36cc7e118713cd00c9867537e6e47d5e71f2b2384fc00c67f0ae1b285b8310321579
- memory/860-21-0x0000000000530000-0x000000000055E000-memory.dmp
  Filesize: 184KB
- memory/2632-8-0x00000000075F0000-0x0000000007656000-memory.dmp
  Filesize: 408KB
- memory/2632-11-0x00000000749DE000-0x00000000749DF000-memory.dmp
  Filesize: 4KB
- memory/2632-4-0x0000000005A40000-0x0000000005D94000-memory.dmp
  Filesize: 3.3MB
- memory/2632-5-0x0000000005EB0000-0x0000000005F4C000-memory.dmp
  Filesize: 624KB
- memory/2632-6-0x00000000749D0000-0x0000000075180000-memory.dmp
  Filesize: 7.7MB
- memory/2632-7-0x00000000072A0000-0x00000000072C8000-memory.dmp
  Filesize: 160KB
- memory/2632-0-0x00000000749DE000-0x00000000749DF000-memory.dmp
  Filesize: 4KB
- memory/2632-9-0x00000000075B0000-0x00000000075D2000-memory.dmp
  Filesize: 136KB
- memory/2632-10-0x00000000749D0000-0x0000000075180000-memory.dmp
  Filesize: 7.7MB
- memory/2632-3-0x0000000005960000-0x00000000059F2000-memory.dmp
  Filesize: 584KB
- memory/2632-12-0x00000000749D0000-0x0000000075180000-memory.dmp
  Filesize: 7.7MB
- memory/2632-13-0x00000000749D0000-0x0000000075180000-memory.dmp
  Filesize: 7.7MB
- memory/2632-15-0x00000000079B0000-0x00000000079C4000-memory.dmp
  Filesize: 80KB
- memory/2632-16-0x0000000007150000-0x0000000007156000-memory.dmp
  Filesize: 24KB
- memory/2632-2-0x0000000005FF0000-0x0000000006594000-memory.dmp
  Filesize: 5.6MB
- memory/2632-1-0x0000000000EE0000-0x0000000000FB4000-memory.dmp
  Filesize: 848KB
- memory/2632-23-0x00000000749D0000-0x0000000075180000-memory.dmp
  Filesize: 7.7MB