Analysis

Max time kernel: 71s
Max time network: 63s
Platform: windows10-2004_x64
Resource: win10v2004-20240508-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 01-07-2024 10:51

Static task: static1
Behavioral task: behavioral1
Sample: 1b02b2110a83c75e00319da7df7f1ed3_JaffaCakes118.exe
Resource: win7-20240419-en
General

Target: 1b02b2110a83c75e00319da7df7f1ed3_JaffaCakes118.exe
Size: 507KB
MD5: 1b02b2110a83c75e00319da7df7f1ed3
SHA1: 01ca66b6bd83c1c4e9168767422815b327bfa2a2
SHA256: 6a0c21a5a37e307becd9ed9bdee0f3f41e3d1a61847a6e9ae272ec891d4f7728
SHA512: 93eee319549c963b9639a1bdf05f872e7834afdbd6fc7167cd40cb579e607e7b212c259cb8aae08190f0c827e0da448903a161f1ae98ee397c38afa8059ac2ce
SSDEEP: 12288:pSlQOcPTxF0cvmpJZIxXwWW2WiZnqrw+fuJptW+3e3miUZ:OKTxacvmPZIxjmiFqr/u1LUC
Malware Config (extracted)

Family: formbook
Version: 4.1
Campaign: ffw
Decoy domains:
Signatures

Formbook payload (1 IoC)
  Resource: behavioral2/memory/224-13-0x0000000000400000-0x000000000042E000-memory.dmp
  YARA rule: formbook

Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
  Process: 1b02b2110a83c75e00319da7df7f1ed3_JaffaCakes118.exe
  Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions

Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
  Process: 1b02b2110a83c75e00319da7df7f1ed3_JaffaCakes118.exe
  Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  Process: 1b02b2110a83c75e00319da7df7f1ed3_JaffaCakes118.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
  Process: 1b02b2110a83c75e00319da7df7f1ed3_JaffaCakes118.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0

Suspicious use of SetThreadContext (1 IoC)
  PID 3560 (1b02b2110a83c75e00319da7df7f1ed3_JaffaCakes118.exe) set thread context of PID 224 (1b02b2110a83c75e00319da7df7f1ed3_JaffaCakes118.exe)

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  PID 3560: 1b02b2110a83c75e00319da7df7f1ed3_JaffaCakes118.exe
  PID 224: 1b02b2110a83c75e00319da7df7f1ed3_JaffaCakes118.exe
  PID 224: 1b02b2110a83c75e00319da7df7f1ed3_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 3560 (1b02b2110a83c75e00319da7df7f1ed3_JaffaCakes118.exe): Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 3560 (1b02b2110a83c75e00319da7df7f1ed3_JaffaCakes118.exe) wrote to memory of PID 224 (1b02b2110a83c75e00319da7df7f1ed3_JaffaCakes118.exe), 6 occurrences
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\1b02b2110a83c75e00319da7df7f1ed3_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1b02b2110a83c75e00319da7df7f1ed3_JaffaCakes118.exe"
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Depth 2 (child of the above): C:\Users\Admin\AppData\Local\Temp\1b02b2110a83c75e00319da7df7f1ed3_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1b02b2110a83c75e00319da7df7f1ed3_JaffaCakes118.exe"
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

Memory dump (filename) / Filesize
memory/224-13-0x0000000000400000-0x000000000042E000-memory.dmp / 184KB
memory/224-16-0x0000000001160000-0x00000000014AA000-memory.dmp / 3.3MB
memory/3560-8-0x0000000005C80000-0x0000000005C8A000-memory.dmp / 40KB
memory/3560-9-0x0000000074C8E000-0x0000000074C8F000-memory.dmp / 4KB
memory/3560-4-0x0000000005A30000-0x0000000005AC2000-memory.dmp / 584KB
memory/3560-7-0x0000000074C80000-0x0000000075430000-memory.dmp / 7.7MB
memory/3560-6-0x00000000059C0000-0x0000000005A16000-memory.dmp / 344KB
memory/3560-5-0x00000000058B0000-0x00000000058BA000-memory.dmp / 40KB
memory/3560-0-0x0000000074C8E000-0x0000000074C8F000-memory.dmp / 4KB
memory/3560-3-0x0000000005FE0000-0x0000000006584000-memory.dmp / 5.6MB
memory/3560-10-0x0000000074C80000-0x0000000075430000-memory.dmp / 7.7MB
memory/3560-11-0x0000000001940000-0x00000000019A2000-memory.dmp / 392KB
memory/3560-12-0x0000000005F60000-0x0000000005FC6000-memory.dmp / 408KB
memory/3560-2-0x0000000005920000-0x00000000059BC000-memory.dmp / 624KB
memory/3560-15-0x0000000074C80000-0x0000000075430000-memory.dmp / 7.7MB
memory/3560-1-0x0000000000E70000-0x0000000000EF6000-memory.dmp / 536KB