Analysis
max time kernel: 148s
max time network: 118s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 02-07-2024 23:42
Static task: static1
Behavioral task: behavioral1
Sample: 204da52ffbac84b1067d3ee2d06a8b15_JaffaCakes118.exe
Resource: win7-20240508-en
General
Target: 204da52ffbac84b1067d3ee2d06a8b15_JaffaCakes118.exe
Size: 490KB
MD5: 204da52ffbac84b1067d3ee2d06a8b15
SHA1: 05672de9a26d7cb5cfd408f06bc50e71265f32f3
SHA256: 40ee2027d06e0a2ed12888c0e64c43a501ac7f81709625eb1ed61e5b0e43f865
SHA512: 0989cf3b1de4c71e664471cfb9ff783c250e8d251e1438dd01815f8ee3d7103b9b55dd8dfaf374e0ce1ec2c605efc3cb6f8f46df9a9e209ee5638fb0762296b5
SSDEEP: 6144:MTDMAYloj1/L8YEAQwgG5hUf+uJ18yL3gfDj3f4acR2RzqmCGujxggwHDU1W8:+DMAzjN4YEAFKmE0fbcgcVwg1W8
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: pep
C2 / decoy domain list (Formbook hides its live C2 among decoys):
whitelabelgraphics.pro
futureguidefilms.com
mission-duplex.com
rutherealty.com
acehardwaremall.com
potenb.com
tbhawt.com
momentum-ip.group
m8sr8s.com
cfwagner.com
umiyama-eri.com
klantenvinden.com
simplycasd.com
visionhomerecruiting.com
inkjet-material.com
banking-aib.com
fast1performance.com
eventsbyja.com
breuer.network
smartecelectronics.com
vtbunkie.com
lexingtonclarke.com
ayintapbaklava.com
sugarstyleearrings.com
caiyanxi.com
the2mblueprint.com
bakldx.com
7choicesar.com
jesusencounterminisries.com
lamptail.com
bobkeet.com
chasingplanet.com
obernix.com
managementgpus.mobi
tcunionnet.com
hydzonised.com
jennie-espy.com
animeinkcon.com
hesovery.cool
bvilifemagazine.com
medicareworldnewsreport.net
zdrowykon.com
atenmedilatam.com
dlasso.com
7si3.com
seasonedsupport.com
29essentials.com
cnpuhang.com
yyaa2.net
neocareadvisory.com
tblsportshoes.com
chohub.com
initiationpodcast.com
architex.info
jamietylerlee.com
diusae.com
sun-go24.com
rfeap.com
safunerepublic.com
juanluanzi.com
neptuneribs.com
defocasc.com
tatilingerie.com
all-env.com
triumphantlytransformedbk.com
Signatures

Formbook payload (2 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/2972-17-0x0000000000400000-0x000000000042E000-memory.dmp  formbook
  behavioral1/memory/2972-23-0x0000000000400000-0x000000000042E000-memory.dmp  formbook
Executes dropped EXE (1 IoC)
  pid   process
  2972  AddInProcess32.exe
Loads dropped DLL (1 IoC)
  pid   process
  1492  204da52ffbac84b1067d3ee2d06a8b15_JaffaCakes118.exe
Obfuscated with Agile.Net obfuscator (1 IoC)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  resource                                                                    yara_rule
  behavioral1/memory/1492-3-0x00000000043E0000-0x0000000004408000-memory.dmp  agile_net
Suspicious use of SetThreadContext (3 IoCs)
  description                            pid   process                                             target process
  PID 1492 set thread context of 2972    1492  204da52ffbac84b1067d3ee2d06a8b15_JaffaCakes118.exe  AddInProcess32.exe
  PID 2972 set thread context of 1184    2972  AddInProcess32.exe                                  Explorer.EXE
  PID 2648 set thread context of 1184    2648  cmstp.exe                                           Explorer.EXE
Suspicious behavior: EnumeratesProcesses (26 IoCs)
  pid   process                                             occurrences
  1492  204da52ffbac84b1067d3ee2d06a8b15_JaffaCakes118.exe  2
  2972  AddInProcess32.exe                                  2
  2648  cmstp.exe                                           22
Suspicious behavior: MapViewOfSection (5 IoCs)
  pid   process             occurrences
  2972  AddInProcess32.exe  3
  2648  cmstp.exe           2
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description               pid   process
  Token: SeDebugPrivilege   1492  204da52ffbac84b1067d3ee2d06a8b15_JaffaCakes118.exe
  Token: SeDebugPrivilege   2972  AddInProcess32.exe
  Token: SeDebugPrivilege   2648  cmstp.exe
Suspicious use of WriteProcessMemory (18 IoCs)
  description                         pid   process                                             target process      occurrences
  PID 1492 wrote to memory of 2972    1492  204da52ffbac84b1067d3ee2d06a8b15_JaffaCakes118.exe  AddInProcess32.exe  7
  PID 1184 wrote to memory of 2648    1184  Explorer.EXE                                        cmstp.exe           7
  PID 2648 wrote to memory of 2544    2648  cmstp.exe                                           cmd.exe             4
Processes
(process tree; depth shown by indentation, PIDs taken from the signature tables above)

[1] C:\Windows\Explorer.EXE (PID 1184)
    command line: C:\Windows\Explorer.EXE
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\204da52ffbac84b1067d3ee2d06a8b15_JaffaCakes118.exe (PID 1492)
        command line: "C:\Users\Admin\AppData\Local\Temp\204da52ffbac84b1067d3ee2d06a8b15_JaffaCakes118.exe"
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe (PID 2972)
            command line: "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\cmstp.exe (PID 2648)
        command line: "C:\Windows\SysWOW64\cmstp.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe (PID 2544)
            command line: /c del "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
Network
MITRE ATT&CK Matrix
Downloads
\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
  Filesize: 41KB
  MD5: 6a673bfc3b67ae9782cb31af2f234c68
  SHA1: 7544e89566d91e84e3cd437b9a073e5f6b56566e
  SHA256: 978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e
  SHA512: 72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39
Memory dumps
  dump                                                             Filesize
  memory/1184-25-0x00000000075D0000-0x0000000007760000-memory.dmp  1.6MB
  memory/1184-22-0x0000000003190000-0x0000000003290000-memory.dmp  1024KB
  memory/1184-31-0x00000000075D0000-0x0000000007760000-memory.dmp  1.6MB
  memory/1492-9-0x0000000000800000-0x0000000000806000-memory.dmp   24KB
  memory/1492-5-0x0000000074E2E000-0x0000000074E2F000-memory.dmp   4KB
  memory/1492-6-0x0000000074E20000-0x000000007550E000-memory.dmp   6.9MB
  memory/1492-8-0x00000000007F0000-0x0000000000804000-memory.dmp   80KB
  memory/1492-4-0x0000000074E20000-0x000000007550E000-memory.dmp   6.9MB
  memory/1492-3-0x00000000043E0000-0x0000000004408000-memory.dmp   160KB
  memory/1492-0-0x0000000074E2E000-0x0000000074E2F000-memory.dmp   4KB
  memory/1492-2-0x0000000074E20000-0x000000007550E000-memory.dmp   6.9MB
  memory/1492-19-0x0000000074E20000-0x000000007550E000-memory.dmp  6.9MB
  memory/1492-1-0x0000000000F60000-0x0000000000FE0000-memory.dmp   512KB
  memory/2648-26-0x00000000005B0000-0x00000000005C8000-memory.dmp  96KB
  memory/2648-28-0x00000000005B0000-0x00000000005C8000-memory.dmp  96KB
  memory/2972-13-0x0000000000400000-0x000000000042E000-memory.dmp  184KB
  memory/2972-24-0x0000000000190000-0x00000000001A4000-memory.dmp  80KB
  memory/2972-20-0x00000000009C0000-0x0000000000CC3000-memory.dmp  3.0MB
  memory/2972-23-0x0000000000400000-0x000000000042E000-memory.dmp  184KB
  memory/2972-17-0x0000000000400000-0x000000000042E000-memory.dmp  184KB
  memory/2972-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp  4KB
  memory/2972-14-0x0000000000400000-0x000000000042E000-memory.dmp  184KB