Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-07-2024 23:42
Static task: static1
Behavioral task: behavioral1
Sample: 204da52ffbac84b1067d3ee2d06a8b15_JaffaCakes118.exe
Resource: win7-20240508-en
General
Target: 204da52ffbac84b1067d3ee2d06a8b15_JaffaCakes118.exe
Size: 490KB
MD5: 204da52ffbac84b1067d3ee2d06a8b15
SHA1: 05672de9a26d7cb5cfd408f06bc50e71265f32f3
SHA256: 40ee2027d06e0a2ed12888c0e64c43a501ac7f81709625eb1ed61e5b0e43f865
SHA512: 0989cf3b1de4c71e664471cfb9ff783c250e8d251e1438dd01815f8ee3d7103b9b55dd8dfaf374e0ce1ec2c605efc3cb6f8f46df9a9e209ee5638fb0762296b5
SSDEEP: 6144:MTDMAYloj1/L8YEAQwgG5hUf+uJ18yL3gfDj3f4acR2RzqmCGujxggwHDU1W8:+DMAzjN4YEAFKmE0fbcgcVwg1W8
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: pep
Domains (one per line):
whitelabelgraphics.pro
futureguidefilms.com
mission-duplex.com
rutherealty.com
acehardwaremall.com
potenb.com
tbhawt.com
momentum-ip.group
m8sr8s.com
cfwagner.com
umiyama-eri.com
klantenvinden.com
simplycasd.com
visionhomerecruiting.com
inkjet-material.com
banking-aib.com
fast1performance.com
eventsbyja.com
breuer.network
smartecelectronics.com
vtbunkie.com
lexingtonclarke.com
ayintapbaklava.com
sugarstyleearrings.com
caiyanxi.com
the2mblueprint.com
bakldx.com
7choicesar.com
jesusencounterminisries.com
lamptail.com
bobkeet.com
chasingplanet.com
obernix.com
managementgpus.mobi
tcunionnet.com
hydzonised.com
jennie-espy.com
animeinkcon.com
hesovery.cool
bvilifemagazine.com
medicareworldnewsreport.net
zdrowykon.com
atenmedilatam.com
dlasso.com
7si3.com
seasonedsupport.com
29essentials.com
cnpuhang.com
yyaa2.net
neocareadvisory.com
tblsportshoes.com
chohub.com
initiationpodcast.com
architex.info
jamietylerlee.com
diusae.com
sun-go24.com
rfeap.com
safunerepublic.com
juanluanzi.com
neptuneribs.com
defocasc.com
tatilingerie.com
all-env.com
triumphantlytransformedbk.com
Signatures

Formbook payload (2 IoCs)
  behavioral2/memory/4308-16-0x0000000000400000-0x000000000042E000-memory.dmp (yara_rule: formbook)
  behavioral2/memory/4308-22-0x0000000000400000-0x000000000042E000-memory.dmp (yara_rule: formbook)

Executes dropped EXE (1 IoC)
  PID 4308 AddInProcess32.exe

Obfuscated with Agile.Net obfuscator (1 IoC)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  behavioral2/memory/2464-6-0x0000000006740000-0x0000000006768000-memory.dmp (yara_rule: agile_net)

Suspicious use of SetThreadContext (3 IoCs)
  PID 2464 (204da52ffbac84b1067d3ee2d06a8b15_JaffaCakes118.exe) set thread context of PID 4308 (AddInProcess32.exe)
  PID 4308 (AddInProcess32.exe) set thread context of PID 3484 (Explorer.EXE)
  PID 1624 (wlanext.exe) set thread context of PID 3484 (Explorer.EXE)

Suspicious behavior: EnumeratesProcesses (52 IoCs)
  PID 2464 204da52ffbac84b1067d3ee2d06a8b15_JaffaCakes118.exe (2 entries)
  PID 4308 AddInProcess32.exe (4 entries)
  PID 1624 wlanext.exe (remaining 46 entries)

Suspicious behavior: MapViewOfSection (5 IoCs)
  PID 4308 AddInProcess32.exe (3 entries)
  PID 1624 wlanext.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege, PID 2464 204da52ffbac84b1067d3ee2d06a8b15_JaffaCakes118.exe
  Token: SeDebugPrivilege, PID 4308 AddInProcess32.exe
  Token: SeDebugPrivilege, PID 1624 wlanext.exe

Suspicious use of UnmapMainImage (1 IoC)
  PID 3484 Explorer.EXE

Suspicious use of WriteProcessMemory (12 IoCs)
  PID 2464 (204da52ffbac84b1067d3ee2d06a8b15_JaffaCakes118.exe) wrote to memory of PID 4308 (AddInProcess32.exe) (6 entries)
  PID 3484 (Explorer.EXE) wrote to memory of PID 1624 (wlanext.exe) (3 entries)
  PID 1624 (wlanext.exe) wrote to memory of PID 1208 (cmd.exe) (3 entries)
Processes

C:\Windows\Explorer.EXE  (depth 1)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\204da52ffbac84b1067d3ee2d06a8b15_JaffaCakes118.exe  (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\204da52ffbac84b1067d3ee2d06a8b15_JaffaCakes118.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe  (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\wlanext.exe  (depth 2)
    Command line: "C:\Windows\SysWOW64\wlanext.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (depth 3)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
Network
MITRE ATT&CK Matrix
Downloads

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
  Filesize: 42KB
  MD5: 9827ff3cdf4b83f9c86354606736ca9c
  SHA1: e73d73f42bb2a310f03eb1bcbb22be2b8eb7c723
  SHA256: c1cf3dc8fa1c7fc00f88e07ad539979b3706ca8d69223cffd1d58bc8f521f63a
  SHA512: 8261828d55f3b5134c0aeb98311c04e20c5395d4347251746f3be0fb854f36cc7e118713cd00c9867537e6e47d5e71f2b2384fc00c67f0ae1b285b8310321579

memory/1624-25-0x0000000000430000-0x0000000000447000-memory.dmp
  Filesize: 92KB

memory/1624-27-0x0000000000430000-0x0000000000447000-memory.dmp
  Filesize: 92KB

memory/2464-13-0x0000000007160000-0x0000000007174000-memory.dmp
  Filesize: 80KB

memory/2464-0-0x000000007441E000-0x000000007441F000-memory.dmp
  Filesize: 4KB

memory/2464-5-0x0000000074410000-0x0000000074BC0000-memory.dmp
  Filesize: 7.7MB

memory/2464-6-0x0000000006740000-0x0000000006768000-memory.dmp
  Filesize: 160KB

memory/2464-7-0x0000000006900000-0x0000000006966000-memory.dmp
  Filesize: 408KB

memory/2464-8-0x00000000067B0000-0x00000000067D2000-memory.dmp
  Filesize: 136KB

memory/2464-9-0x0000000074410000-0x0000000074BC0000-memory.dmp
  Filesize: 7.7MB

memory/2464-10-0x000000007441E000-0x000000007441F000-memory.dmp
  Filesize: 4KB

memory/2464-11-0x0000000074410000-0x0000000074BC0000-memory.dmp
  Filesize: 7.7MB

memory/2464-1-0x00000000008E0000-0x0000000000960000-memory.dmp
  Filesize: 512KB

memory/2464-14-0x0000000007170000-0x0000000007176000-memory.dmp
  Filesize: 24KB

memory/2464-4-0x0000000005400000-0x000000000549C000-memory.dmp
  Filesize: 624KB

memory/2464-3-0x0000000005360000-0x00000000053F2000-memory.dmp
  Filesize: 584KB

memory/2464-19-0x0000000074410000-0x0000000074BC0000-memory.dmp
  Filesize: 7.7MB

memory/2464-2-0x0000000005870000-0x0000000005E14000-memory.dmp
  Filesize: 5.6MB

memory/3484-24-0x0000000007B50000-0x0000000007CFA000-memory.dmp
  Filesize: 1.7MB

memory/3484-34-0x0000000008280000-0x00000000083EA000-memory.dmp
  Filesize: 1.4MB

memory/3484-33-0x0000000008280000-0x00000000083EA000-memory.dmp
  Filesize: 1.4MB

memory/3484-37-0x0000000008280000-0x00000000083EA000-memory.dmp
  Filesize: 1.4MB

memory/3484-30-0x0000000007B50000-0x0000000007CFA000-memory.dmp
  Filesize: 1.7MB

memory/4308-16-0x0000000000400000-0x000000000042E000-memory.dmp
  Filesize: 184KB

memory/4308-22-0x0000000000400000-0x000000000042E000-memory.dmp
  Filesize: 184KB

memory/4308-23-0x0000000001000000-0x0000000001014000-memory.dmp
  Filesize: 80KB

memory/4308-20-0x00000000010E0000-0x000000000142A000-memory.dmp
  Filesize: 3.3MB