Analysis Overview
SHA256
788612367e194c4ca18368f5d7e25e9d5606d429a87c2de356ff2408738a3eb6
Threat Level: Known bad
The file 91a5e32457d8a5316bfc75a0f66edaf6_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Formbook
Formbook payload
Deletes itself
Checks computer location settings
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-02 16:37
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-02 16:37
Reported
2024-04-02 16:39
Platform
win7-20240221-en
Max time kernel
147s
Max time network
123s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1460 set thread context of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\Confirmation de paiement.exe | C:\Users\Admin\AppData\Local\Temp\Confirmation de paiement.exe |
| PID 2708 set thread context of 1212 | N/A | C:\Users\Admin\AppData\Local\Temp\Confirmation de paiement.exe | C:\Windows\Explorer.EXE |
| PID 2708 set thread context of 1212 | N/A | C:\Users\Admin\AppData\Local\Temp\Confirmation de paiement.exe | C:\Windows\Explorer.EXE |
| PID 2864 set thread context of 1212 | N/A | C:\Windows\SysWOW64\help.exe | C:\Windows\Explorer.EXE |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Confirmation de paiement.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Confirmation de paiement.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Confirmation de paiement.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Confirmation de paiement.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Confirmation de paiement.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Confirmation de paiement.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\help.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\Confirmation de paiement.exe
"C:\Users\Admin\AppData\Local\Temp\Confirmation de paiement.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pIHJhbCBS" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBA2B.tmp"
C:\Users\Admin\AppData\Local\Temp\Confirmation de paiement.exe
"C:\Users\Admin\AppData\Local\Temp\Confirmation de paiement.exe"
C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Confirmation de paiement.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-02 16:37
Reported
2024-04-02 16:39
Platform
win10v2004-20231215-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Confirmation de paiement.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3160 set thread context of 732 | N/A | C:\Users\Admin\AppData\Local\Temp\Confirmation de paiement.exe | C:\Users\Admin\AppData\Local\Temp\Confirmation de paiement.exe |
| PID 732 set thread context of 3520 | N/A | C:\Users\Admin\AppData\Local\Temp\Confirmation de paiement.exe | C:\Windows\Explorer.EXE |
| PID 4624 set thread context of 3520 | N/A | C:\Windows\SysWOW64\systray.exe | C:\Windows\Explorer.EXE |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Confirmation de paiement.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Confirmation de paiement.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Confirmation de paiement.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\systray.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\systray.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Confirmation de paiement.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Confirmation de paiement.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\systray.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\Confirmation de paiement.exe
"C:\Users\Admin\AppData\Local\Temp\Confirmation de paiement.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pIHJhbCBS" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF78F.tmp"
C:\Users\Admin\AppData\Local\Temp\Confirmation de paiement.exe
"C:\Users\Admin\AppData\Local\Temp\Confirmation de paiement.exe"
C:\Users\Admin\AppData\Local\Temp\Confirmation de paiement.exe
"C:\Users\Admin\AppData\Local\Temp\Confirmation de paiement.exe"
C:\Users\Admin\AppData\Local\Temp\Confirmation de paiement.exe
"C:\Users\Admin\AppData\Local\Temp\Confirmation de paiement.exe"
C:\Users\Admin\AppData\Local\Temp\Confirmation de paiement.exe
"C:\Users\Admin\AppData\Local\Temp\Confirmation de paiement.exe"
C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Confirmation de paiement.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.162.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.pennydarbyshire.com | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.1for1ecomask.com | udp |
| US | 8.8.8.8:53 | www.priyathams.com | udp |
| US | 8.8.8.8:53 | www.itsinthereimage.com | udp |
| US | 3.33.130.190:80 | www.itsinthereimage.com | tcp |
| US | 8.8.8.8:53 | 190.130.33.3.in-addr.arpa | udp |
Files