Overview

overview

10

Static

static

3

fa3f2124cf...18.exe

windows7-x64

10

fa3f2124cf...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    107s
  • max time network
    113s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-04-2024 11:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe

  • Size

    1.5MB

  • MD5

    fa3f2124cf9b027ca2b8a04df5e27cc2

  • SHA1

    be0968843e1654dd2a5b7f7085226188d9276276

  • SHA256

    b85055ab3db03b5496bcd19448c54dea594d8f44cc84d17f99cbf6cd9085fa2d

  • SHA512

    d40399ed1c72a3907ebd8697fba492da2e71728fb8bbeb39ad01bbbc6edb7931b3902d4782d815a18c4f313b2f2d1c1425da95be6a12a8d005a3506830311c83

  • SSDEEP

    24576:0ZZS5R0pULbNWrOAJPidVEHMvx1vHYY1o:03BpvJPidV5vx1v

Score
10/10
formbookupioevasionratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

upio

Decoy

thecantonmentcookhouse.com

1for1ecomask.com

thatvintagehome.com

momentbymomentmindfulness.com

denxmedia.com

arc-corner.com

siddharthmakharia.com

meiluk.com

toughu.com

hotelwisatabaru.com

ibluebelt3dbuy.com

bestfootwearhk.com

wbjobalerts.com

radiancenurestoringcleanse.com

xintianlongyeya.com

docauphuhau.com

liberty-furniture.com

ranchhousepizzaonline.com

bednhomes.com

kollakids.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 1 IoCs
    rat
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Checks computer location settings
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2032
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2252
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\YPSemDsygYqHl.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2296
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YPSemDsygYqHl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp39A9.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2640
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\YPSemDsygYqHl.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1896
    • C:\Users\Admin\AppData\Local\Temp\fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe"
      2⤵
        PID:736
      • C:\Users\Admin\AppData\Local\Temp\fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4016

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Scheduled Task/Job

    1
    T1053

    Persistence

    Scheduled Task/Job

    1
    T1053

    Privilege Escalation

    Scheduled Task/Job

    1
    T1053

    Defense Evasion

    Virtualization/Sandbox Evasion

    2
    T1497

    Credential Access

    Discovery

    Query Registry

    5
    T1012

    Virtualization/Sandbox Evasion

    2
    T1497

    System Information Discovery

    4
    T1082

    Peripheral Device Discovery

    1
    T1120

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      3d086a433708053f9bf9523e1d87a4e8

      SHA1

      b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

      SHA256

      6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

      SHA512

      931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      18KB

      MD5

      0794306c4cfd42d5e46b88372bcff20a

      SHA1

      a821ea83e2cccc1bbb27875ebcadd01f9834c0f1

      SHA256

      debba529dd4237040afd41560f29be6640d6b39a39cb915ccbb476c27ad3ccd0

      SHA512

      50699d074c8a2a73062d116a1ef9a355682c99747ae7629f2556483d261e39c07a457de87566520dbd0f3a0fdd6094daedb030c3d93126205431c65f874bd032

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      18KB

      MD5

      40d70c5b635b5225848e8a7518a2620d

      SHA1

      67d79d85ae6ff097cb3cb9f27048554eb55b95a0

      SHA256

      b6e4edd01ff98a89fc2de0ffa05be0e2568289e3ca67676508a9795cd759a7a6

      SHA512

      91e2abb5c28a32cd4fcfa36a26e897857fc146e266b2990bdf5e7d94aa3f1a0731250306984129e195ae74b36ed1c24908eb7b824fc578a7a9a529652da3dfc1

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s3duhmqw.q53.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\tmp39A9.tmp
      Filesize

      1KB

      MD5

      dac2dd96bba53060b31021069a9b7bf3

      SHA1

      146a288ad3f8fb8e69f70aff8e54916f2c2dd841

      SHA256

      04f7d5611a163c82af66690ca3a78234b7819192629fddd3b0cb9ac4ac16c555

      SHA512

      71745a9e4d441f2a0d63f3f4001d06b657bca8414d8e05b0b31252c8ffe5e36020aa36abcf5c5e79e69f6f33dfbd3f2a490918d0ee52e6ba85a1bb19b8b13d46

      Download Submit
    • memory/1896-122-0x0000000074A70000-0x0000000075220000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/1896-52-0x0000000074A70000-0x0000000075220000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/1896-53-0x0000000004EF0000-0x0000000004F00000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1896-54-0x0000000004EF0000-0x0000000004F00000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1896-95-0x000000006F8A0000-0x000000006F8EC000-memory.dmp
      Filesize

      304KB

      Download
    • memory/1896-107-0x0000000004EF0000-0x0000000004F00000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2032-6-0x0000000005620000-0x00000000056BC000-memory.dmp
      Filesize

      624KB

      Download
    • memory/2032-7-0x0000000005340000-0x000000000535E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/2032-11-0x0000000008DF0000-0x0000000008E24000-memory.dmp
      Filesize

      208KB

      Download
    • memory/2032-10-0x0000000006810000-0x00000000068B4000-memory.dmp
      Filesize

      656KB

      Download
    • memory/2032-1-0x0000000000490000-0x000000000061A000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/2032-9-0x0000000005230000-0x0000000005240000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2032-8-0x0000000074A70000-0x0000000075220000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/2032-12-0x000000000C620000-0x000000000C686000-memory.dmp
      Filesize

      408KB

      Download
    • memory/2032-51-0x0000000074A70000-0x0000000075220000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/2032-5-0x0000000004FC0000-0x0000000004FCA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2032-4-0x0000000005230000-0x0000000005240000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2032-3-0x0000000004FD0000-0x0000000005062000-memory.dmp
      Filesize

      584KB

      Download
    • memory/2032-2-0x00000000056E0000-0x0000000005C84000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/2032-0-0x0000000074A70000-0x0000000075220000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/2252-16-0x00000000048D0000-0x00000000048E0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2252-79-0x0000000007040000-0x00000000070E3000-memory.dmp
      Filesize

      652KB

      Download
    • memory/2252-13-0x00000000048E0000-0x0000000004916000-memory.dmp
      Filesize

      216KB

      Download
    • memory/2252-15-0x0000000004F50000-0x0000000005578000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/2252-43-0x0000000005E20000-0x0000000005E3E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/2252-119-0x0000000074A70000-0x0000000075220000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/2252-14-0x0000000074A70000-0x0000000075220000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/2252-17-0x0000000004E50000-0x0000000004E72000-memory.dmp
      Filesize

      136KB

      Download
    • memory/2252-64-0x0000000006440000-0x0000000006472000-memory.dmp
      Filesize

      200KB

      Download
    • memory/2252-65-0x000000007F690000-0x000000007F6A0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2252-66-0x000000006F8A0000-0x000000006F8EC000-memory.dmp
      Filesize

      304KB

      Download
    • memory/2252-77-0x00000000048D0000-0x00000000048E0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2252-78-0x00000000048D0000-0x00000000048E0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2252-109-0x0000000007380000-0x000000000738E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/2252-76-0x00000000063D0000-0x00000000063EE000-memory.dmp
      Filesize

      120KB

      Download
    • memory/2252-110-0x0000000007390000-0x00000000073A4000-memory.dmp
      Filesize

      80KB

      Download
    • memory/2252-90-0x0000000074A70000-0x0000000075220000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/2252-47-0x0000000005ED0000-0x0000000005F1C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/2252-92-0x0000000007790000-0x0000000007E0A000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/2252-93-0x0000000007150000-0x000000000716A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/2252-94-0x00000000071C0000-0x00000000071CA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2252-32-0x0000000005810000-0x0000000005B64000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/2252-96-0x00000000048D0000-0x00000000048E0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2252-102-0x00000000073D0000-0x0000000007466000-memory.dmp
      Filesize

      600KB

      Download
    • memory/2252-18-0x0000000005730000-0x0000000005796000-memory.dmp
      Filesize

      408KB

      Download
    • memory/2296-91-0x0000000000870000-0x0000000000880000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2296-108-0x0000000006F20000-0x0000000006F31000-memory.dmp
      Filesize

      68KB

      Download
    • memory/2296-80-0x000000006F8A0000-0x000000006F8EC000-memory.dmp
      Filesize

      304KB

      Download
    • memory/2296-111-0x0000000007060000-0x000000000707A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/2296-112-0x0000000007040000-0x0000000007048000-memory.dmp
      Filesize

      32KB

      Download
    • memory/2296-115-0x0000000074A70000-0x0000000075220000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/2296-33-0x0000000074A70000-0x0000000075220000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/2296-34-0x0000000000870000-0x0000000000880000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2296-36-0x0000000000870000-0x0000000000880000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4016-50-0x00000000015B0000-0x00000000018FA000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/4016-48-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download