Analysis

  • max time kernel
    134s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-05-2024 12:21

General

  • Target

    108156ae3609706003c6cefd6335c554_JaffaCakes118.exe

  • Size

    368KB

  • MD5

    108156ae3609706003c6cefd6335c554

  • SHA1

    9ad9e65ee4407162beb14eb33859ffc77451e7fb

  • SHA256

    535d92c4a194c64723fdf9b7279f033085c0861d93b9f43747320759fd172afc

  • SHA512

    72ec03a163d291c9fc8e73689e63e0b55aa78d2c97e83b2187d581592d09a7ab361004ce72ee9a8792dee6c36a4a6ffda80391106afc2a1e7733653f813b247f

  • SSDEEP

    3072:aFFyrH+tfkhzjvRYkYjvnNfugsIN23+q7cuZv2kjgyoWOuClDfujpITpVxzApTld:aiHGIRYtvZughqLFeuwi0pVaY

Malware Config

Extracted

  • Family
    formbook
  • Version
    3.9
  • Campaign
    jc
  • Decoy
    petfashionvalley.com
    sisermexico.com
    mycityneighbors.com
    trojanerhilfe.com
    2012mi.com
    bitcoinkeith.com
    integracube.com
    portalgnu.com
    xingcaiyule2.com
    saasgroceries.com
    groupulljimzasac.com
    sscfz.win
    microauditoria.com
    grandijen.com
    beautiebootik.com
    trb899.com
    autobittrex.com
    greeksinbritain.com
    flamingouno.com
    agencecuivre.com

Signatures

  • Formbook

    Formbook is a data-stealing malware family.

  • Formbook payload 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\108156ae3609706003c6cefd6335c554_JaffaCakes118.exe (PID:3676, level 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\108156ae3609706003c6cefd6335c554_JaffaCakes118.exe"
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • Child process: C:\Users\Admin\AppData\Local\Temp\108156ae3609706003c6cefd6335c554_JaffaCakes118.exe (PID:3976, level 2)
      Command line: "C:\Users\Admin\AppData\Local\Temp\108156ae3609706003c6cefd6335c554_JaffaCakes118.exe"
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Windows\win.ini

    Filesize

    123B

    MD5

    6bf517432f65eb7f0d18d574bf14124c

    SHA1

    5b9f37c1dd1318ebbec3bd2f07c109eb9d22c727

    SHA256

    6e2b70dfccabf3cc651545676a3a566c9cfae03f15f772886646abce1da35b46

    SHA512

    7b0cb8c20034585ec8bf4b45eda5eda5993a56e24931a7426dc5a9f081ec1f82545f3e26a48a4df885c8691fc6e8026d0808aebe3cc3358ba85ddca08ac4cb06

  • memory/3676-3-0x00000000021B0000-0x00000000021B8000-memory.dmp

    Filesize

    32KB

  • memory/3676-4-0x0000000077061000-0x0000000077181000-memory.dmp

    Filesize

    1.1MB

  • memory/3976-11-0x0000000000540000-0x0000000000548000-memory.dmp

    Filesize

    32KB

  • memory/3976-9-0x0000000000400000-0x000000000045F000-memory.dmp

    Filesize

    380KB

  • memory/3976-12-0x000000001FB90000-0x000000001FEDA000-memory.dmp

    Filesize

    3.3MB