Analysis

  • max time kernel
    138s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240419-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    06-05-2024 22:36

General

  • Target

    1e96b55fdd95824b3f3c5f2156be44c5_JaffaCakes118.exe

  • Size

    1.2MB

  • MD5

    1e96b55fdd95824b3f3c5f2156be44c5

  • SHA1

    5ec468430b06c8a3c43f8ee20fb8a1ef5e41241f

  • SHA256

    caf8a53c2a1bbc6169474702cd71a047176f4e4c78244e2a1c2a82352ca97c25

  • SHA512

    e4f6aa43af7ccef63549438e514260c3d4381119c3a5f0991c23e91117803eb69072e8ad99afe3a3d5b638ffacc8ba35eefd688ba379dfcc2392731cb9b53a54

  • SSDEEP

    12288:oFpvKqiiQwvG9a9xl4JQ5+xa+3Ao1QdiLD/XG:CpvzQO9fMQ54azo1QALbG

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

hx232

Decoy

kcmjdgf.com

live2attain.com

constellationgalaxy.com

anyandallpodcasts.com

ahsapfuarstandi.com

apoif.com

jointeambrandyn.com

thelifeof2kand1q.com

zhmzwhy.com

ilovefloattanks.com

thirdeyeproductionstep.com

karasing.online

bpyvyx.online

dingdingjiaoche.com

mrotcl.net

chargetimely.com

meesthetic.com

absence.ltd

zj-training.com

gzgpc07.com

Signatures

  • Formbook

    Formbook is an information stealer: it harvests credentials saved by browsers and mail clients, logs keystrokes and clipboard contents, captures web-form data and screenshots, and exfiltrates them to its command-and-control server. Its configuration carries a list of decoy domains alongside the real C2, which is why the extracted config above lists many hosts.

  • Formbook payload 10 IoCs
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1e96b55fdd95824b3f3c5f2156be44c5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1e96b55fdd95824b3f3c5f2156be44c5_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3092
    • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1940
      • C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
        "C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"
        3⤵
        • Executes dropped EXE
        PID:4348
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 540
          4⤵
          • Program crash
          PID:3776
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4348 -ip 4348
    1⤵
      PID:4060
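
The process tree above shows the chain a responder needs to recognise: the sample (PID 3092) is flagged for SetThreadContext and WriteProcessMemory and then runs a dropped copy of InstallUtil.exe (PID 1940) from %TEMP%, which repeats the same pair of calls and runs a dropped RegAsm.exe (PID 4348). InstallUtil.exe and RegAsm.exe are legitimate .NET Framework tools that live under C:\Windows\Microsoft.NET\Framework\ or Framework64\, so copies executing from a user's Temp directory are anomalous on their own. The following Python is an added example, not part of the sandbox's report or tooling: it encodes the tree as records and applies those two checks. The framework install-path pattern, the inclusion of RegSvcs.exe in the tool list, and the control record for PID 5000 are assumptions, not data from this report.

```python
"""Triage a sandbox process tree for two tells that this report shows:
.NET Framework utilities (InstallUtil.exe, RegAsm.exe) launched from a
user-writable directory instead of their install location, and a parent
that is flagged for SetThreadContext + WriteProcessMemory and then runs a
dropped EXE as its child (the process-hollowing pattern).
Added example, not the sandbox's own code; the records are hand-built
from the report's Processes section."""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass, field

# Where the .NET Framework tools are legitimately installed (assumption:
# default Windows layout, e.g. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\).
DOTNET_TOOL_DIRS = re.compile(
    r"^[a-z]:\\windows\\microsoft\.net\\framework(64)?\\v[0-9.]+\\", re.IGNORECASE
)
# Framework tools commonly copied out and hollowed.  InstallUtil.exe and
# RegAsm.exe appear in this report; RegSvcs.exe is added as an assumption.
DOTNET_TOOLS = {"installutil.exe", "regasm.exe", "regsvcs.exe"}

HOLLOWING_SIGS = {"Suspicious use of SetThreadContext",
                  "Suspicious use of WriteProcessMemory"}


@dataclass
class Proc:
    pid: int
    image: str                 # full path of the executable
    parent: int | None         # parent PID, None for a tree root
    signatures: set[str] = field(default_factory=set)


def check_tool_location(p: Proc) -> tuple | None:
    """Flag a known framework tool that is not running from its install dir."""
    name = ntpath.basename(p.image).lower()
    if name in DOTNET_TOOLS and not DOTNET_TOOL_DIRS.match(p.image):
        return ("tool_outside_install_dir", p.pid,
                f"{name} started from {ntpath.dirname(p.image)}")
    return None


def check_hollowing(p: Proc, procs: list[Proc]) -> tuple | None:
    """Flag a parent that writes memory and resets thread context and whose
    child is a dropped executable: the classic process-hollowing shape."""
    if not HOLLOWING_SIGS <= p.signatures:
        return None
    dropped = [c.pid for c in procs
               if c.parent == p.pid and "Executes dropped EXE" in c.signatures]
    if dropped:
        return ("hollowing_candidate", p.pid,
                f"writes memory and resets thread context; dropped children {dropped}")
    return None


def triage(procs: list[Proc]) -> list[tuple]:
    findings = []
    for p in procs:
        for hit in (check_tool_location(p), check_hollowing(p, procs)):
            if hit:
                findings.append(hit)
    return findings


T = r"C:\Users\Admin\AppData\Local\Temp"
# Constructed from the report's process tree (PIDs and signatures as listed).
SAMPLE = [
    Proc(3092, T + r"\1e96b55fdd95824b3f3c5f2156be44c5_JaffaCakes118.exe", None,
         {"Suspicious use of SetThreadContext", "Suspicious behavior: EnumeratesProcesses",
          "Suspicious use of AdjustPrivilegeToken", "Suspicious use of WriteProcessMemory"}),
    Proc(1940, T + r"\InstallUtil.exe", 3092,
         {"Executes dropped EXE", "Suspicious use of SetThreadContext",
          "Suspicious behavior: EnumeratesProcesses", "Suspicious use of AdjustPrivilegeToken",
          "Suspicious use of WriteProcessMemory"}),
    Proc(4348, T + r"\RegAsm.exe", 1940, {"Executes dropped EXE"}),
    Proc(3776, r"C:\Windows\SysWOW64\WerFault.exe", 4348, {"Program crash"}),
    Proc(4060, r"C:\Windows\SysWOW64\WerFault.exe", None, set()),
    # Control (assumed record): the same tool from its real install path raises nothing.
    Proc(5000, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", 1234, set()),
]

if __name__ == "__main__":
    for kind, pid, detail in triage(SAMPLE):
        print(f"{kind:<26} pid {pid}: {detail}")
```

Run against the tree as recorded, this yields four findings: both dropped framework tools (1940, 1940's child 4348) are outside their install directory, and both 3092 and 1940 show the write-then-SetThreadContext pattern with a dropped child. The two WerFault.exe processes raise nothing; the `-p 4348` argument only tells you that the hollowed RegAsm.exe crashed. The same two checks translate directly into process-creation telemetry (Sysmon Event ID 1 and the CreateRemoteThread/SetThreadContext family of events) on a real endpoint.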

    Network

    MITRE ATT&CK Matrix

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

      Filesize

      41KB

      MD5

      5d4073b2eb6d217c19f2b22f21bf8d57

      SHA1

      f0209900fbf08d004b886a0b3ba33ea2b0bf9da8

      SHA256

      ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3

      SHA512

      9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

    • C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

      Filesize

      63KB

      MD5

      0d5df43af2916f47d00c1573797c1a13

      SHA1

      230ab5559e806574d26b4c20847c368ed55483b0

      SHA256

      c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

      SHA512

      f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

    • memory/1940-28-0x0000000000400000-0x000000000048E000-memory.dmp

      Filesize

      568KB

    • memory/1940-23-0x0000000000400000-0x000000000048E000-memory.dmp

      Filesize

      568KB

    • memory/1940-36-0x0000000074F20000-0x00000000756D0000-memory.dmp

      Filesize

      7.7MB

    • memory/1940-47-0x0000000074F20000-0x00000000756D0000-memory.dmp

      Filesize

      7.7MB

    • memory/1940-34-0x0000000000400000-0x000000000048E000-memory.dmp

      Filesize

      568KB

    • memory/1940-40-0x0000000074F20000-0x00000000756D0000-memory.dmp

      Filesize

      7.7MB

    • memory/1940-39-0x0000000074F20000-0x00000000756D0000-memory.dmp

      Filesize

      7.7MB

    • memory/1940-32-0x0000000000400000-0x000000000048E000-memory.dmp

      Filesize

      568KB

    • memory/1940-25-0x0000000000400000-0x000000000048E000-memory.dmp

      Filesize

      568KB

    • memory/1940-12-0x0000000000400000-0x000000000048E000-memory.dmp

      Filesize

      568KB

    • memory/1940-27-0x0000000000400000-0x000000000048E000-memory.dmp

      Filesize

      568KB

    • memory/1940-37-0x0000000074F20000-0x00000000756D0000-memory.dmp

      Filesize

      7.7MB

    • memory/1940-31-0x0000000000400000-0x000000000048E000-memory.dmp

      Filesize

      568KB

    • memory/3092-7-0x0000000074F20000-0x00000000756D0000-memory.dmp

      Filesize

      7.7MB

    • memory/3092-10-0x0000000005C80000-0x0000000005C88000-memory.dmp

      Filesize

      32KB

    • memory/3092-4-0x0000000005A60000-0x0000000005AF2000-memory.dmp

      Filesize

      584KB

    • memory/3092-0-0x0000000074F2E000-0x0000000074F2F000-memory.dmp

      Filesize

      4KB

    • memory/3092-35-0x0000000074F20000-0x00000000756D0000-memory.dmp

      Filesize

      7.7MB

    • memory/3092-2-0x0000000005F30000-0x00000000064D4000-memory.dmp

      Filesize

      5.6MB

    • memory/3092-3-0x0000000003200000-0x000000000320A000-memory.dmp

      Filesize

      40KB

    • memory/3092-9-0x0000000074F20000-0x00000000756D0000-memory.dmp

      Filesize

      7.7MB

    • memory/3092-8-0x0000000074F2E000-0x0000000074F2F000-memory.dmp

      Filesize

      4KB

    • memory/3092-1-0x0000000000E40000-0x0000000000F7E000-memory.dmp

      Filesize

      1.2MB

    • memory/3092-5-0x0000000074F20000-0x00000000756D0000-memory.dmp

      Filesize

      7.7MB

    • memory/4348-43-0x0000000000580000-0x00000000005AD000-memory.dmp

      Filesize

      180KB
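
The dump names above encode PID, sequence number and the address range that was captured, and the sandbox dumped some regions many times: the 568KB range 0x400000-0x48E000 in PID 1940 (the hollowed InstallUtil.exe) appears eight times, and the 7.7MB range 0x74F20000-0x756D0000 appears in both PID 3092 and PID 1940. The following Python is an added example, not the sandbox's own code: it parses those names, checks that the reported Filesize matches the range, counts how often each region was dumped, and picks out regions at the 32-bit default ImageBase (0x400000) that are larger than the on-disk file the process was started from. The input is a constructed subset of the list above, and the on-disk sizes are taken from the Downloads entries for InstallUtil.exe (41KB) and RegAsm.exe (63KB).

```python
"""Parse the memory-dump names from a sandbox report, check that each
reported Filesize matches the address range encoded in the name, count how
often each region was dumped, and pick out regions at the 32-bit default
ImageBase (0x400000) that are larger than the file the process was started
from.  Added example, not the sandbox's own code; the list is a constructed
subset of the report's Downloads section."""
from __future__ import annotations

import re
from collections import Counter

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
IMAGE_BASE_32 = 0x400000  # default ImageBase of a 32-bit PE executable


def parse_dump_name(name: str) -> dict:
    """Split 'memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp' into fields."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def human_size(n: int) -> str:
    """Reproduce the report's rounding: whole KB below 1 MiB, one decimal MB above."""
    return f"{n / 2**20:.1f}MB" if n >= 2**20 else f"{n // 1024}KB"


def verify_sizes(entries: list[tuple[str, str]]) -> list[str]:
    """Names whose reported Filesize disagrees with the range in the name."""
    return [name for name, reported in entries
            if human_size(parse_dump_name(name)["size"]) != reported]


def region_counts(entries: list[tuple[str, str]]) -> Counter:
    """(pid, start, end) -> how many times the sandbox dumped that region."""
    counts: Counter = Counter()
    for name, _ in entries:
        d = parse_dump_name(name)
        counts[(d["pid"], d["start"], d["end"])] += 1
    return counts


def image_base_regions(entries, on_disk_sizes: dict[int, int]) -> list[tuple]:
    """Regions starting at 0x400000 whose mapped size exceeds the on-disk size
    of the process's own executable: the first thing to carve as a PE.
    on_disk_sizes maps PID -> size in bytes of the file that process ran."""
    hits = set()
    for name, _ in entries:
        d = parse_dump_name(name)
        disk = on_disk_sizes.get(d["pid"])
        if d["start"] == IMAGE_BASE_32 and disk is not None and d["size"] > disk:
            hits.add((d["pid"], d["start"], d["end"], d["size"]))
    return sorted(hits)


# Constructed subset of the report's memory dumps: (name, reported Filesize).
SAMPLE = [
    ("memory/1940-12-0x0000000000400000-0x000000000048E000-memory.dmp", "568KB"),
    ("memory/1940-23-0x0000000000400000-0x000000000048E000-memory.dmp", "568KB"),
    ("memory/1940-28-0x0000000000400000-0x000000000048E000-memory.dmp", "568KB"),
    ("memory/1940-34-0x0000000000400000-0x000000000048E000-memory.dmp", "568KB"),
    ("memory/1940-36-0x0000000074F20000-0x00000000756D0000-memory.dmp", "7.7MB"),
    ("memory/1940-47-0x0000000074F20000-0x00000000756D0000-memory.dmp", "7.7MB"),
    ("memory/3092-0-0x0000000074F2E000-0x0000000074F2F000-memory.dmp", "4KB"),
    ("memory/3092-1-0x0000000000E40000-0x0000000000F7E000-memory.dmp", "1.2MB"),
    ("memory/3092-2-0x0000000005F30000-0x00000000064D4000-memory.dmp", "5.6MB"),
    ("memory/3092-4-0x0000000005A60000-0x0000000005AF2000-memory.dmp", "584KB"),
    ("memory/3092-7-0x0000000074F20000-0x00000000756D0000-memory.dmp", "7.7MB"),
    ("memory/4348-43-0x0000000000580000-0x00000000005AD000-memory.dmp", "180KB"),
]
# On-disk sizes of the dropped executables, from the report's Downloads section.
ON_DISK = {1940: 41 * 1024, 4348: 63 * 1024}

if __name__ == "__main__":
    print("size mismatches:", verify_sizes(SAMPLE))
    for (pid, start, end), n in region_counts(SAMPLE).most_common(3):
        print(f"pid {pid} {start:#x}-{end:#x} dumped {n}x")
    print("image-base regions to carve:", image_base_regions(SAMPLE, ON_DISK))
```

Every reported size agrees with its address range, so the names can be trusted as offsets. The one region the heuristic singles out is 0x400000-0x48E000 in PID 1940: it sits at the default 32-bit image base and is roughly fourteen times the size of the 41KB InstallUtil.exe that process was launched from, which is what a mapped-in replacement PE looks like, so it is the dump to hand to a PE carver or a Formbook config extractor first. The identical 7.7MB range present in both 3092 and 1940 is the same mapping in two processes, which is consistent with a shared module rather than injected code.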