Analysis

  • max time kernel
    132s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-05-2024 01:36

General

  • Target

    1a26f946ac1d1a308989f533596d5b5d_JaffaCakes118.exe

  • Size

    789KB

  • MD5

    1a26f946ac1d1a308989f533596d5b5d

  • SHA1

    a88e79bbdd4a3d47f47dd6c977bec9015e14c6b5

  • SHA256

    e5d8344ae7d9f2641a4e564d0e6e1a6494e216e6a5be0355eb45190e25d11f8f

  • SHA512

    ef7734f034793c582b30ed944c1ad91e42aef905bd84315f7ff44cc434cdb9635eb0e85d79e0f98181962faec55800b3c42a7881023f43a4f7323b4bd5746417

  • SSDEEP

    12288:icFUncJ54irus265GoqlDX1YH0COI+w7Ror6PpGg+l2K3RYUOPlNTXm1XBv1HfeO:2nYnuRcBIoGblBhGlBKvdfF

Malware Config

Extracted

  • Family
    formbook
  • Version
    4.1
  • Campaign
    3nk4
  • Decoy
    teresaanaya.com
    byronhobbs.com
    altiizgara.com
    reignsponsibly.com
    kanistones.com
    clickpk.site
    aizzainvestments.com
    bpqbq.com
    openfitxbstretch.com
    blackvoicesstore.com
    yousefzaid.com
    verdeaccounting.com
    independentthoughtshow.com
    fainlywatchdog.com
    elreventondelsabor.com
    spiceyourfood.com
    1277hb.com
    cesttoni.com
    portalngs.com
    turismoplayas.com

Signatures

  • Formbook

    Formbook is a data-stealing malware family (information stealer).

  • Formbook payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1a26f946ac1d1a308989f533596d5b5d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1a26f946ac1d1a308989f533596d5b5d_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:4312
    • C:\Users\Admin\AppData\Local\Temp\1a26f946ac1d1a308989f533596d5b5d_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\1a26f946ac1d1a308989f533596d5b5d_JaffaCakes118.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4928

Network

MITRE ATT&CK Matrix

Downloads

  • memory/4312-0-0x0000000002260000-0x0000000002261000-memory.dmp

    Filesize

    4KB

  • memory/4312-2-0x0000000002310000-0x0000000002320000-memory.dmp

    Filesize

    64KB

  • memory/4312-1-0x0000000002310000-0x0000000002320000-memory.dmp

    Filesize

    64KB

  • memory/4312-3-0x0000000002330000-0x0000000002331000-memory.dmp

    Filesize

    4KB

  • memory/4312-5-0x0000000000400000-0x00000000004CC000-memory.dmp

    Filesize

    816KB

  • memory/4928-4-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB