Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    07-05-2024 06:49

General

  • Target

    1fc9b5094b733179f1033890c79b2e41_JaffaCakes118.rtf

  • Size

    475KB

  • MD5

    1fc9b5094b733179f1033890c79b2e41

  • SHA1

    3f42f46d0398ae70f3435707c849fa7b7b9c62d3

  • SHA256

    816c9d6d36399c0ef5bb8d0334ef40ba6668cd043be104a4ec3f4291ae1a4b86

  • SHA512

    851a4874baa6206fe82ba7ee43df0211810b4390d91b7c70a02673e0826b1a7131c7da9c9b98e56a227d23daeb860957a5304281040b1580332c07f1f4f4cc84

  • SSDEEP

    12288:477BeRhC1p1Cy4FkRIni8oNX9gjOxMygi2svV:ocy54FJi8IyygHu

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

stn

Decoy


Signatures

  • Formbook

    Formbook is an information-stealing malware family that harvests credentials and other data from infected hosts.

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Formbook payload 2 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1356
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1fc9b5094b733179f1033890c79b2e41_JaffaCakes118.rtf"
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1684
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tAsK.bAt
        3⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:2512
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\2nd.bat
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2524
          • C:\Windows\SysWOW64\timeout.exe
            TIMEOUT 1
            5⤵
            • Delays execution with timeout.exe
            PID:2732
          • C:\Users\Admin\AppData\Local\Temp\exe.exe
            C:\Users\Admin\AppData\Local\Temp\ExE.ExE
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Suspicious behavior: MapViewOfSection
            PID:2424
            • C:\Users\Admin\AppData\Local\Temp\exe.exe
              C:\Users\Admin\AppData\Local\Temp\ExE.ExE
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of AdjustPrivilegeToken
              PID:2656
          • C:\Windows\SysWOW64\taskkill.exe
            TASKKILL /F /IM winword.exe
            5⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2464
          • C:\Windows\SysWOW64\reg.exe
            reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Resiliency /f
            5⤵
            PID:1892
          • C:\Windows\SysWOW64\reg.exe
            reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Resiliency /f
            5⤵
            PID:2372
          • C:\Windows\SysWOW64\reg.exe
            reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Resiliency /f
            5⤵
            PID:2808
          • C:\Windows\SysWOW64\reg.exe
            reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Resiliency /f
            5⤵
            PID:2684
          • C:\Windows\SysWOW64\reg.exe
            reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency /f
            5⤵
            PID:2692
          • C:\Windows\SysWOW64\reg.exe
            reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency /f
            5⤵
            PID:2660
          • C:\Windows\SysWOW64\reg.exe
            reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Resiliency /f
            5⤵
            PID:2768
          • C:\Windows\SysWOW64\reg.exe
            reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency /f
            5⤵
            PID:1200
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2000
            • C:\Windows\SysWOW64\reg.exe
              REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"
              6⤵
              PID:2020
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"
            5⤵
            PID:1904
            • C:\Windows\SysWOW64\reg.exe
              REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"
              6⤵
              PID:1196
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"
            5⤵
            PID:1064
            • C:\Windows\SysWOW64\reg.exe
              REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"
              6⤵
              PID:1068
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
            5⤵
            PID:2648
            • C:\Windows\SysWOW64\reg.exe
              REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
              6⤵
              PID:2608
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
            5⤵
            PID:1648
            • C:\Windows\SysWOW64\reg.exe
              REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
              6⤵
              PID:1184
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
            5⤵
            PID:2148
            • C:\Windows\SysWOW64\reg.exe
              REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
              6⤵
              PID:1176
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
            5⤵
            PID:1312
            • C:\Windows\SysWOW64\reg.exe
              REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
              6⤵
              PID:1188
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
            5⤵
            PID:2408
            • C:\Windows\SysWOW64\reg.exe
              REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
              6⤵
              PID:2672
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tAsK.bAt
        3⤵
        • Process spawned unexpected child process
        PID:2716
    • C:\Windows\SysWOW64\autofmt.exe
      "C:\Windows\SysWOW64\autofmt.exe"
      2⤵
      PID:2772
    • C:\Windows\SysWOW64\autofmt.exe
      "C:\Windows\SysWOW64\autofmt.exe"
      2⤵
      PID:2652
    • C:\Windows\SysWOW64\autofmt.exe
      "C:\Windows\SysWOW64\autofmt.exe"
      2⤵
      PID:1872
    • C:\Windows\SysWOW64\autofmt.exe
      "C:\Windows\SysWOW64\autofmt.exe"
      2⤵
      PID:1672
    • C:\Windows\SysWOW64\raserver.exe
      "C:\Windows\SysWOW64\raserver.exe"
      2⤵
      • Adds policy Run key to start application
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      PID:1888
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\exe.exe"
        3⤵
        PID:404

Downloads

  • C:\Users\Admin\AppData\Local\Temp\2nd.bat
    Filesize 2KB
    MD5 c9ca8724322ff6b667686b515de69c57
    SHA1 53d5a05e851dd804f98c88bd3e5936f21d9f87f3
    SHA256 e8a2ea80da5c919f5c6717eab032357c37053f5c6da9925f9aec5cae2bc7a9a4
    SHA512 bb3cd943e1261b7ac3331c99838fd425798f3600d29ebfccd5c35d981593c522dacf0ed6c5ae5c4a8e910535559ab46c42dc1b767bea093a90d40a7df1058c94

  • C:\Users\Admin\AppData\Local\Temp\TasK.BaT
    Filesize 136B
    MD5 ad4e94119580d0ec73cc15fc835ce2af
    SHA1 e89414522edb7c800880bab55a1bb8edaf9c953a
    SHA256 b8783ae2f2a9acf183411b8acf644ca2187aa660a56a34ab89c9084e8d5af72c
    SHA512 4328c470ecfd292adbd94d798591af7d688ab935dadb07d53779744a9928017b20f2dec17093177b1a27db08fc07f7601704fd9883c49c86a6237bdb063b5f07

  • C:\Users\Admin\AppData\Local\Temp\inteldriverupd1.sct
    Filesize 424B
    MD5 95d97cf47fa918e0fabb5d2ccb7ac691
    SHA1 ca34525fa702ff74898d0c7d286416d1cc1a2155
    SHA256 58578fdb3e96c8bbd93503fc2dbedc48310b4d4745dccb01c2bdf861bfe90f01
    SHA512 717d0039a1ebbbb0957ee84ff2c834f4edb9a79d4d0026a079d304bdfd4bee51aa0f5d847f8668bb64c232a1e49c68bb589b4af065170bfff2ffd96ff5137557

  • C:\Users\Admin\AppData\Roaming\O4552S-T\O45logim.jpeg
    Filesize 65KB
    MD5 53d0fbe6dda54c836de6ed8d7b11b0cf
    SHA1 5b73398fe7a0a58d21c746fa5a06aeb7bf1f6ea1
    SHA256 766b4a6e4dcd678dd6b7424202d3a5be2f9d5f6b9d1df31b3a8f335405e30faa
    SHA512 cb8826f0cf12b06a0db7031a4b8f458f28d5133f99ccf2d6a3ec7fb180dcdbc43ba34325f340e7667dd5963bf4a746a267efff452beb8f0b8fde57aec0d74644

  • C:\Users\Admin\AppData\Roaming\O4552S-T\O45logri.ini
    Filesize 40B
    MD5 d63a82e5d81e02e399090af26db0b9cb
    SHA1 91d0014c8f54743bba141fd60c9d963f869d76c9
    SHA256 eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae
    SHA512 38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

  • C:\Users\Admin\AppData\Roaming\O4552S-T\O45logrv.ini
    Filesize 40B
    MD5 ba3b6bc807d4f76794c4b81b09bb9ba5
    SHA1 24cb89501f0212ff3095ecc0aba97dd563718fb1
    SHA256 6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507
    SHA512 ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf

  • \Users\Admin\AppData\Local\Temp\exe.exe
    Filesize 227KB
    MD5 1542e30e228c47560ed2ad6bc58388d5
    SHA1 f221e6278fe7764d5fc5eb6c5a63977e479b22f0
    SHA256 d738c9fc2d162a7d76e0e965ab9ceee7f14e2360abb37821b1e7ddfa6af40e31
    SHA512 ba78316f146a65ae8c772344edc5c4bd3c41f5bbccc5d7bc64397f569a3990e10723c627402ae9c921b5fcd05db9bf698e16d33d9f5380278e6799569c0ed750

  • \Users\Admin\AppData\Local\Temp\nsy148C.tmp\System.dll
    Filesize 11KB
    MD5 3f176d1ee13b0d7d6bd92e1c7a0b9bae
    SHA1 fe582246792774c2c9dd15639ffa0aca90d6fd0b
    SHA256 fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e
    SHA512 0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

  • memory/1356-55-0x0000000003090000-0x0000000003190000-memory.dmp
    Filesize 1024KB

  • memory/1356-59-0x00000000073D0000-0x00000000074EA000-memory.dmp
    Filesize 1.1MB

  • memory/1684-0-0x000000002FD71000-0x000000002FD72000-memory.dmp
    Filesize 4KB

  • memory/1684-44-0x00000000715CD000-0x00000000715D8000-memory.dmp
    Filesize 44KB

  • memory/1684-2-0x00000000715CD000-0x00000000715D8000-memory.dmp
    Filesize 44KB

  • memory/1684-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize 64KB

  • memory/1888-54-0x00000000003B0000-0x00000000003CC000-memory.dmp
    Filesize 112KB

  • memory/2656-48-0x0000000000400000-0x000000000042A000-memory.dmp
    Filesize 168KB

  • memory/2656-53-0x0000000000400000-0x000000000042A000-memory.dmp
    Filesize 168KB