Analysis

  • max time kernel: 121s
  • max time network: 121s
  • platform: windows7_x64
  • resource: win7-20240221-en
  • resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted: 07-05-2024 11:42

General

  • Target: 2076f3389e743659dcb4daef802479f3_JaffaCakes118.exe
  • Size: 412KB
  • MD5: 2076f3389e743659dcb4daef802479f3
  • SHA1: e29db627de75b18e61fcaa452b44b6609def8cb7
  • SHA256: faf0518430f6333ff6fe2e3c51bb69cd3a1be29511aaa8b568b96945b4ff18ed
  • SHA512: 828fa0929acb64f78c46476121c2053c32ee682f812fa23f98ccd9143facba38230cd0da04bef5f81935c8791bae5605a38b05e2f45586be0ff1e3370e4b4811
  • SSDEEP: 6144:u07TDvqyS2EEBFH0WbMtg9mOYm/k+M84bCQM8475:xTDvq1C5XQq9mOr/k+M8Pd84

Malware Config

Extracted

  • Family: formbook
  • Version: 3.9
  • Campaign: cu

Decoy

Signatures

  • Formbook

    Formbook is a data-stealing malware family.

  • Formbook payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • Process 1 (PID 2984): C:\Users\Admin\AppData\Local\Temp\2076f3389e743659dcb4daef802479f3_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2076f3389e743659dcb4daef802479f3_JaffaCakes118.exe"
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • Process 2 (PID 820, spawned by process 1): C:\Users\Admin\AppData\Local\Temp\2076f3389e743659dcb4daef802479f3_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\2076f3389e743659dcb4daef802479f3_JaffaCakes118.exe"
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx

Network

MITRE ATT&CK Matrix


Downloads

  • C:\Windows\win.ini
    Filesize: 509B
    MD5: d2a2412bddba16d60ec63bd9550d933f
    SHA1: deb3d3bdc9055f0b4909b31d3048446848fae0e1
    SHA256: 79ff2254e38192be1626d05bec6c82e10c85e1cf91df7440c4c443380a1e877a
    SHA512: 8fecada107f72e59e43a689eeb8e2e18fa6134d0941c122025ed5bd00e5eab8114d7125bd289505be75641385a0c3f112d402c693f142c3ddc870d5fa8116e31
  • memory/820-12-0x0000000077640000-0x00000000777E9000-memory.dmp (Filesize: 1.7MB)
  • memory/820-10-0x0000000000290000-0x0000000000296000-memory.dmp (Filesize: 24KB)
  • memory/820-9-0x0000000000400000-0x0000000000467000-memory.dmp (Filesize: 412KB)
  • memory/820-15-0x000000001FD60000-0x0000000020063000-memory.dmp (Filesize: 3.0MB)
  • memory/2984-3-0x0000000077641000-0x0000000077742000-memory.dmp (Filesize: 1.0MB)
  • memory/2984-4-0x0000000077640000-0x00000000777E9000-memory.dmp (Filesize: 1.7MB)
  • memory/2984-11-0x0000000077830000-0x0000000077906000-memory.dmp (Filesize: 856KB)