Analysis

  • max time kernel
    134s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240419-en locale:en-us os:windows10-2004-x64 system
  • submitted
    07-05-2024 11:42

General

  • Target

    2076f3389e743659dcb4daef802479f3_JaffaCakes118.exe

  • Size

    412KB

  • MD5

    2076f3389e743659dcb4daef802479f3

  • SHA1

    e29db627de75b18e61fcaa452b44b6609def8cb7

  • SHA256

    faf0518430f6333ff6fe2e3c51bb69cd3a1be29511aaa8b568b96945b4ff18ed

  • SHA512

    828fa0929acb64f78c46476121c2053c32ee682f812fa23f98ccd9143facba38230cd0da04bef5f81935c8791bae5605a38b05e2f45586be0ff1e3370e4b4811

  • SSDEEP

    6144:u07TDvqyS2EEBFH0WbMtg9mOYm/k+M84bCQM8475:xTDvq1C5XQq9mOr/k+M8Pd84

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

cu

Decoy

szmsdwl.com

sansurftowntesting.rocks

mixingtheworld.com

jagadhribartanbhandar.com

albanypieshop.com

tago.ltd

lmwellnessgroup.com

xn--vb0bj6jvrexvt.com

180pe.com

1l1threecome.men

visualgraphicarts.science

ecofitlife.com

kearneygeneralcontracting.com

stmarysbandclub.info

jinshucaijing.com

mariahdawson.com

tophoteluniverse.com

yastudent.com

fastrautoservice.com

fslgt.com

Signatures

  • Formbook

    Formbook is an information-stealing malware family that harvests credentials and other data from the infected host.

  • Formbook payload 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2076f3389e743659dcb4daef802479f3_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2076f3389e743659dcb4daef802479f3_JaffaCakes118.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4848
    • C:\Users\Admin\AppData\Local\Temp\2076f3389e743659dcb4daef802479f3_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\2076f3389e743659dcb4daef802479f3_JaffaCakes118.exe"
      2⤵
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4680

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Windows\win.ini

    Filesize

    123B

    MD5

    6bf517432f65eb7f0d18d574bf14124c

    SHA1

    5b9f37c1dd1318ebbec3bd2f07c109eb9d22c727

    SHA256

    6e2b70dfccabf3cc651545676a3a566c9cfae03f15f772886646abce1da35b46

    SHA512

    7b0cb8c20034585ec8bf4b45eda5eda5993a56e24931a7426dc5a9f081ec1f82545f3e26a48a4df885c8691fc6e8026d0808aebe3cc3358ba85ddca08ac4cb06

  • memory/4680-9-0x0000000000630000-0x0000000000636000-memory.dmp

    Filesize

    24KB

  • memory/4680-8-0x0000000000400000-0x0000000000467000-memory.dmp

    Filesize

    412KB

  • memory/4680-11-0x000000001FFB0000-0x00000000202FA000-memory.dmp

    Filesize

    3.3MB

  • memory/4848-3-0x0000000077551000-0x0000000077671000-memory.dmp

    Filesize

    1.1MB