Analysis

  • max time kernel: 117s
  • max time network: 117s
  • platform: windows7_x64
  • resource: win7-20240221-en
  • resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted: 08-05-2024 10:28

General

  • Target: 246b8a3300e87c961b0cb85a1d485597_JaffaCakes118.exe
  • Size: 862KB
  • MD5: 246b8a3300e87c961b0cb85a1d485597
  • SHA1: 31f92a80c5c88995fd6c29c75559d428fd1eb904
  • SHA256: 5155cbca08d97a5eaf47b303ecf752cc305bb273308ce79a67bdc4b35d2f41d0
  • SHA512: 4b79dfc44aeb4c3952d7038986d23eff1f0b528b61d400803c732c4b3e78415af9f72b5acf1e9a251420546a4b87604b8a4f2704517efad4f0de9eebdc5ab01d
  • SSDEEP: 12288:mbly675yJo0juRXhT4MghC35C6HWYeOmtHL+Qmznaj1eClK8KbCiZW:R6ca0jux+Bs3HjmtHLXxeAz0V

Malware Config

Extracted

  • Family: formbook
  • Version: 4.1
  • Campaign: btl
  • Decoy domains:


Signatures

  • Formbook

    Formbook is a data-stealing malware family (information stealer).

  • Formbook payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\246b8a3300e87c961b0cb85a1d485597_JaffaCakes118.exe (PID: 2276)
    Command line: "C:\Users\Admin\AppData\Local\Temp\246b8a3300e87c961b0cb85a1d485597_JaffaCakes118.exe"
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    • Child process: C:\Users\Admin\AppData\Local\Temp\246b8a3300e87c961b0cb85a1d485597_JaffaCakes118.exe (PID: 2592)
      Command line: "C:\Users\Admin\AppData\Local\Temp\246b8a3300e87c961b0cb85a1d485597_JaffaCakes118.exe"
      • Suspicious behavior: EnumeratesProcesses

Network

MITRE ATT&CK Matrix


Downloads

  • memory/2276-2-0x0000000000380000-0x0000000000393000-memory.dmp (Filesize: 76KB)
  • memory/2276-4-0x0000000000400000-0x00000000004DD000-memory.dmp (Filesize: 884KB)
  • memory/2276-0-0x0000000000220000-0x0000000000221000-memory.dmp (Filesize: 4KB)
  • memory/2276-1-0x0000000000380000-0x0000000000393000-memory.dmp (Filesize: 76KB)
  • memory/2592-3-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize: 184KB)