Analysis

  • max time kernel
    147s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    08-05-2024 20:15

General

  • Target

    268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe

  • Size

    616KB

  • MD5

    268afc68ac43d35ebd367d49433f0e37

  • SHA1

    fdb5f6dd1e6194e439ab2380ed2cb49c0184a34a

  • SHA256

    5eec2983e5ade0317c7380df23c6e70e4cdae38bfd39c27668b982b787b1c40c

  • SHA512

    6b732ed56e428500deb390b0f6317c70f925a24ec572b9b076f78080dfdb19789cc987356b569aae2d472780e604fd55d0efca071e26f0d3dfea0a5e2383b65f

  • SSDEEP

    6144:7mGJqJqBQv2LZA52ewOm/UroZnsEZ5wqvWcQCnB5aMkY+LqEemje3Gs73KeJK:7mOaGLtec/KoJL7xBBOimje2sDKeJK

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

to

Decoy

13s9.com

stayingcentred.com

cravastudios.com

yukilegal.com

895manbet.com

bf1tdesign.com

jakeandjackie.com

squisita.online

nuoya68888.com

bizkaibus.live

pupnpints.com

bigflew.online

researchinabox.com

tenerifediscounts.com

spookyshoppe.com

huipai-trade.com

beroar.com

readysetshot.com

veggie.fyi

findworkjobsonline.com

Extracted

Family

pony

C2

http://tolain.ru/tola/gate.php

Attributes
  • payload_url

    http://myp0nysite.ru/shit.exe
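The two extracted configs above are the report's most directly actionable output. The following scanner, an added example rather than part of the sandbox report, turns them into a hunt over proxy- and DNS-style log lines. Formbook beacons to its decoy domains as well as to its live C2, so every listed domain is treated as a hit; the assumption that the "Campaign" value (`to`) is the URI path of the beacon (`http://<domain>/to/`) is mine and is used only to raise confidence on a match, not as a requirement. The log lines are constructed for the example, not taken from the report's network tab.

```python
"""Scan proxy/DNS style log lines for the indicators in this report's Malware Config."""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Domains copied verbatim from the Formbook "Decoy" list above.
FORMBOOK_DOMAINS = frozenset({
    "13s9.com", "stayingcentred.com", "cravastudios.com", "yukilegal.com",
    "895manbet.com", "bf1tdesign.com", "jakeandjackie.com", "squisita.online",
    "nuoya68888.com", "bizkaibus.live", "pupnpints.com", "bigflew.online",
    "researchinabox.com", "tenerifediscounts.com", "spookyshoppe.com",
    "huipai-trade.com", "beroar.com", "readysetshot.com", "veggie.fyi",
    "findworkjobsonline.com",
})
# Assumption: the report's "Campaign" value is the URI path Formbook beacons to.
FORMBOOK_CAMPAIGN_PATH = "/to/"
# (host, path) pairs from the Pony config: C2 gate and the second-stage download.
PONY_INDICATORS = {
    ("tolain.ru", "/tola/gate.php"): "pony-c2",
    ("myp0nysite.ru", "/shit.exe"): "pony-payload",
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def normalize_host(host: str) -> str:
    """Lower-case, drop a trailing dot and a leading www. so variants match."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def classify_host(host: str, path: str = "") -> Optional[str]:
    """Label a host (and optional URL path) if it matches a report indicator."""
    host = normalize_host(host)
    label = PONY_INDICATORS.get((host, path.lower()))
    if label:
        return label
    if host in FORMBOOK_DOMAINS:
        # Only one listed domain is the live C2, but Formbook contacts the
        # decoys too, so any of them seen on the wire is worth a ticket.
        if path.lower().startswith(FORMBOOK_CAMPAIGN_PATH):
            return "formbook-c2-beacon"
        return "formbook-domain"
    return None


def scan_line(line: str) -> List[Tuple[str, str]]:
    """Return (indicator, label) pairs found in one log line."""
    hits = []
    urls = URL_RE.findall(line)
    for url in urls:
        parts = urlsplit(url)
        if parts.hostname:
            label = classify_host(parts.hostname, parts.path or "/")
            if label:
                hits.append((url, label))
    if not urls:
        # No URL present (e.g. a DNS log): fall back to bare hostnames.
        for host in HOST_RE.findall(line):
            label = classify_host(host)
            if label:
                hits.append((host, label))
    return hits


def scan_log(lines) -> List[Tuple[int, Tuple[str, str]]]:
    """(line number, hit) for every indicator hit across the log."""
    return [(n, hit) for n, line in enumerate(lines, 1) for hit in scan_line(line)]


# Constructed sample lines (not from the report) in a proxy/DNS style.
SAMPLE_LOG = [
    "1715199300.101 10.0.0.5 GET http://www.stayingcentred.com/to/ 200",
    "1715199301.220 10.0.0.5 POST http://tolain.ru/tola/gate.php 200",
    "1715199302.333 10.0.0.5 GET http://myp0nysite.ru/shit.exe 404",
    "1715199303.444 10.0.0.5 GET https://example.com/index.html 200",
    "1715199304.555 dns query from 10.0.0.5: veggie.fyi A",
]

if __name__ == "__main__":
    for n, (indicator, label) in scan_log(SAMPLE_LOG):
        print(f"line {n}: {label:<20} {indicator}")
```

The Pony entries are matched on host plus path rather than on the full URL string so that scheme and query-string variations do not defeat the match; the Formbook entries are matched on host alone, with the campaign path only promoting the label.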

Signatures

  • Formbook

    Formbook is an information-stealing malware family that harvests credentials, keystrokes and form data from browsers and other applications.

  • Pony,Fareit

    Pony (also tracked as Fareit) is a credential-stealing trojan and downloader; in this sample it fetches its next stage from the payload_url listed above.

  • Formbook payload 2 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 34 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1156
    • C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Drops file in Windows directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2320
      • C:\Users\Admin\AppData\Local\Temp\TOLAbin.exe
        "C:\Users\Admin\AppData\Local\Temp\TOLAbin.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2548
      • C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe"
        3⤵
        • Accesses Microsoft Outlook accounts
        • Accesses Microsoft Outlook profiles
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • outlook_win_path
        PID:2672
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\259407838.bat" "C:\Users\Admin\AppData\Local\Temp\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe" "
          4⤵
          • Deletes itself
          PID:2876
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2388
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\TOLAbin.exe"
        3⤵
          PID:1560
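The process tree above, together with the "Suspicious use of SetThreadContext", "Deletes itself" and "Executes dropped EXE" signatures, shows three patterns worth encoding as detection logic: the sample re-launching its own image (the parent/child pair with the same path, consistent with SetThreadContext-based hollowing), a 32-bit `SysWOW64\explorer.exe` spawned directly by the 64-bit shell, and `cmd.exe` deleting a dropped Temp binary or running a Temp batch file that takes the parent's own path as an argument. The script below is an added example, not part of the report or of any EDR product; the events are constructed from the report's tree (PIDs and paths as listed there), the dict shape is an assumption, and the self-respawn allowlist is a placeholder for the browsers that legitimately spawn same-image children.

```python
"""Heuristics over process-creation events for the behaviours in this report's
process tree: self-respawn, 32-bit explorer.exe under the shell, and self-deletion."""
import re
from typing import Dict, List, Tuple

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\268afc68ac43d35ebd367d49433f0e37_JaffaCakes118.exe"

# Constructed events mirroring the report's process tree (assumed schema).
EVENTS: List[Dict] = [
    {"pid": 1156, "ppid": 0, "image": r"C:\Windows\Explorer.EXE",
     "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 2320, "ppid": 1156, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2548, "ppid": 2320, "image": TEMP + r"\TOLAbin.exe",
     "cmdline": f'"{TEMP}\\TOLAbin.exe"'},
    {"pid": 2672, "ppid": 2320, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2876, "ppid": 2672, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'cmd /c ""{TEMP}\\259407838.bat" "{SAMPLE}" "'},
    {"pid": 2388, "ppid": 1156, "image": r"C:\Windows\SysWOW64\explorer.exe",
     "cmdline": r'"C:\Windows\SysWOW64\explorer.exe"'},
    {"pid": 1560, "ppid": 2388, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'/c del "{TEMP}\\TOLAbin.exe"'},
]

# Browsers and similar sandboxed apps spawn same-image children legitimately.
SELF_SPAWN_ALLOWLIST = frozenset({"chrome.exe", "msedge.exe", "firefox.exe"})
TEMP_MARK = "\\appdata\\local\\temp\\"
DEL_RE = re.compile(r'\bdel\b\s+"?([^"]+\.exe)"?')
BAT_RE = re.compile(r'\\appdata\\local\\temp\\[^"\s]+\.bat')


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def detect(events: List[Dict], allow=SELF_SPAWN_ALLOWLIST) -> List[Tuple[int, str]]:
    """Return (pid, finding) pairs, in event order."""
    by_pid = {e["pid"]: e for e in events}
    executed = {e["image"].lower() for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        img, cmd = e["image"].lower(), e["cmdline"].lower()
        pimg = parent["image"].lower() if parent else ""
        # 1. Same image as the parent: the 2320 -> 2672 pair in the report.
        if parent and pimg == img and basename(img) not in allow:
            findings.append((e["pid"], "self-respawn"))
        # 2. 32-bit explorer.exe launched by the 64-bit shell (1156 -> 2388).
        if (parent and img.endswith("\\syswow64\\explorer.exe")
                and pimg.endswith("\\windows\\explorer.exe")):
            findings.append((e["pid"], "wow64-explorer-from-shell"))
        if img.endswith("\\cmd.exe"):
            # 3a. "del" of an executable under Temp; stronger if that file ran.
            m = DEL_RE.search(cmd)
            if m and TEMP_MARK in m.group(1):
                label = "deletes-temp-exe"
                if m.group(1) in executed:
                    label += "-that-ran"
                findings.append((e["pid"], label))
            # 3b. Temp batch file given the parent's own path: self-delete stub.
            if parent and BAT_RE.search(cmd) and pimg in cmd:
                findings.append((e["pid"], "self-delete-batch"))
    return findings


if __name__ == "__main__":
    for pid, finding in detect(EVENTS):
        print(f"PID {pid}: {finding}")
```

Rule 1 on its own is noisy without the allowlist; the combination with rule 3b (a child of the respawned copy running a Temp batch that names the respawned image) is what makes this tree stand out, so correlate across the chain rather than alerting on any single rule.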

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\259407838.bat

      Filesize

      94B

      MD5

      3880eeb1c736d853eb13b44898b718ab

      SHA1

      4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

      SHA256

      936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

      SHA512

      3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

    • C:\Windows\win.ini

      Filesize

      506B

      MD5

      8e6100faa270f8b935ebba91ae814491

      SHA1

      1b5d16ec7d3f2ed289fc4c079fed992275578257

      SHA256

      293b109535400cdd3eb36c8a47dcdda245e8f48200aa59bfddb21d105923e93b

      SHA512

      78b36ef3fd77d991d7ef9aa4f900f653edb1df5ab6ddbc369e0b3b3430fba9074673bf67d208cbb885b41afd3a9cd26ae9c2b392c70df7d08f055a41318469e7

    • \Users\Admin\AppData\Local\Temp\TOLAbin.exe

      Filesize

      167KB

      MD5

      3903702822dd3f972ad6f23c855ebaea

      SHA1

      677a7b1e5a5b71f6f492c57a21dd1149cff95302

      SHA256

      e6c547ff98f9f695304185cc6b39567ae0bc64c63be6a21d1c97dbb941b378c3

      SHA512

      2f5844301a43176f5607dbf9406b97c9ad2220631499b3644b95faa5a2d9b3dc3ab4d18bcbaf01c37aea9defc5e067a71d0bf11d865c121a6c955d0d1df740b0

    • memory/1156-22-0x0000000003B70000-0x0000000003C70000-memory.dmp

      Filesize

      1024KB

    • memory/1156-27-0x0000000008C50000-0x0000000008DD9000-memory.dmp

      Filesize

      1.5MB

    • memory/1156-45-0x0000000008C50000-0x0000000008DD9000-memory.dmp

      Filesize

      1.5MB

    • memory/1156-43-0x0000000004400000-0x00000000044B9000-memory.dmp

      Filesize

      740KB

    • memory/1156-23-0x0000000004400000-0x00000000044B9000-memory.dmp

      Filesize

      740KB

    • memory/2320-5-0x0000000002E50000-0x0000000002F50000-memory.dmp

      Filesize

      1024KB

    • memory/2320-4-0x0000000000290000-0x0000000000390000-memory.dmp

      Filesize

      1024KB

    • memory/2320-7-0x0000000077741000-0x0000000077842000-memory.dmp

      Filesize

      1.0MB

    • memory/2320-8-0x0000000077740000-0x00000000778E9000-memory.dmp

      Filesize

      1.7MB

    • memory/2388-39-0x00000000000F0000-0x0000000000371000-memory.dmp

      Filesize

      2.5MB

    • memory/2548-26-0x0000000000D70000-0x0000000000D9A000-memory.dmp

      Filesize

      168KB

    • memory/2548-25-0x0000000000D8B000-0x0000000000D8C000-memory.dmp

      Filesize

      4KB

    • memory/2548-21-0x0000000077740000-0x00000000778E9000-memory.dmp

      Filesize

      1.7MB

    • memory/2672-36-0x0000000000400000-0x0000000000419000-memory.dmp

      Filesize

      100KB

    • memory/2672-19-0x0000000000400000-0x0000000000419000-memory.dmp

      Filesize

      100KB

    • memory/2672-20-0x0000000077740000-0x00000000778E9000-memory.dmp

      Filesize

      1.7MB

    • memory/2672-17-0x0000000000400000-0x0000000000419000-memory.dmp

      Filesize

      100KB