Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08-05-2024 21:21

General

  • Target

    26cc0c76595f1e82f6be57f44a7c6232_JaffaCakes118.exe

  • Size

    821KB

  • MD5

    26cc0c76595f1e82f6be57f44a7c6232

  • SHA1

    0d58b9a7feb0c43aa20907707ce81ebfd21f21a6

  • SHA256

    4275b2dbfe9de1028660a52bae61fc22d560abf0a96d9bf8079b319e8f610973

  • SHA512

    be9cc0efe3433a9d8320df49385a699e5df713cfe83008267ba76e334e35058ca7e4aeeda83ae178a62f9fd46e9adfc57cbbc7c1f0e35d5f258a18f4bcb72e4e

  • SSDEEP

    6144:v3fINvQlQQbSLXdB8usErKQEDCYwIjtSdj/4KngWIq6jRkO:vPINvWQQV+mDCY5SKKngWIj

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

dg1

Decoy


Signatures

  • Detect ZGRat V1 1 IoCs
  • Formbook

    Formbook is a data-stealing malware family.

  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Formbook payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\26cc0c76595f1e82f6be57f44a7c6232_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\26cc0c76595f1e82f6be57f44a7c6232_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1240
    • C:\Users\Admin\AppData\Local\Temp\26cc0c76595f1e82f6be57f44a7c6232_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\26cc0c76595f1e82f6be57f44a7c6232_JaffaCakes118.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3300

Downloads

  • memory/1240-6-0x0000000006280000-0x000000000631C000-memory.dmp (Filesize 624KB)
  • memory/1240-1-0x00000000006E0000-0x00000000007B4000-memory.dmp (Filesize 848KB)
  • memory/1240-2-0x0000000005830000-0x0000000005DD4000-memory.dmp (Filesize 5.6MB)
  • memory/1240-3-0x0000000005180000-0x0000000005212000-memory.dmp (Filesize 584KB)
  • memory/1240-4-0x00000000752A0000-0x0000000075A50000-memory.dmp (Filesize 7.7MB)
  • memory/1240-5-0x0000000005160000-0x0000000005180000-memory.dmp (Filesize 128KB)
  • memory/1240-0-0x00000000752AE000-0x00000000752AF000-memory.dmp (Filesize 4KB)
  • memory/1240-7-0x00000000752AE000-0x00000000752AF000-memory.dmp (Filesize 4KB)
  • memory/1240-8-0x00000000752A0000-0x0000000075A50000-memory.dmp (Filesize 7.7MB)
  • memory/1240-11-0x00000000752A0000-0x0000000075A50000-memory.dmp (Filesize 7.7MB)
  • memory/3300-9-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize 168KB)
  • memory/3300-12-0x0000000001000000-0x000000000134A000-memory.dmp (Filesize 3.3MB)
  • memory/3300-13-0x0000000001000000-0x000000000134A000-memory.dmp (Filesize 3.3MB)