Analysis

  • max time kernel
    121s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    09-05-2024 06:58

General

  • Target

    28d109c8ae793e4166f571c33862b727_JaffaCakes118.exe

  • Size

    1.4MB

  • MD5

    28d109c8ae793e4166f571c33862b727

  • SHA1

    bfb670e54ce2ec6caf7e3dcee84f013c50913a82

  • SHA256

    72430a2f734d2e80b7f465382cf3d0cb0f640fff26bf1d98ccec2430cdc9fb2d

  • SHA512

    45f5499f314f8a18f33e52bcd347f69ebf2f8cc660e5bb436ca2f43d46bfcf12744ccfdd4e0c432d692665dd9885edb3da71342ed3b332d6ab93944706e0766e

  • SSDEEP

    24576:+e4dCkuNAU5WbbjpttWxYj0Jonxrj+cuU:+fuu/DtWxZJUl+cu

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

ob

Decoy

humblefamilydentist.com

as4rff.faith

duanroyalhill.com

goodday6688.com

naylorcourtlofts.com

lighthouse-landing.com

internationaldiplomat.net

thedutchkeys.com

theperfecttouchfloraldesign.com

guidatravel.com

superaffiliateprolist.com

dbishirts.com

testaddnewdomains.academy

wshx999.com

disneylandcentral.com

livingwagecoalition.com

takaosan.online

tv16575.info

parsited.com

taschemichaelkors.info

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

  • Formbook payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\28d109c8ae793e4166f571c33862b727_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\28d109c8ae793e4166f571c33862b727_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2204
    • C:\Users\Admin\AppData\Local\Temp\28d109c8ae793e4166f571c33862b727_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\28d109c8ae793e4166f571c33862b727_JaffaCakes118.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2192

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2192-3-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2204-2-0x0000000077630000-0x0000000077706000-memory.dmp

    Filesize

    856KB