Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-05-2024 12:28

General

  • Target

    29f92283750de72e762be0defcaaf7bc_JaffaCakes118.exe

  • Size

    272KB

  • MD5

    29f92283750de72e762be0defcaaf7bc

  • SHA1

    2375cd5381df116fcd4e548065a1a1f8e6d9d4f3

  • SHA256

    214252466a63120c1473180e5f4d2558f59a6a12aa8f3c38d3d5f45712965d7c

  • SHA512

    2b346d0898e63308fc88b7a7f0dc70bd3ec91ee835e3e46cbd05275030ba0a5ef02802ae31b033cc4d156fdca8a4d88e4c16ffdc75a21ec2387f051db68f95ad

  • SSDEEP

    6144:9mWaVTWFH0b/8FvlTbXOVj73t7ustHdepOPxKLQJ:AWhFc/8ZlNycpOJK

Malware Config

Extracted

  • Family
    formbook
  • Version
    3.8
  • Campaign
    mk
  • Decoy
    push-notifications.net
    riopumpen.com
    tourniquetleash.com
    webjobsource.com
    lovelouevents.com
    exesac.com
    zodiacleagues.com
    detoutespetiteschoses.com
    canondrop.com
    588pz.com
    townsvillewomenmarketplace.com
    caramaschitopquality.com
    1lrl.com
    fg-lawchambers.com
    sdbeishida.com
    puregarciniacambogia.store
    virtualcurrency.loan
    retinaonline.store
    memesclothes.com
    wineflash.net

Signatures

  • Formbook

    Formbook is a data-stealing malware family.

  • Formbook payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\29f92283750de72e762be0defcaaf7bc_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\29f92283750de72e762be0defcaaf7bc_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3788
    • C:\Users\Admin\AppData\Local\Temp\29f92283750de72e762be0defcaaf7bc_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\29f92283750de72e762be0defcaaf7bc_JaffaCakes118.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1520

Network

MITRE ATT&CK Matrix


Downloads

  • memory/1520-4-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/3788-3-0x0000000000480000-0x0000000000580000-memory.dmp

    Filesize

    1024KB

  • memory/3788-5-0x0000000077A91000-0x0000000077BB1000-memory.dmp

    Filesize

    1.1MB