Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-05-2024 18:11

General

  • Target

    2b3c4a317d8fc64ca9991aec36624e6d_JaffaCakes118.exe

  • Size

    745KB

  • MD5

    2b3c4a317d8fc64ca9991aec36624e6d

  • SHA1

    db802611ad8a645d12a609f596d152c2ea5d0d52

  • SHA256

    82f4ebd30b18743d8cc409de5931a978434755705af9bbfa3c6d8d0b34d30a6b

  • SHA512

    09cab61855eb7dffbe26a3ac51338510d74b5c6b7fbccb5610b295ac2ccf199c4b559ca3162b984689b535c9f7a53ee708671bba44c8fb3fbf5910aca77c0ef1

  • SSDEEP

    12288:k0QQSy3frualbxbrBsbkqgkEKjzH4tvF89:RSyrskJuc9

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gtb

Decoy

Signatures

  • Formbook

    Formbook is an information-stealing malware family.

  • Formbook payload (3 IoCs)
  • Suspicious use of SetThreadContext (6 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: MapViewOfSection (11 IoCs)
  • Suspicious use of AdjustPrivilegeToken (6 IoCs)
  • Suspicious use of WriteProcessMemory (48 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1368
    • C:\Users\Admin\AppData\Local\Temp\2b3c4a317d8fc64ca9991aec36624e6d_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\2b3c4a317d8fc64ca9991aec36624e6d_JaffaCakes118.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2008
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1884
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\2b3c4a317d8fc64ca9991aec36624e6d_JaffaCakes118.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:940
        • C:\Windows\SysWOW64\choice.exe
          choice /C Y /N /D Y /T 3
          4⤵
            PID:2816
        • C:\Users\Admin\AppData\Local\Temp\2b3c4a317d8fc64ca9991aec36624e6d_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\2b3c4a317d8fc64ca9991aec36624e6d_JaffaCakes118.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2824
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            4⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:2460
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\2b3c4a317d8fc64ca9991aec36624e6d_JaffaCakes118.exe"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2568
            • C:\Windows\SysWOW64\choice.exe
              choice /C Y /N /D Y /T 3
              5⤵
                PID:2908
        • C:\Windows\SysWOW64\help.exe
          "C:\Windows\SysWOW64\help.exe"
          2⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2520
          • C:\Windows\SysWOW64\cmd.exe
            /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            3⤵
              PID:2640
          • C:\Windows\SysWOW64\control.exe
            "C:\Windows\SysWOW64\control.exe"
            2⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2592

Network

MITRE ATT&CK Enterprise v15


Downloads

  • memory/1368-8-0x0000000000360000-0x0000000000460000-memory.dmp (Filesize: 1024KB)
  • memory/1884-5-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize: 184KB)
  • memory/1884-15-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize: 184KB)
  • memory/1884-11-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize: 184KB)
  • memory/1884-6-0x00000000021F0000-0x00000000024F3000-memory.dmp (Filesize: 3.0MB)
  • memory/2008-3-0x0000000004360000-0x000000000439A000-memory.dmp (Filesize: 232KB)
  • memory/2008-4-0x0000000074D20000-0x000000007540E000-memory.dmp (Filesize: 6.9MB)
  • memory/2008-0-0x0000000074D2E000-0x0000000074D2F000-memory.dmp (Filesize: 4KB)
  • memory/2008-2-0x0000000074D20000-0x000000007540E000-memory.dmp (Filesize: 6.9MB)
  • memory/2008-1-0x0000000000D70000-0x0000000000E30000-memory.dmp (Filesize: 768KB)
  • memory/2008-20-0x0000000074D2E000-0x0000000074D2F000-memory.dmp (Filesize: 4KB)
  • memory/2008-21-0x0000000074D20000-0x000000007540E000-memory.dmp (Filesize: 6.9MB)
  • memory/2008-22-0x0000000074D20000-0x000000007540E000-memory.dmp (Filesize: 6.9MB)
  • memory/2520-13-0x0000000000DB0000-0x0000000000DB6000-memory.dmp (Filesize: 24KB)
  • memory/2592-14-0x00000000007B0000-0x00000000007CF000-memory.dmp (Filesize: 124KB)