Analysis

  • max time kernel: 150s
  • max time network: 151s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240508-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 09-05-2024 18:11

General

  • Target: 2b3c4a317d8fc64ca9991aec36624e6d_JaffaCakes118.exe
  • Size: 745KB
  • MD5: 2b3c4a317d8fc64ca9991aec36624e6d
  • SHA1: db802611ad8a645d12a609f596d152c2ea5d0d52
  • SHA256: 82f4ebd30b18743d8cc409de5931a978434755705af9bbfa3c6d8d0b34d30a6b
  • SHA512: 09cab61855eb7dffbe26a3ac51338510d74b5c6b7fbccb5610b295ac2ccf199c4b559ca3162b984689b535c9f7a53ee708671bba44c8fb3fbf5910aca77c0ef1
  • SSDEEP: 12288:k0QQSy3frualbxbrBsbkqgkEKjzH4tvF89:RSyrskJuc9

Malware Config

Extracted

  • Family: formbook
  • Version: 4.1
  • Campaign: gtb
  • Decoy

Signatures

  • Formbook
    Formbook is data-stealing malware.
  • Formbook payload (2 IoCs)
  • Checks computer location settings (2 TTPs, 2 IoCs)
    Looks up the country code configured in the registry, likely used as a geofence.
  • Suspicious use of SetThreadContext (5 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Enumerates system info in registry (2 TTPs, 1 IoC)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: MapViewOfSection (10 IoCs)
  • Suspicious use of AdjustPrivilegeToken (10 IoCs)
  • Suspicious use of WriteProcessMemory (32 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3516
    • C:\Users\Admin\AppData\Local\Temp\2b3c4a317d8fc64ca9991aec36624e6d_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\2b3c4a317d8fc64ca9991aec36624e6d_JaffaCakes118.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4440
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:3460
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\2b3c4a317d8fc64ca9991aec36624e6d_JaffaCakes118.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4872
        • C:\Windows\SysWOW64\choice.exe
          choice /C Y /N /D Y /T 3
          4⤵
          PID:3692
      • C:\Users\Admin\AppData\Local\Temp\2b3c4a317d8fc64ca9991aec36624e6d_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\2b3c4a317d8fc64ca9991aec36624e6d_JaffaCakes118.exe"
        3⤵
        • Checks computer location settings
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3688
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          4⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:2376
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\2b3c4a317d8fc64ca9991aec36624e6d_JaffaCakes118.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4220
          • C:\Windows\SysWOW64\choice.exe
            choice /C Y /N /D Y /T 3
            5⤵
            PID:816
    • C:\Windows\SysWOW64\chkdsk.exe
      "C:\Windows\SysWOW64\chkdsk.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Enumerates system info in registry
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2180
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        3⤵
        PID:4204
    • C:\Windows\SysWOW64\WWAHost.exe
      "C:\Windows\SysWOW64\WWAHost.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1240

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/1240-16-0x0000000000090000-0x000000000016C000-memory.dmp (Filesize: 880KB)
  • memory/1240-17-0x0000000000090000-0x000000000016C000-memory.dmp (Filesize: 880KB)
  • memory/2180-15-0x00000000005E0000-0x00000000005EA000-memory.dmp (Filesize: 40KB)
  • memory/3460-9-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize: 184KB)
  • memory/3460-5-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize: 184KB)
  • memory/3460-7-0x0000000002AA0000-0x0000000002DEA000-memory.dmp (Filesize: 3.3MB)
  • memory/3460-10-0x0000000000E60000-0x0000000000E74000-memory.dmp (Filesize: 80KB)
  • memory/3516-24-0x0000000009610000-0x00000000097B8000-memory.dmp (Filesize: 1.7MB)
  • memory/3516-28-0x000000000B180000-0x000000000B2EC000-memory.dmp (Filesize: 1.4MB)
  • memory/3516-11-0x0000000009610000-0x00000000097B8000-memory.dmp (Filesize: 1.7MB)
  • memory/3688-25-0x0000000074EAE000-0x0000000074EAF000-memory.dmp (Filesize: 4KB)
  • memory/3688-12-0x0000000074EAE000-0x0000000074EAF000-memory.dmp (Filesize: 4KB)
  • memory/4440-3-0x0000000074EA0000-0x0000000075650000-memory.dmp (Filesize: 7.7MB)
  • memory/4440-2-0x0000000004EC0000-0x0000000004F52000-memory.dmp (Filesize: 584KB)
  • memory/4440-1-0x00000000004D0000-0x0000000000590000-memory.dmp (Filesize: 768KB)
  • memory/4440-21-0x0000000074EAE000-0x0000000074EAF000-memory.dmp (Filesize: 4KB)
  • memory/4440-22-0x0000000074EA0000-0x0000000075650000-memory.dmp (Filesize: 7.7MB)
  • memory/4440-4-0x0000000004FD0000-0x000000000500A000-memory.dmp (Filesize: 232KB)
  • memory/4440-0-0x0000000074EAE000-0x0000000074EAF000-memory.dmp (Filesize: 4KB)
  • memory/4440-6-0x0000000074EA0000-0x0000000075650000-memory.dmp (Filesize: 7.7MB)