Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    10-05-2024 10:22

General

  • Target

    2ea720e08d23620eec19036e1e019fde_JaffaCakes118.exe

  • Size

    472KB

  • MD5

    2ea720e08d23620eec19036e1e019fde

  • SHA1

    e125ebf7c78ab570425a496482797c46783bc3c6

  • SHA256

    c2b83fb9b026ac37aaa0fa3599494f848c7d2ecd4da2493e6842fba00b31dba0

  • SHA512

    ce91403211d6b03bde8b94bcd0d961e7685b8d34e506882b96d58fea9234a4a48038eab5828a2ea349325a970032ce7b8f3e167233091b67785d3f9ef95992eb

  • SSDEEP

    6144:HfiZD08oqA7ik/P0QQnSoQ/NITl0OdjNSImQl2t88gfw3FU76wF:HfxHqAek/GS7BQYIp2t88XVUnF

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

sl

Decoy

man085.com

splnkr.com

ecogasuk.com

chefdominick.com

gopay.site

littlehootyoga.com

xmhailibu.com

maerz-it.com

garrongoshen.com

mstestlabo2.online

thepatioideas.com

loftiscpa.net

p3juices.com

knot-experts.win

hell.enterprises

luisa-anderson.com

transporterivas.com

lispic.com

admiralswitch.win

onionscreative.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

  • Formbook payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2ea720e08d23620eec19036e1e019fde_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2ea720e08d23620eec19036e1e019fde_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1924
    • C:\Users\Admin\AppData\Local\Temp\2ea720e08d23620eec19036e1e019fde_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\2ea720e08d23620eec19036e1e019fde_JaffaCakes118.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2988

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1924-3-0x0000000077751000-0x0000000077852000-memory.dmp

    Filesize

    1.0MB

  • memory/1924-6-0x0000000000600000-0x0000000000700000-memory.dmp

    Filesize

    1024KB

  • memory/1924-4-0x0000000077750000-0x00000000778F9000-memory.dmp

    Filesize

    1.7MB

  • memory/2988-5-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2988-7-0x0000000077750000-0x00000000778F9000-memory.dmp

    Filesize

    1.7MB

  • memory/2988-10-0x0000000000770000-0x0000000000A73000-memory.dmp

    Filesize

    3.0MB