Overview

overview

10

Static

static

3

444d3df9a2...18.exe

windows7-x64

10

444d3df9a2...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-05-2024 03:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    444d3df9a20c68281353a091f76428e3_JaffaCakes118.exe

  • Size

    485KB

  • MD5

    444d3df9a20c68281353a091f76428e3

  • SHA1

    b8659dab04ea1120bc696a1ee43b5d3022f830a5

  • SHA256

    c222b07df99688f8ba5c35ce475d970b9fd0597420061d42707b553d00c788aa

  • SHA512

    34556cf1a8ef045f8ae76f5d81216cae4748f51d3ecf81a12e2799c7ee4705457e47c5755c26bb40f296a27e7ad088c703d899bab8472f409b9b28b83ee6f1d7

  • SSDEEP

    12288:IJzuW1RElKHFrTzh4NnsGvyrTOEEF1TQEULvz/:czuyElmlTMshrTC/kEULvD

Score
10/10
formbookumagilenetpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

um

Decoy

tophandbagmart.com

indycabinetconnection.com

lastmonthsnews.com

schoolofgeneius.com

talkingtoms.com

pleasefixmyheat.com

nvdough.com

tauruslegal.com

designercoverscustom.com

clubdevfun.com

pourpop.com

republiccreditcoin.com

nmochat.com

techpriors.com

apartmentsomr.com

edjamesjones.com

hxtfgs.com

betturka.media

organicwaisttrainingcorset.com

foxtrotfilm.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 2 IoCs
    rat
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3488
    • C:\Users\Admin\AppData\Local\Temp\444d3df9a20c68281353a091f76428e3_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\444d3df9a20c68281353a091f76428e3_JaffaCakes118.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4752
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:116
    • C:\Windows\SysWOW64\ipconfig.exe
      "C:\Windows\SysWOW64\ipconfig.exe"
      2⤵
      • Adds policy Run key to start application
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Gathers network information
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4768
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        3⤵
          PID:2504
        • C:\Windows\SysWOW64\cmd.exe
          /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
          3⤵
            PID:2548

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\DB1
        Filesize

        46KB

        MD5

        8f5942354d3809f865f9767eddf51314

        SHA1

        20be11c0d42fc0cef53931ea9152b55082d1a11e

        SHA256

        776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

        SHA512

        fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

        Download Submit

      • C:\Users\Admin\AppData\Roaming\78N-QDRE\78Nlogim.jpeg
        Filesize

        78KB

        MD5

        6818aa485d6f15af412d9a6092a6238a

        SHA1

        1fe521cddf7f901b9e6460f0d2bb089132832312

        SHA256

        f5db5a3af4c8923541ec53dc83e827554b8d9d2e50ad14ab44d7f27f3830a427

        SHA512

        d427288496de4e535c4f345a271623e012e42cd684a97d9f6038b466d9157cec410ca1686bf50cff01483311bda32c5f29f317baccfc1499742d6a97026a40db

        Download Submit

      • C:\Users\Admin\AppData\Roaming\78N-QDRE\78Nlogrg.ini
        Filesize

        38B

        MD5

        4aadf49fed30e4c9b3fe4a3dd6445ebe

        SHA1

        1e332822167c6f351b99615eada2c30a538ff037

        SHA256

        75034beb7bded9aeab5748f4592b9e1419256caec474065d43e531ec5cc21c56

        SHA512

        eb5b3908d5e7b43ba02165e092f05578f45f15a148b4c3769036aa542c23a0f7cd2bc2770cf4119a7e437de3f681d9e398511f69f66824c516d9b451bb95f945

        Download Submit

      • C:\Users\Admin\AppData\Roaming\78N-QDRE\78Nlogri.ini
        Filesize

        40B

        MD5

        d63a82e5d81e02e399090af26db0b9cb

        SHA1

        91d0014c8f54743bba141fd60c9d963f869d76c9

        SHA256

        eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

        SHA512

        38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

        Download Submit

      • C:\Users\Admin\AppData\Roaming\78N-QDRE\78Nlogrv.ini
        Filesize

        872B

        MD5

        bbc41c78bae6c71e63cb544a6a284d94

        SHA1

        33f2c1d9fa0e9c99b80bc2500621e95af38b1f9a

        SHA256

        ee83c6bcea9353c74bfc0a7e739f3c4a765ace894470e09cdcdebba700b8d4cb

        SHA512

        0aea424b57adae3e14ad6491cab585f554b4dffe601b5a17bad6ee6177d2f0f995e419cde576e2d1782b9bddc0661aada11a2c9f1454ae625d9e3223635ec9f4

        Download Submit

      • memory/116-10-0x00000000018B0000-0x0000000001BFA000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/116-12-0x0000000000400000-0x000000000042A000-memory.dmp

        Filesize

        168KB

        Download

      • memory/116-13-0x00000000017C0000-0x00000000017D4000-memory.dmp

        Filesize

        80KB

        Download

      • memory/116-6-0x0000000000400000-0x000000000042A000-memory.dmp

        Filesize

        168KB

        Download

      • memory/3488-25-0x000000000A4E0000-0x000000000A637000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/3488-18-0x0000000007B50000-0x0000000007C78000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/3488-14-0x0000000007B50000-0x0000000007C78000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/3488-22-0x000000000A4E0000-0x000000000A637000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/3488-21-0x000000000A4E0000-0x000000000A637000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/4752-5-0x0000000004BE0000-0x0000000004C10000-memory.dmp

        Filesize

        192KB

        Download

      • memory/4752-8-0x0000000074E40000-0x00000000755F0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4752-0-0x0000000074E4E000-0x0000000074E4F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4752-9-0x0000000074E40000-0x00000000755F0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4752-4-0x0000000074E40000-0x00000000755F0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4752-3-0x0000000004E40000-0x0000000004E9A000-memory.dmp

        Filesize

        360KB

        Download

      • memory/4752-2-0x0000000004A40000-0x0000000004AD2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/4752-1-0x0000000000060000-0x00000000000E0000-memory.dmp

        Filesize

        512KB

        Download

      • memory/4768-16-0x0000000000550000-0x000000000055B000-memory.dmp

        Filesize

        44KB

        Download

      • memory/4768-15-0x0000000000550000-0x000000000055B000-memory.dmp

        Filesize

        44KB

        Download