Overview

overview

10

Static

static

3

4b580aef49...18.exe

windows7-x64

10

4b580aef49...18.exe

windows10-2004-x64

10

$PLUGINSDI...sh.dll

windows7-x64

3

$PLUGINSDI...sh.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$TEMP/alerting.dll

windows7-x64

3

$TEMP/alerting.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    154s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-05-2024 13:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe

  • Size

    327KB

  • MD5

    4b580aef493e3c12ff7c8c059cb73973

  • SHA1

    efd2ba7c60ecd1d4e70850406d3d62f4c979eeef

  • SHA256

    6999f846f01515ae48c049e1114b0cebad84d0eb047c10684eff81e9d391ad0b

  • SHA512

    3822cd04861c1497241ac611bbc89b313df0d2bbd43b09f3cf1cf43ae796e4cf1254a73619f421480e5b0cd1b5e7bb36dd5d398a344e08e7f4ef091b939f22c7

  • SSDEEP

    6144:r5L8cieNER8g5TNAKzLB1/1VS7EcsAFhr6RY6NLAnswHeGgoSKJLiWkFdDPNXcKd:Z8ciqEJViO1rSR56n0swHLjiBSKB9Z

Score
10/10
formbookc191ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

c191

Decoy

yegua.rocks

retouraffectifrapide.com

mediacionelite.com

carrosseriemartins.com

filminglombokindonesia.com

rwpygl.info

wkwlkj.com

yjeoevqdaf.info

margaretaphotographs.com

damaskfabricandtextiles.com

woofgang.life

goodhabitsapp.com

kunweishidai.com

kuaizhilian.com

parkaraya.com

globallogic-us.com

charlottephotoboothrental.com

pouchbagsupplier.com

njlgmq.com

nazreenakhtar.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 2 IoCs
    rat
  • Loads dropped DLL 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3356
      • C:\Users\Admin\AppData\Local\Temp\4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe"
        2⤵
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:940
        • C:\Windows\SysWOW64\nslookup.exe
          "C:\Windows\system32\nslookup.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:384
      • C:\Windows\SysWOW64\wscript.exe
        "C:\Windows\SysWOW64\wscript.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2900
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Windows\SysWOW64\nslookup.exe"
          3⤵
            PID:1100
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4092 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
        1⤵
          PID:1612

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\alerting.dll
          Filesize

          9KB

          MD5

          899df66ecc89a8b62a4e01e719790daf

          SHA1

          81a289f7fe4560995b11c344ffe145df570a14e2

          SHA256

          b798c94ed8f6832b83fb5c6ca5c071dcac11e363fbfd4ce34dc68ff02a77678c

          SHA512

          300e7ac987ca9d012758ed9521c27f50a9f89440e2b5fe0ed3b3c0a48b13496c82f9ad1761a3d12e21f8622ef5a52082dd44aa30e3b97a2d6c054d2ca924cd7d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\nsbC8C0.tmp\Splash.dll
          Filesize

          4KB

          MD5

          3f35f73787f0c3bb5e59445fb18ade0d

          SHA1

          f1566faff96c3988cfc28dc7d433094b6348cdbf

          SHA256

          5570969d22a33c23b60c5f5536f781219e458a869b77b8dde4a94cc124ee4de6

          SHA512

          45c42ea95f53a3b8a3fd74bd55ad6f0b3f2b91dd969104de845fd819fe307dec2b4d472bee45554500b0c51052ee82ac98196e894af806edf67a947328474e57

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\nsbC8C0.tmp\System.dll
          Filesize

          11KB

          MD5

          fbe295e5a1acfbd0a6271898f885fe6a

          SHA1

          d6d205922e61635472efb13c2bb92c9ac6cb96da

          SHA256

          a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

          SHA512

          2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

          Download Submit

        • C:\Windows\win.ini
          Filesize

          131B

          MD5

          9848e4efb0abd437d65e6d3d1d973adb

          SHA1

          f427ac7c50b19f66658ae7f92cbaf21110b49a47

          SHA256

          c8b84add37da849977a84fe62badb6cb908be99769edb70d60bcd04c0aec2a3f

          SHA512

          f90f1f65b6b824a526469b8d739f733a54a7f485d8b5f680de7a35fac90786bf6ba5a0b1d62e139663c5ee73b8d687cf32d4ccf188e18c53084ec12d8c216b17

          Download Submit

        • memory/384-100030-0x0000000000DD0000-0x0000000000DD5000-memory.dmp

          Filesize

          20KB

          Download

        • memory/384-100046-0x0000000000400000-0x000000000042A000-memory.dmp

          Filesize

          168KB

          Download

        • memory/384-100044-0x0000000000DD0000-0x0000000000DD5000-memory.dmp

          Filesize

          20KB

          Download

        • memory/384-100042-0x0000000000400000-0x000000000042A000-memory.dmp

          Filesize

          168KB

          Download

        • memory/384-100031-0x00007FF99AA90000-0x00007FF99AC85000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/940-26-0x0000000003020000-0x0000000003021000-memory.dmp

          Filesize

          4KB

          Download

        • memory/940-100029-0x00007FF99AA90000-0x00007FF99AC85000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/940-100028-0x0000000000510000-0x0000000000519000-memory.dmp

          Filesize

          36KB

          Download

        • memory/940-25-0x0000000003010000-0x0000000003011000-memory.dmp

          Filesize

          4KB

          Download

        • memory/940-19-0x0000000003030000-0x0000000003037000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2900-100045-0x0000000000710000-0x0000000000737000-memory.dmp

          Filesize

          156KB

          Download

        • memory/3356-100050-0x00000000084C0000-0x0000000008616000-memory.dmp

          Filesize

          1.3MB

          Download