Analysis
-
max time kernel
148s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
17-05-2024 23:18
General
-
Target
50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe
-
Size
264KB
-
MD5
50282da5093e3086fcde377c5e8e28bd
-
SHA1
f8468c9953686b0b77dfb6949866c68b628ce73d
-
SHA256
ca49aa362621679944ff2bb5c323dbb64ef5f0364dff1be6168c0657962296ec
-
SHA512
7a60e543a0b918591c7dcec8286175ce3c2e746c18055ac5439a9790469b9152ab2f50be6dc7d8f70d0b4002e7b51a9e32a685befb83dc971311deca65c46818
-
SSDEEP
6144:G/HhXZxNiTGAATtFH0zpVVDkYx7pvX9GD:iXZykBFHApVVLFdXsD
Malware Config
Extracted
formbook
3.9
j0g2z5t
nikolajslot.com
buysellhkonline.com
citytireandmuffler.com
moodichocolate.com
hiresses.com
1577584.com
chantaljamet.com
madamrichest.com
catfooddude.com
the9-city.com
dota2.red
risottomyway.com
cmbgw.com
ospreylandingfl.com
nmkindustries.com
video-cuentos.com
rktcont.net
suresourcetreatment.com
molinaroscollision.com
femmefetefashions.com
Signatures
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Formbook payload 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VvxEzXiV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4E3F.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp4E3F.tmpFilesize
1KB
MD578f9992e5c2ea93a72077a101d6b99db
SHA117054c9674c3736b1b6b888e542a4be0dff826b7
SHA256fdab9bdab2abffd89d195752efd4b740bedd894eadd6c09495bcebeee83d4cbd
SHA512c705664731f15949521f2146fb25a790e1e5b7abbc2f31f70675acc282e5efdb09726f604b703eea54976f1f8e221daf5e2f6ab0d8203a941831084e6b2baaa9
-
memory/2428-8-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/2428-11-0x00000000016B0000-0x00000000019FA000-memory.dmpFilesize
3.3MB
-
memory/3812-0-0x0000000075032000-0x0000000075033000-memory.dmpFilesize
4KB
-
memory/3812-1-0x0000000075030000-0x00000000755E1000-memory.dmpFilesize
5.7MB
-
memory/3812-2-0x0000000075030000-0x00000000755E1000-memory.dmpFilesize
5.7MB
-
memory/3812-10-0x0000000075030000-0x00000000755E1000-memory.dmpFilesize
5.7MB