Overview

overview

10

Static

static

5

51507a0c76...18.exe

windows7-x64

10

51507a0c76...18.exe

windows10-2004-x64

5

Analysis

  • max time kernel
    145s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    17-05-2024 20:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    51507a0c76ccc002ad56782192d5257a_JaffaCakes118.exe

  • Size

    1.2MB

  • MD5

    51507a0c76ccc002ad56782192d5257a

  • SHA1

    bd38cc47586688595625f85f6a09e48a2c06287c

  • SHA256

    8c7a53c895aa1223a5dfde8ead365d9cbb4e8b868e81fbe9c52c3d203c5e1dba

  • SHA512

    60d01558d5cb56cdd39a27d6f1dde3860fd51932cad1ca453194863cb25626d90f6ee0602efc900d55ead28a16d9130716a6605cb55d579ad1ae0f847960a354

  • SSDEEP

    24576:6tb20pkaCqT5TBWgNQ7aGnTSxiQyCNOnck6A:nVg5tQ7aGSiQyC65

Score
10/10
formbookdiratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

di

Decoy

baoxiaofan.com

bestwaycartage.com

sag-architecture.com

salamcanteen.com

clinicalpsychologistkerala.com

mttv222.com

theweproject.com

fybbracelets.net

vv666h.com

bangfupin.com

arkprojetos.com

realgoaldigger.com

pilotedphotography.com

6zonxm55.biz

gaoduanmi.com

aminahmad.com

bountymarketing.net

christopher-rennebach.com

02xjys.faith

estilomiau.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1136
      • C:\Users\Admin\AppData\Local\Temp\51507a0c76ccc002ad56782192d5257a_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\51507a0c76ccc002ad56782192d5257a_JaffaCakes118.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:2240
        • C:\Windows\SysWOW64\WerFault.exe
          "C:\Windows\SysWOW64\WerFault.exe"
          3⤵
            PID:2712
        • C:\Windows\SysWOW64\msiexec.exe
          "C:\Windows\SysWOW64\msiexec.exe"
          2⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2212
          • C:\Windows\SysWOW64\cmd.exe
            /c del "C:\Windows\SysWOW64\WerFault.exe"
            3⤵
              PID:2580

        Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\1.resource
          Filesize

          167KB

          MD5

          a8f6f8cbc242432f29dd9cdd4fad31da

          SHA1

          b88d52b9e486ee8794b47028c2dda040e2af06fd

          SHA256

          cff694c17eb7be042516dd58d20baa5d48b48f6a7a05ec20589ac0603afe1d94

          SHA512

          b5aaa36d621a5eec0dab5c6d01dc57d4909557595c6bbc23864ea30eac343198bfb40ebf83994b12600ee1a3a9a42dd73cbf316c537a9637894db981df42ed93

          Download Submit

        • memory/2212-11-0x0000000000B10000-0x0000000000B24000-memory.dmp

          Filesize

          80KB

          Download

        • memory/2212-13-0x0000000000B10000-0x0000000000B24000-memory.dmp

          Filesize

          80KB

          Download

        • memory/2212-14-0x00000000025D0000-0x00000000028D3000-memory.dmp

          Filesize

          3.0MB

          Download

        • memory/2212-16-0x0000000002300000-0x0000000002393000-memory.dmp

          Filesize

          588KB

          Download

        • memory/2712-10-0x0000000000400000-0x000000000042A000-memory.dmp

          Filesize

          168KB

          Download

        • memory/2712-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2712-8-0x0000000000400000-0x000000000042A000-memory.dmp

          Filesize

          168KB

          Download

        • memory/2712-7-0x0000000000400000-0x000000000042A000-memory.dmp

          Filesize

          168KB

          Download

        • memory/2712-19-0x0000000000400000-0x000000000042A000-memory.dmp

          Filesize

          168KB

          Download