Overview

overview

10

Static

static

3

5ca3fdf3bf...18.exe

windows7-x64

10

5ca3fdf3bf...18.exe

windows10-2004-x64

7

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...gs.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

$TEMP/votary.dll

windows7-x64

3

$TEMP/votary.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    148s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    20-05-2024 02:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5ca3fdf3bf5727f8362e9586473c0ee8_JaffaCakes118.exe

  • Size

    348KB

  • MD5

    5ca3fdf3bf5727f8362e9586473c0ee8

  • SHA1

    a3bc51f2cc8ff45605f82fe52a030d2b8759c92f

  • SHA256

    15b998430382125aff0b32c83b7685f19ec873c18a0a0160a257f6a886dad659

  • SHA512

    4070ec74cb0e2b74863b32857b6b914abdd5c4b579b9682b67bfeecac9c0ce3dff3c98049adee8bd4f420b0c3838a62dfdcdf8a64225bce1fea27261f260ff20

  • SSDEEP

    6144:P5UyIJOSGUfwPcU8s9JXxKnJsbTPqL7iBd5Nk/cqxD6uW39Ib71f:dIJUDc69JBKJWBC/cqxK9e

Score
10/10
formbookc190ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

c190

Decoy

youxisousuo.com

fabiast.win

mmweddingplanners.com

banmuonden.com

bulnitayiesfde.com

9q1s.com

cursodeinduccion.com

tvipatinga.com

cdkeysgenerator.com

thebestwaterinbelfast.com

gianlucacolombo.net

jetereconnais.com

design-linkage.com

sohogreenbay.net

skinjamonline.com

witechenterprise.net

9gcg.com

hometowngrowers.com

prettypix.events

standupand.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 2 IoCs
    rat
  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1184
      • C:\Users\Admin\AppData\Local\Temp\5ca3fdf3bf5727f8362e9586473c0ee8_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\5ca3fdf3bf5727f8362e9586473c0ee8_JaffaCakes118.exe"
        2⤵
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2552
        • C:\Windows\SysWOW64\nslookup.exe
          "C:\Windows\system32\nslookup.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:2700
      • C:\Windows\SysWOW64\autochk.exe
        "C:\Windows\SysWOW64\autochk.exe"
        2⤵
          PID:1476
        • C:\Windows\SysWOW64\autochk.exe
          "C:\Windows\SysWOW64\autochk.exe"
          2⤵
            PID:308
          • C:\Windows\SysWOW64\autochk.exe
            "C:\Windows\SysWOW64\autochk.exe"
            2⤵
              PID:1680
            • C:\Windows\SysWOW64\autochk.exe
              "C:\Windows\SysWOW64\autochk.exe"
              2⤵
                PID:892
              • C:\Windows\SysWOW64\autochk.exe
                "C:\Windows\SysWOW64\autochk.exe"
                2⤵
                  PID:2060
                • C:\Windows\SysWOW64\autochk.exe
                  "C:\Windows\SysWOW64\autochk.exe"
                  2⤵
                    PID:1652
                  • C:\Windows\SysWOW64\wscript.exe
                    "C:\Windows\SysWOW64\wscript.exe"
                    2⤵
                    • Suspicious use of SetThreadContext
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious behavior: MapViewOfSection
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2564
                    • C:\Windows\SysWOW64\cmd.exe
                      /c del "C:\Windows\SysWOW64\nslookup.exe"
                      3⤵
                        PID:792

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Windows\win.ini
                    Filesize

                    517B

                    MD5

                    893cae59ab5945a94a7da007d47a1255

                    SHA1

                    d4cfd81c6647ca64022bd307c08a7fb4bbbd4c06

                    SHA256

                    edfa0f2d3bea9f737e0315971c6f81d3d8e7d460b60a19351ada0316a093c938

                    SHA512

                    d66e454781f54f45df814ad32d687b0f100578c2a4ffca62de81add04281fb881a550702bd2d058933d3736d14e88624af268a86ce24b0c3935242b206ffdcc9

                    Download Submit

                  • \Users\Admin\AppData\Local\Temp\nso349A.tmp\System.dll
                    Filesize

                    11KB

                    MD5

                    fbe295e5a1acfbd0a6271898f885fe6a

                    SHA1

                    d6d205922e61635472efb13c2bb92c9ac6cb96da

                    SHA256

                    a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

                    SHA512

                    2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

                    Download Submit

                  • \Users\Admin\AppData\Local\Temp\votary.dll
                    Filesize

                    9KB

                    MD5

                    3d73e5b3c8b9afda7503fb9f48301046

                    SHA1

                    d96a69633403520e407447719a90478e9f7a74ca

                    SHA256

                    a575479145477d134099eef830bca17080abfa84295550e5d83788fb4a5653e2

                    SHA512

                    36b11cc95aaa77c3e8c7d3545089d61ef0767c01fcc0e4622025150d8be65d98a394491376a10589554ad370d49e07e36efc42968663841bd018dc29b6766d2b

                    Download Submit

                  • memory/1184-100038-0x0000000003020000-0x0000000003120000-memory.dmp

                    Filesize

                    1024KB

                    Download

                  • memory/1184-100041-0x0000000004F20000-0x00000000050A9000-memory.dmp

                    Filesize

                    1.5MB

                    Download

                  • memory/1184-100048-0x0000000004F20000-0x00000000050A9000-memory.dmp

                    Filesize

                    1.5MB

                    Download

                  • memory/2552-100022-0x0000000000440000-0x0000000000449000-memory.dmp

                    Filesize

                    36KB

                    Download

                  • memory/2552-100023-0x0000000077130000-0x00000000772D9000-memory.dmp

                    Filesize

                    1.7MB

                    Download

                  • memory/2552-13-0x00000000003E0000-0x00000000003E7000-memory.dmp

                    Filesize

                    28KB

                    Download

                  • memory/2552-5373-0x00000000003D0000-0x00000000003D1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2552-5372-0x00000000003C0000-0x00000000003C1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2564-100045-0x0000000000500000-0x0000000000526000-memory.dmp

                    Filesize

                    152KB

                    Download

                  • memory/2564-100043-0x0000000000500000-0x0000000000526000-memory.dmp

                    Filesize

                    152KB

                    Download

                  • memory/2700-100036-0x0000000000400000-0x000000000042A000-memory.dmp

                    Filesize

                    168KB

                    Download

                  • memory/2700-100040-0x0000000000510000-0x0000000000524000-memory.dmp

                    Filesize

                    80KB

                    Download

                  • memory/2700-100039-0x0000000003260000-0x0000000003563000-memory.dmp

                    Filesize

                    3.0MB

                    Download

                  • memory/2700-100042-0x0000000000400000-0x000000000042A000-memory.dmp

                    Filesize

                    168KB

                    Download

                  • memory/2700-100046-0x0000000000090000-0x0000000000095000-memory.dmp

                    Filesize

                    20KB

                    Download

                  • memory/2700-100025-0x0000000077130000-0x00000000772D9000-memory.dmp

                    Filesize

                    1.7MB

                    Download

                  • memory/2700-100024-0x0000000000090000-0x0000000000095000-memory.dmp

                    Filesize

                    20KB

                    Download