Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-05-2024 14:09

General

  • Target

    639066f415f7a4dc58e1890975e9fcc5_JaffaCakes118.exe

  • Size

    564KB

  • MD5

    639066f415f7a4dc58e1890975e9fcc5

  • SHA1

    b97a2f3afbf5b09e155cd99d035cf6f2e3f347f2

  • SHA256

    9bac39b4b986f2f96008c4c6c05cf72ddc6398d99d874525058b654b52cfd64d

  • SHA512

    7d671232f99178c708ba3cb47e93e14046bbd9ec5a27942156ec07d2911be9b4f43cd56b9a2d2eb8cb71e3f7c25d6ebfbeab4ab15ae7501cf368aee06c00f38e

  • SSDEEP

    12288:Rb3RoudOSY3hsmJ6LQ3j2rBFr55AoOiMsos1kubd:Rb3RrdOSKRJ6LQ3j2NFrTHZNJbd

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

i01

Decoy


Signatures

  • Formbook

    Formbook is a data-stealing malware family.

  • Formbook payload 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\639066f415f7a4dc58e1890975e9fcc5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\639066f415f7a4dc58e1890975e9fcc5_JaffaCakes118.exe"
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:2740
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 904
      • Program crash
      PID:2052
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2740 -ip 2740
    PID:2304

Network

MITRE ATT&CK Matrix

Downloads

  • memory/2740-6-0x0000000000400000-0x000000000042A000-memory.dmp
    Filesize

    168KB

  • memory/2740-7-0x00000000773C1000-0x00000000774E1000-memory.dmp
    Filesize

    1.1MB

  • memory/2740-4-0x0000000002C00000-0x0000000002C10000-memory.dmp
    Filesize

    64KB

  • memory/2740-3-0x0000000002C00000-0x0000000002C10000-memory.dmp
    Filesize

    64KB

  • memory/2740-8-0x000000000BE10000-0x000000000C15A000-memory.dmp
    Filesize

    3.3MB