Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-05-2024 16:48

General

  • Target

    640697fb17bca815e114b38b305124aa_JaffaCakes118.exe

  • Size

    400KB

  • MD5

    640697fb17bca815e114b38b305124aa

  • SHA1

    69fecc45676a3913b2a58b7017bfb6a284bfe3a0

  • SHA256

    f78e509ec3ba4a6a2391ef33aa6d6bd82071bf4993f9527ad0b3c599bed5ea7f

  • SHA512

    a97b5fb1b8d7508033caf94c09adf7f06a12a6e127f9737cb6f819c6b32fbf590d091bca035ee3d3a0e452bffe447c50038876e66f86dc34739f39414b71d21f

  • SSDEEP

    12288:r3OdHilEQrfuPbhv/MNLwl+8L41u1EEDv:rgClEufi8NLwl+8k

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

ko

Decoy

html5zone.com

kennet.cloud

yakaoren.com

bestgirlswonderfulvideo.site

ramurho.com

jinkugw.com

dehraduncoachingacademy.com

lfheater.com

ungzwt.men

aliqiutian.com

lansvallarta.com

morrisimage.win

doppledecker.com

serpaca.com

inversebuy.com

businesalue.com

lotustvhouston.net

dipa.ltd

adscreate.business

xn--3ds50hcyhf6z.com

Signatures

  • Formbook

    Formbook is an information-stealing malware family: it logs keystrokes, grabs data submitted through browser forms and the clipboard, and can take screenshots. Its embedded configuration mixes many decoy domains with the real C2 server, which is why the Decoy list above is long.

  • Formbook payload 1 IoCs
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\640697fb17bca815e114b38b305124aa_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\640697fb17bca815e114b38b305124aa_JaffaCakes118.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:5072
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 880
      2⤵
      • Program crash
      PID:2488
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 920
      2⤵
      • Program crash
      PID:4608
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5072 -ip 5072
    1⤵
    PID:4856
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5072 -ip 5072
    1⤵
    PID:4064
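The process tree above records WerFault.exe attaching to the sample (PID 5072) twice with the `-u -p 5072 -s <handle>` form, which is the user-mode crash handler Windows launches for a faulting process. The sample therefore crashed twice inside the 149 s run, and the empty Network section should be read in that light: the Formbook config was still recovered, but no C2 traffic should be expected from this run. The script below is an added example, not part of this report or of the sandbox's own code; it rebuilds parent/child links from the `N⤵` depth markers and flags a crashed sample. Treating the `-pss ... -ip <pid>` instances as WER's second-stage reporters for the same PID is an assumption drawn from the command lines.

```python
import re

# Transcribed from the report's "Processes" section (constructed input for this
# example): (tree depth from the "N⤵" marker, PID, command line).
PROCESSES = [
    (1, 5072, r'"C:\Users\Admin\AppData\Local\Temp\640697fb17bca815e114b38b305124aa_JaffaCakes118.exe"'),
    (2, 2488, r'C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 880'),
    (2, 4608, r'C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 920'),
    (1, 4856, r'C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5072 -ip 5072'),
    (1, 4064, r'C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5072 -ip 5072'),
]

WERFAULT_RE = re.compile(r'\\WerFault\.exe\b', re.IGNORECASE)
# "-p <pid>" only; must not match "-pss" or "-ip <pid>"
TARGET_PID_RE = re.compile(r'(?:^|\s)-p\s+(\d+)')


def parent_map(procs):
    """Recover parent PIDs from the depth markers: an entry's parent is the most
    recent entry one level shallower; depth-1 entries are roots (parent None)."""
    parents, last_at_depth = {}, {}
    for depth, pid, _ in procs:
        parents[pid] = last_at_depth.get(depth - 1)
        last_at_depth[depth] = pid
        # a shallower entry closes every deeper branch seen so far
        for d in [d for d in last_at_depth if d > depth]:
            del last_at_depth[d]
    return parents


def triage(procs):
    """Identify the submitted sample and every WerFault instance reporting on it.
    'WerFault.exe -u -p <pid> -s <handle>' is spawned once per crash of <pid>;
    '-pss ... -ip <pid>' instances are taken to be WER's second-stage reporters
    for that same PID (assumption based on the command lines)."""
    parents = parent_map(procs)
    roots = [p for p in procs if p[0] == 1 and not WERFAULT_RE.search(p[2])]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one non-WerFault root, got {len(roots)}")
    sample_pid = roots[0][1]
    crashes, reporters = [], []
    for _depth, pid, cmd in procs:
        if not WERFAULT_RE.search(cmd):
            continue
        m = TARGET_PID_RE.search(cmd)
        if not m or int(m.group(1)) != sample_pid:
            continue  # WerFault for some other process
        if ' -u ' in cmd:
            crashes.append(pid)
        elif ' -pss ' in cmd:
            reporters.append(pid)
    return {
        "sample_pid": sample_pid,
        "crashed": bool(crashes),
        "crash_count": len(crashes),
        "crash_handler_pids": crashes,
        "reporter_pids": reporters,
        # the -u handlers are children of the faulting process
        "handlers_are_children": all(parents[p] == sample_pid for p in crashes),
    }


if __name__ == "__main__":
    result = triage(PROCESSES)
    verdict = "crashed" if result["crashed"] else "ran without a WER crash"
    print(f"sample PID {result['sample_pid']} {verdict} "
          f"({result['crash_count']} WerFault -u handlers: {result['crash_handler_pids']})")
```

When `crashed` is true, treat the behavioural signatures as a partial picture: the hook and window-enumeration calls above came from a process that did not survive, so any network or persistence behaviour that would normally follow is simply absent from this run rather than ruled out.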

Network

MITRE ATT&CK Matrix

Downloads

  • memory/5072-3-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/5072-4-0x0000000077B81000-0x0000000077CA1000-memory.dmp

    Filesize

    1.1MB

  • memory/5072-5-0x000000000CBA0000-0x000000000CEEA000-memory.dmp

    Filesize

    3.3MB
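The dump names above follow the pattern `memory/<pid>-<seq>-<start>-<end>-memory.dmp`, so the address range alone tells you the size of each region and, roughly, what it is: the region at 0x400000 is at the linker's default base for a 32-bit executable (the sample runs under SysWOW64), the 0x77B81000 region sits in the high range typical of system DLLs, and the 3.3MB region at 0xCBA0000 is a private allocation, which is where an unpacked payload would normally be looked for first. The script below is an added example, not part of this report or of the sandbox; it parses the names, checks that the listed sizes match the ranges, and labels each region. The address-based labels (and the 0x70000000 cut-off for the system range) are heuristics assumed for this example, not something the report states.

```python
import re

# Dump names and reported sizes transcribed from the report's "Downloads"
# section (constructed input for this example).
DUMPS = [
    ("memory/5072-3-0x0000000000400000-0x000000000042A000-memory.dmp", "168KB"),
    ("memory/5072-4-0x0000000077B81000-0x0000000077CA1000-memory.dmp", "1.1MB"),
    ("memory/5072-5-0x000000000CBA0000-0x000000000CEEA000-memory.dmp", "3.3MB"),
]

# memory/<pid>-<seq>-<start>-<end>-memory.dmp, as used in the report
NAME_RE = re.compile(
    r'^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$')
PAGE = 0x1000
DEFAULT_32BIT_IMAGE_BASE = 0x400000   # linker default base for a 32-bit EXE
SYSTEM_RANGE_START = 0x70000000       # heuristic: system DLLs in a 32-bit process (assumption)


def parse_dump_name(name):
    """Split a dump file name into pid, sequence number and page-aligned range."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"unexpected dump name: {name}")
    start, end = int(m.group(3), 16), int(m.group(4), 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    if start % PAGE or end % PAGE:
        raise ValueError(f"range is not page-aligned in {name}")
    return {"pid": int(m.group(1)), "seq": int(m.group(2)),
            "start": start, "end": end, "size": end - start}


def human_size(n):
    """Reproduce the report's rounding: whole KB below 1 MiB, else MB to one decimal."""
    if n < 1024 * 1024:
        return f"{n // 1024}KB"
    return f"{n / (1024 * 1024):.1f}MB"


def classify(region):
    """Coarse label from the start address alone; no PE headers are parsed here."""
    if region["start"] == DEFAULT_32BIT_IMAGE_BASE:
        return "main image"            # the sample's own mapped executable
    if region["start"] >= SYSTEM_RANGE_START:
        return "high/system range"     # likely a system DLL (heuristic)
    return "private allocation"        # heap/VirtualAlloc region: unpacked code candidate


def check_dumps(dumps):
    """Parse every dump, verify the listed size against the range and label it."""
    records = []
    for name, reported in dumps:
        r = parse_dump_name(name)
        r["name"] = name
        r["size_matches"] = human_size(r["size"]) == reported
        r["kind"] = classify(r)
        records.append(r)
    pids = {r["pid"] for r in records}
    if len(pids) != 1:
        raise ValueError(f"dumps span several processes: {sorted(pids)}")
    return records


def unpack_candidates(records):
    """Private allocations first (largest to smallest), then the main image."""
    private = sorted((r for r in records if r["kind"] == "private allocation"),
                     key=lambda r: r["size"], reverse=True)
    image = [r for r in records if r["kind"] == "main image"]
    return [r["name"] for r in private + image]


if __name__ == "__main__":
    for r in check_dumps(DUMPS):
        flag = "ok" if r["size_matches"] else "SIZE MISMATCH"
        print(f"{r['name']}: {human_size(r['size'])} {r['kind']} [{flag}]")
```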