Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-05-2024 11:22

General

  • Target

    6ac766cf7340aa9c7631eed633a88aa6_JaffaCakes118.rtf

  • Size

    2.5MB

  • MD5

    6ac766cf7340aa9c7631eed633a88aa6

  • SHA1

    698ff575ba75225c92c20b645af9b4c33e294a72

  • SHA256

    82a752fc58acc797eedefc866ac9cebd765da7cc6aa070768ab475678605e24a

  • SHA512

    0842f38af644499735a920ec617176ed3c23dbb07c4cf4381dbfda3ac43630603f16d2bfa2dc37e18be63ac8ef3680ba9bec8495891b03417743bfc776e285f9

  • SSDEEP

    49152:TyY3M1FyYIZpr+0vRKLeEz9bJjomfVee26os:TyY3M1FyYIZpr+0vRKLeEz9bJjomfVea

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

br

Decoy

q1k0iyiu2.biz

waqsx.info

doctorwigglez.com

truebluego.com

manbet405.com

shopuy.site

karabukkuzeyteknik.com

sgxiayu.com

almvie.com

veteridom.com

michelleeve.com

crabitech.com

envyofamerica.com

joggingtip.com

houseandpets.com

tudekoracje.com

koutheparea.com

fd-electronic.com

ukmrna.net

pizzalato.com

Signatures

  • Formbook

    Formbook is an information-stealing malware family: it hooks browsers and other applications to capture credentials and submitted form data, logs keystrokes and takes screenshots, and its configuration hides the real command-and-control host among a list of decoy domains (the Decoy list above).

  • Formbook payload 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Modifies Internet Explorer settings 1 TTPs 32 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
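The "Launches Equation Editor" signature above, taken together with the .rtf target, points at an RTF carrying an embedded OLE object for Equation Editor. The following is an added example, not part of the sandbox report or of the sample, that does the static side of that triage: it pulls every \objdata blob out of an RTF, decodes the OLE 1.0 object header and flags objects whose class is Equation.3. The document it scans is constructed inline for the demonstration (`build_sample_rtf`), the marker strings are assumptions, and the real layout of the sample's object is not shown in the report.

```python
import re
import struct

# Class names / stream names that mean EQNEDT32.EXE will be the OLE server
# (assumed marker list; ProgID lookup in the registry is case-insensitive).
EQUATION_CLASS = "equation.3"
EQUATION_STREAM = b"Equation Native"

OBJCLASS_RE = re.compile(rb"\\objclass\s+([^}\\\s]+)")
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")


def build_sample_rtf() -> bytes:
    """Constructed test document (not the report's sample): one embedded
    OLE 1.0 object whose class name is Equation.3."""
    class_name = b"Equation.3\x00"
    native = b"\x1c\x00" + b"A" * 64  # stand-in for the native data payload
    ole1 = struct.pack("<II", 0x0501, 2)              # OLEVersion, FormatID 2 = embedded
    ole1 += struct.pack("<I", len(class_name)) + class_name
    ole1 += struct.pack("<II", 0, 0)                  # empty TopicName and ItemName
    ole1 += struct.pack("<I", len(native)) + native   # NativeDataSize, NativeData
    hexdata = ole1.hex().encode("ascii")
    return (b"{\\rtf1\\ansi Quarterly report attached."
            b"{\\object\\objemb{\\*\\objclass Equation.3}"
            b"{\\*\\objdata " + hexdata + b"}}}")


def ole1_class_name(blob: bytes):
    """Return the ClassName from an OLE 1.0 embedded-object header, or None
    when the blob does not look like one."""
    if len(blob) < 12:
        return None
    _version, format_id, name_len = struct.unpack_from("<III", blob, 0)
    if format_id != 2 or name_len > len(blob) - 12:
        return None
    return blob[12:12 + name_len].rstrip(b"\x00").decode("ascii", "replace")


def scan_rtf(data: bytes) -> list:
    """One finding per \\objdata blob: the declared \\objclass, the class name
    parsed from the OLE 1.0 header, and whether it resolves to Equation Editor."""
    findings = []
    for m in OBJDATA_RE.finditer(data):
        # RTF writers wrap the hex across lines; strip all whitespace first.
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        try:
            blob = bytes.fromhex(hexstr.decode("ascii"))
        except ValueError:
            blob = b""
        # The \objclass control word belongs to the same {\object ...} group,
        # so the last one seen before this blob is the declared class.
        declared_all = OBJCLASS_RE.findall(data[:m.start()])
        declared = declared_all[-1].decode("ascii", "replace") if declared_all else None
        parsed = ole1_class_name(blob)
        names = [n.lower() for n in (declared, parsed) if n]
        hit = EQUATION_CLASS in names or EQUATION_STREAM in blob
        findings.append({
            "objclass": declared,
            "ole1_class": parsed,
            "size": len(blob),
            "equation_editor": hit,
        })
    return findings


if __name__ == "__main__":
    for f in scan_rtf(build_sample_rtf()):
        print(f)
```

The parsed OLE 1.0 class name is checked separately from the declared \objclass because the two need not agree; an RTF can declare a harmless class while the object data still names Equation.3, and Word instantiates the server from the object data.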

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1180
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6ac766cf7340aa9c7631eed633a88aa6_JaffaCakes118.rtf"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1036
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:1620
      • C:\Windows\SysWOW64\mstsc.exe
        "C:\Windows\SysWOW64\mstsc.exe"
        2⤵
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Drops file in Program Files directory
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1240
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\gg.exe"
          3⤵
            PID:2032
      • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
        "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
        1⤵
        • Launches Equation Editor
        • Suspicious use of WriteProcessMemory
        PID:2312
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c%temp%\gg.exe A C
          2⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2628
          • C:\Users\Admin\AppData\Local\Temp\gg.exe
            C:\Users\Admin\AppData\Local\Temp\gg.exe A C
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2664
            • C:\Users\Admin\AppData\Local\Temp\gg.exe
              "C:\Users\Admin\AppData\Local\Temp\gg.exe"
              4⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of AdjustPrivilegeToken
              PID:1776
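Read as a process tree, the report shows two chains meeting in %TEMP%: EQNEDT32.EXE (started as a COM server, hence -Embedding) spawns cmd.exe to run gg.exe, gg.exe relaunches itself, and separately Explorer.EXE starts mstsc.exe, which later spawns cmd.exe to delete gg.exe. The following is an added example, not part of the report, of detection logic for that pattern run over process-creation events constructed from the tree above (PIDs, images and command lines as listed; the parent of EQNEDT32.EXE is not shown in the report and is recorded as unknown). The rule names and the `ProcEvent` shape are assumptions, and the rules generalize slightly beyond this sample: any Office host in the lineage and any System32/SysWOW64 binary as the deleting parent.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the process tree in this report; ppid 0 = parent not shown.
EVENTS = [
    ProcEvent(1180, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(1036, 1180, r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
              r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\6ac766cf7340aa9c7631eed633a88aa6_JaffaCakes118.rtf"'),
    ProcEvent(1620, 1036, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288"),
    ProcEvent(1240, 1180, r"C:\Windows\SysWOW64\mstsc.exe", r'"C:\Windows\SysWOW64\mstsc.exe"'),
    ProcEvent(2032, 1240, r"C:\Windows\SysWOW64\cmd.exe", r'/c del "C:\Users\Admin\AppData\Local\Temp\gg.exe"'),
    ProcEvent(2312, 0, r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
              r'"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'),
    ProcEvent(2628, 2312, r"C:\Windows\SysWOW64\cmd.exe", r"cmd.exe /c%temp%\gg.exe A C"),
    ProcEvent(2664, 2628, r"C:\Users\Admin\AppData\Local\Temp\gg.exe", r"C:\Users\Admin\AppData\Local\Temp\gg.exe A C"),
    ProcEvent(1776, 2664, r"C:\Users\Admin\AppData\Local\Temp\gg.exe", r'"C:\Users\Admin\AppData\Local\Temp\gg.exe"'),
]

OFFICE_HOSTS = {"eqnedt32.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\|%temp%\\", re.IGNORECASE)
DEL_TEMP_RE = re.compile(r"\bdel\b.*(\\AppData\\Local\\Temp\\|%temp%\\)", re.IGNORECASE)
SYSDIR_RE = re.compile(r"\\Windows\\(System32|SysWOW64)\\", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(pid: int, by_pid: dict) -> list:
    """Walk ppid links upward; stops at an unknown parent or a cycle."""
    chain, seen = [], set()
    p = by_pid.get(pid)
    while p and p.ppid in by_pid and p.ppid not in seen:
        seen.add(p.ppid)
        p = by_pid[p.ppid]
        chain.append(p)
    return chain


def detect(events: list) -> list:
    """Return (rule, pid) tuples for the Equation Editor -> %TEMP% dropper ->
    hollowed system binary -> self-delete chain."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else ""
        lineage = {basename(a.image) for a in ancestors(e.pid, by_pid)}
        in_temp = bool(TEMP_DIR_RE.search(e.image))

        # 1. Equation Editor is an OLE server; it has no business creating processes.
        if pname == "eqnedt32.exe":
            alerts.append(("eqnedt32_spawns_child", e.pid))
        # 2. An executable in %TEMP% running beneath an Office host.
        if in_temp and lineage & OFFICE_HOSTS:
            alerts.append(("office_lineage_runs_temp_exe", e.pid))
        # 3. The dropper relaunches its own image (unpack, then hollow the child).
        if in_temp and parent and parent.image.lower() == e.image.lower():
            alerts.append(("temp_exe_respawns_itself", e.pid))
        # 4. A System32/SysWOW64 binary that is not a shell deletes the dropper:
        #    cleanup by the hollowed process once the payload is resident.
        if (basename(e.image) == "cmd.exe" and DEL_TEMP_RE.search(e.cmdline)
                and parent and SYSDIR_RE.search(parent.image)
                and pname not in ("cmd.exe", "explorer.exe")):
            alerts.append(("system_binary_deletes_temp_payload", e.pid))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:36s} pid={pid}")
```

Rule 4 is the one that survives Formbook's choice of host: the hollowed process name varies per run (mstsc.exe here), but the parent is always a Microsoft binary from a system directory that would never run `cmd /c del` against a user's Temp folder on its own.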

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      • Execution
        T1203 Exploitation for Client Execution (1)
      • Persistence
        T1547 Boot or Logon Autostart Execution (1)
        T1547.001 Registry Run Keys / Startup Folder (1)
      • Privilege Escalation
        T1547 Boot or Logon Autostart Execution (1)
        T1547.001 Registry Run Keys / Startup Folder (1)
      • Defense Evasion
        T1112 Modify Registry (2)

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\gg.exe
        Filesize

        462KB

        MD5

        d0a1a1d37bba0e912c6a8bdc7c3daa77

        SHA1

        99699b686fcad53f4b6f920aa23d5441cb925557

        SHA256

        0a7e3c1a5dd73bc254625f9a778c5b039fc020b4ab90db6dd2c537c7805bfa49

        SHA512

        46ad02ca78adce826532e65e3469e19410090fd1d2a1d5497e0451669acb7955ba173ab14715fd3e71401d2cb5156554b8f6828ed0038e84f416d29cfe9d22b1

      • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
        Filesize

        20KB

        MD5

        2d3b801231fefcc12595f263fc47ca0d

        SHA1

        819f39fb4cb2460ae877eaa5f3b14b5fc6648b2e

        SHA256

        51a2b57406daaea1f5fb884f84e745c35c73c83b42b2e0daf5336ccec33cc2f9

        SHA512

        f4d2a2204522a6ef72ac504e8a61af1d9fc4fc387c90e8d6522568c9941a5bfddd34177d640b83dc3787eb409974fa325bb536e4846e4d75d0362ddde00f0d74

      • memory/1036-0-0x000000002F3B1000-0x000000002F3B2000-memory.dmp
        Filesize

        4KB

      • memory/1036-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
        Filesize

        64KB

      • memory/1036-2-0x0000000070F8D000-0x0000000070F98000-memory.dmp
        Filesize

        44KB

      • memory/1036-17-0x0000000070F8D000-0x0000000070F98000-memory.dmp
        Filesize

        44KB

      • memory/1036-45-0x000000005FFF0000-0x0000000060000000-memory.dmp
        Filesize

        64KB

      • memory/1180-46-0x0000000003E80000-0x0000000003F5E000-memory.dmp
        Filesize

        888KB

      • memory/1240-22-0x00000000009F0000-0x0000000000AF4000-memory.dmp
        Filesize

        1.0MB

      • memory/1776-19-0x0000000000400000-0x000000000042A000-memory.dmp
        Filesize

        168KB

      • memory/2664-10-0x0000000000080000-0x00000000000FA000-memory.dmp
        Filesize

        488KB

      • memory/2664-15-0x00000000003A0000-0x00000000003C0000-memory.dmp
        Filesize

        128KB