Analysis

  • max time kernel: 117s
  • max time network: 117s
  • platform: windows7_x64
  • resource: win7-20240708-en
  • resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted: 11-07-2024 23:33

General

  • Target: 3b2839138c381fe2901d2daa9290b462_JaffaCakes118.exe
  • Size: 2.5MB
  • MD5: 3b2839138c381fe2901d2daa9290b462
  • SHA1: 4ccb206f3f9be21d42c588be9a65417da11706fe
  • SHA256: 10bd3380601961166b5df308a6927cd6f50a4ab258e60f2aef93292e756d7aa1
  • SHA512: 2c171f522f9721003fd98e0f718152338e27475dda29f635484c36b6a8e69a74a21e00e26d7c0c106b2651069d8bf8b0f0fc23e2a4dc905a751a1cfc7f3e6113
  • SSDEEP: 49152:WtoZ0ajbQzlq5O+l4QOnn8jeX+l8uvlhfNf5lWLPNyeL9+hw/USGy7Xk/51HwgGh:W6X0zlC6mc98IQ1a7

Malware Config (extracted)

  • Family: formbook
  • Version: 4.1
  • Campaign: u3q
  • Decoy


Signatures

  • Formbook

    Formbook is a data-stealing malware family.

  • Beds Protector Packer 1 IoCs

    Detects Beds Protector packer used to load .NET malware.

  • Formbook payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3b2839138c381fe2901d2daa9290b462_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3b2839138c381fe2901d2daa9290b462_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Users\Admin\AppData\Local\Temp\3b2839138c381fe2901d2daa9290b462_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\3b2839138c381fe2901d2daa9290b462_JaffaCakes118.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2816

Downloads

  • memory/2416-0-0x000000007469E000-0x000000007469F000-memory.dmp (Filesize: 4KB)
  • memory/2416-1-0x0000000000160000-0x00000000003F2000-memory.dmp (Filesize: 2.6MB)
  • memory/2416-3-0x00000000050A0000-0x000000000530E000-memory.dmp (Filesize: 2.4MB)
  • memory/2416-2-0x0000000074690000-0x0000000074D7E000-memory.dmp (Filesize: 6.9MB)
  • memory/2416-4-0x0000000000880000-0x0000000000896000-memory.dmp (Filesize: 88KB)
  • memory/2416-12-0x0000000074690000-0x0000000074D7E000-memory.dmp (Filesize: 6.9MB)
  • memory/2816-5-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize: 184KB)
  • memory/2816-11-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize: 184KB)
  • memory/2816-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
  • memory/2816-7-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize: 184KB)
  • memory/2816-13-0x0000000000B70000-0x0000000000E73000-memory.dmp (Filesize: 3.0MB)