Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-07-2024 03:33

General

  • Target

    3bd9315fa824d7f8351d858ca5c12629_JaffaCakes118.exe

  • Size

    484KB

  • MD5

    3bd9315fa824d7f8351d858ca5c12629

  • SHA1

    a19b2e80a240452e4fe251a9299bd5d30b66d709

  • SHA256

    20fd96b00deec9d95d0e251aa4c6885f85af415f8e776716399b4280ae8128f3

  • SHA512

    6fc7405b19ae91a3ad96dc91918eb2e7c2da0e2265a79f17f096c8d2b348ede7df51e2d4a2db69e3bd5aba40ba94e52bf52b374de48c81e0566932983095b38d

  • SSDEEP

    6144:Gbx0cXjCfjnhWQ+3HwOcc0WXJ4+5yk6kPFlom3iBX94AcGFCKrvvScZTHvxqVCHR:QOFPocc0WX64kmiqAcGXFZbAAt

Malware Config

Extracted

  • Family: formbook
  • Version: 4.1
  • Campaign: s3dy
  • Decoy domains:


Signatures

  • Formbook

    Formbook is a data-stealing malware family.

  • Formbook payload (1 IoC)
  • Suspicious use of SetThreadContext (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious use of WriteProcessMemory (7 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\3bd9315fa824d7f8351d858ca5c12629_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3bd9315fa824d7f8351d858ca5c12629_JaffaCakes118.exe"
    PID:1436
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\3bd9315fa824d7f8351d858ca5c12629_JaffaCakes118.exe (child process)
      "C:\Users\Admin\AppData\Local\Temp\3bd9315fa824d7f8351d858ca5c12629_JaffaCakes118.exe"
      PID:2828
      • Suspicious behavior: EnumeratesProcesses

Network

MITRE ATT&CK Matrix

Downloads

  • memory/1436-6-0x0000000004DC0000-0x0000000004E1A000-memory.dmp (Filesize 360KB)
  • memory/1436-1-0x0000000000C90000-0x0000000000D10000-memory.dmp (Filesize 512KB)
  • memory/1436-2-0x0000000074C90000-0x000000007537E000-memory.dmp (Filesize 6.9MB)
  • memory/1436-3-0x0000000000520000-0x0000000000532000-memory.dmp (Filesize 72KB)
  • memory/1436-4-0x0000000074C9E000-0x0000000074C9F000-memory.dmp (Filesize 4KB)
  • memory/1436-5-0x0000000074C90000-0x000000007537E000-memory.dmp (Filesize 6.9MB)
  • memory/1436-0-0x0000000074C9E000-0x0000000074C9F000-memory.dmp (Filesize 4KB)
  • memory/1436-14-0x0000000074C90000-0x000000007537E000-memory.dmp (Filesize 6.9MB)
  • memory/2828-9-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize 184KB)
  • memory/2828-13-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize 184KB)
  • memory/2828-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize 4KB)
  • memory/2828-8-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize 184KB)
  • memory/2828-15-0x0000000000860000-0x0000000000B63000-memory.dmp (Filesize 3.0MB)