Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-07-2024 07:42

General

  • Target

    40c9b68553716171b9a74fa2785cb160_JaffaCakes118.exe

  • Size

    809KB

  • MD5

    40c9b68553716171b9a74fa2785cb160

  • SHA1

    18ad06d12e92f1d7a61805d294bb2c5e048f3ec7

  • SHA256

    41f081bd505403ec94e9ad6cf6e496e5347482ee8cc64b7e2304ca52f286e236

  • SHA512

    fe3c76659fd0f274ae08c7c9de3dc81b7c573c4ed6cd051d55adda59c426a548901282ac33ae5661c2dfb4d48aa12e9c1ffd32f0b79c0422de94cc0fd2a44a46

  • SSDEEP

    12288:aXBQSnZl+lZbAy/TYTXSjQlXkKuTLXF3ONP5nJyuEBwQrA6iQQR6PcvHQ9:aX18bHTcXSjQlUtXF3wKwQMP

Malware Config

Extracted

  • Family

    formbook

  • Version

    4.1

  • Campaign

    wgn

  • Decoy

    kokokara-life-blog.com
    faswear.com
    futureleadershiptoday.com
    date4done.xyz
    thecouponinn.com
    bbeycarpetsf.com
    propolisnasalspray.com
    jinjudiamond.com
    goodevectors.com
    nehyam.com
    evalinkapuppets.com
    what-if-statistics.com
    rateofrisk.com
    impacttestonlinne.com
    servis-kaydet.info
    coloniacafe.com
    marcemarketing.com
    aarigging.com
    goddesswitchery.com
    jasqblo.icu

Signatures

  • Formbook

    Formbook is an information-stealing malware family sold as a service on underground forums. It logs keystrokes, grabs web-form and clipboard data, harvests credentials stored by browsers and mail clients, takes screenshots, and hides its real command-and-control server in a list of decoy domains like the one extracted above.

  • Formbook payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\40c9b68553716171b9a74fa2785cb160_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\40c9b68553716171b9a74fa2785cb160_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1512
    • C:\Users\Admin\AppData\Local\Temp\40c9b68553716171b9a74fa2785cb160_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\40c9b68553716171b9a74fa2785cb160_JaffaCakes118.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2852
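The process tree above is the classic RunPE / process-hollowing shape: the sample launches a second copy of its own image, and the parent is flagged for WriteProcessMemory followed by SetThreadContext. The Python below is an added example, not code from the sandbox vendor or from this report, that encodes that shape as a detection check over event records constructed from the tree. The parent/child link is read from the tree's indentation, and it is an assumption of this example (the page does not say so) that the flagged API calls target the child rather than some other process; the ProcessEvent type and the function names are this example's own.

```python
"""Flag parent/child pairs whose shape matches process hollowing.

Added example, not part of the sandbox report. The two records below are
constructed from the report's process tree; the ProcessEvent type, the
field names and find_hollowing_candidates() are this example's own.
"""
from dataclasses import dataclass
from typing import Optional

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\40c9b68553716171b9a74fa2785cb160_JaffaCakes118.exe"


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: Optional[int]        # None for the root of the tree
    image: str                 # full image path as the sandbox printed it
    api_flags: frozenset       # behaviour signatures the sandbox attached to this process


# Constructed from the report: PID 1512 is the submitted sample, PID 2852 is the
# copy it spawned. The sandbox attaches SetThreadContext and WriteProcessMemory
# to the parent; we ASSUME (not stated on the page) that the child is the target.
SAMPLE_TREE = [
    ProcessEvent(1512, None, SAMPLE, frozenset({"SetThreadContext", "WriteProcessMemory"})),
    ProcessEvent(2852, 1512, SAMPLE, frozenset({"EnumeratesProcesses"})),
]

# Writing into another process and then redirecting one of its threads is the
# RunPE combination; either API on its own is common in benign software.
HOLLOWING_APIS = frozenset({"WriteProcessMemory", "SetThreadContext"})


def find_hollowing_candidates(events):
    """Return (parent_pid, child_pid, reason) for every child whose parent shows both hollowing APIs."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for child in events:
        if child.ppid is None:
            continue
        parent = by_pid.get(child.ppid)
        if parent is None or not HOLLOWING_APIS <= parent.api_flags:
            continue
        # A parent re-launching its own image is the strongest form of the pattern;
        # the same APIs aimed at a different spawned image is still worth a look.
        if child.image.lower() == parent.image.lower():
            reason = "self-spawn then write+SetThreadContext"
        else:
            reason = "write+SetThreadContext into spawned child"
        hits.append((parent.pid, child.pid, reason))
    return hits


if __name__ == "__main__":
    for parent_pid, child_pid, reason in find_hollowing_candidates(SAMPLE_TREE):
        print(f"hollowing candidate: {parent_pid} -> {child_pid} ({reason})")
```

Debuggers and some software protectors legitimately pair WriteProcessMemory with SetThreadContext on a child they created, so in a production rule the same-image condition plus an unsigned or user-writable image path (here %TEMP%) is what lifts this from "suspicious" to "alert". The EnumeratesProcesses flag on the child is what you would expect from a payload choosing its next host process, but the report ends before any further injection is recorded.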

Network

MITRE ATT&CK Matrix

Downloads

  • memory/1512-6-0x00000000044A0000-0x0000000004506000-memory.dmp

    Filesize

    408KB

  • memory/1512-1-0x0000000000A50000-0x0000000000B20000-memory.dmp

    Filesize

    832KB

  • memory/1512-2-0x0000000074520000-0x0000000074C0E000-memory.dmp

    Filesize

    6.9MB

  • memory/1512-3-0x00000000003D0000-0x00000000003DA000-memory.dmp

    Filesize

    40KB

  • memory/1512-4-0x000000007452E000-0x000000007452F000-memory.dmp

    Filesize

    4KB

  • memory/1512-5-0x0000000074520000-0x0000000074C0E000-memory.dmp

    Filesize

    6.9MB

  • memory/1512-0-0x000000007452E000-0x000000007452F000-memory.dmp

    Filesize

    4KB

  • memory/1512-13-0x0000000074520000-0x0000000074C0E000-memory.dmp

    Filesize

    6.9MB

  • memory/2852-7-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2852-8-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2852-12-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2852-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2852-14-0x0000000000B20000-0x0000000000E23000-memory.dmp

    Filesize

    3.0MB
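Every dump above follows one naming scheme, memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp, and several entries are repeated snapshots of the same range. The Python below is an added example, not code from the sandbox vendor or from this report: it parses those names, recomputes each region's size and checks it against the printed Filesize, collapses the repeats per process, and shows the header check you would run on a downloaded .dmp before feeding it to a config extractor. The dump names and sizes are copied from the report; the helper names, the constructed PE-header bytes and the "candidate payload" reading in the note below are this example's own.

```python
"""Parse the sandbox's memory-dump names and sanity-check the reported sizes.

Added example, not part of the sandbox report. The dump names and Filesize
values in REPORTED are copied from the page; everything else (helper names,
the PE-header check and FAKE_PE_HEAD) is constructed for this example.
"""
import re
import struct
from dataclasses import dataclass

# Naming convention used by the report: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_dump_name(name: str) -> DumpRegion:
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a sandbox dump name: {name}")
    return DumpRegion(int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16))


def size_label(nbytes: int) -> str:
    """Reproduce the report's Filesize formatting: binary units, one decimal above 1 MiB."""
    if nbytes >= 1 << 20:
        return f"{nbytes / (1 << 20):.1f}MB"
    return f"{nbytes // 1024}KB"


# (dump name, Filesize as printed in the report)
REPORTED = [
    ("memory/1512-6-0x00000000044A0000-0x0000000004506000-memory.dmp", "408KB"),
    ("memory/1512-1-0x0000000000A50000-0x0000000000B20000-memory.dmp", "832KB"),
    ("memory/1512-2-0x0000000074520000-0x0000000074C0E000-memory.dmp", "6.9MB"),
    ("memory/1512-3-0x00000000003D0000-0x00000000003DA000-memory.dmp", "40KB"),
    ("memory/1512-4-0x000000007452E000-0x000000007452F000-memory.dmp", "4KB"),
    ("memory/1512-5-0x0000000074520000-0x0000000074C0E000-memory.dmp", "6.9MB"),
    ("memory/1512-0-0x000000007452E000-0x000000007452F000-memory.dmp", "4KB"),
    ("memory/1512-13-0x0000000074520000-0x0000000074C0E000-memory.dmp", "6.9MB"),
    ("memory/2852-7-0x0000000000400000-0x000000000042E000-memory.dmp", "184KB"),
    ("memory/2852-8-0x0000000000400000-0x000000000042E000-memory.dmp", "184KB"),
    ("memory/2852-12-0x0000000000400000-0x000000000042E000-memory.dmp", "184KB"),
    ("memory/2852-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp", "4KB"),
    ("memory/2852-14-0x0000000000B20000-0x0000000000E23000-memory.dmp", "3.0MB"),
]


def size_mismatches(entries):
    """Return (name, computed, reported) for each dump whose address range disagrees with its Filesize."""
    out = []
    for name, reported in entries:
        computed = size_label(parse_dump_name(name).size)
        if computed != reported:
            out.append((name, computed, reported))
    return out


def distinct_ranges(entries):
    """Collapse repeated snapshots of one range; the sandbox dumps some regions several times."""
    return sorted({(r.pid, r.start, r.end) for r in (parse_dump_name(n) for n, _ in entries)})


def regions_for_pid(entries, pid):
    """Distinct (start, end) ranges dumped from one process, lowest address first."""
    return [(s, e) for p, s, e in distinct_ranges(entries) if p == pid]


def looks_like_pe(data: bytes) -> bool:
    """True if the bytes start with a DOS header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


# Constructed stand-in for the head of a dumped image: DOS header with e_lfanew = 0x80,
# padding, then the NT signature. A real dump is read with open(path, "rb").read().
FAKE_PE_HEAD = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80) + b"\0" * (0x80 - 0x40) + b"PE\0\0"

if __name__ == "__main__":
    print("size mismatches:", size_mismatches(REPORTED))
    for pid in (1512, 2852):
        for s, e in regions_for_pid(REPORTED, pid):
            print(f"pid {pid}: {s:#010x}-{e:#010x} {size_label(e - s)}")
    print("constructed header parses as PE:", looks_like_pe(FAKE_PE_HEAD))
```

Reading the collapsed list: the only range dumped from the injected child (PID 2852) that starts at a conventional x86 image base is 0x400000-0x42E000 (184KB), which makes it the natural candidate for the unpacked Formbook image and the dump to try first with a config extractor; the 832KB range at 0xA50000 in the parent is consistent with the 809KB sample mapped in memory, and the 4KB page at 0x7452E000 sits inside the 6.9MB module at 0x74520000. Those are inferences from the addresses, not statements the report makes, and looks_like_pe() only tells you the region carries headers, since a hollowed image written without them will still fail the check.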