Analysis

  • max time kernel
    93s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-07-2024 07:42

General

  • Target

    40c9b68553716171b9a74fa2785cb160_JaffaCakes118.exe

  • Size

    809KB

  • MD5

    40c9b68553716171b9a74fa2785cb160

  • SHA1

    18ad06d12e92f1d7a61805d294bb2c5e048f3ec7

  • SHA256

    41f081bd505403ec94e9ad6cf6e496e5347482ee8cc64b7e2304ca52f286e236

  • SHA512

    fe3c76659fd0f274ae08c7c9de3dc81b7c573c4ed6cd051d55adda59c426a548901282ac33ae5661c2dfb4d48aa12e9c1ffd32f0b79c0422de94cc0fd2a44a46

  • SSDEEP

    12288:aXBQSnZl+lZbAy/TYTXSjQlXkKuTLXF3ONP5nJyuEBwQrA6iQQR6PcvHQ9:aX18bHTcXSjQlUtXF3wKwQMP

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

wgn

Decoy

Signatures

  • Formbook

    Formbook is an information-stealing malware family that harvests credentials and other data from the infected host.

  • Formbook payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\40c9b68553716171b9a74fa2785cb160_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\40c9b68553716171b9a74fa2785cb160_JaffaCakes118.exe"
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1540
    • C:\Users\Admin\AppData\Local\Temp\40c9b68553716171b9a74fa2785cb160_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\40c9b68553716171b9a74fa2785cb160_JaffaCakes118.exe"
      • Suspicious behavior: EnumeratesProcesses
      PID:2112

Network

MITRE ATT&CK Matrix

Downloads

  • memory/1540-6-0x0000000005120000-0x0000000005176000-memory.dmp

    Filesize

    344KB

  • memory/1540-8-0x0000000005110000-0x000000000511A000-memory.dmp

    Filesize

    40KB

  • memory/1540-2-0x0000000004DF0000-0x0000000004E8C000-memory.dmp

    Filesize

    624KB

  • memory/1540-3-0x0000000005440000-0x00000000059E4000-memory.dmp

    Filesize

    5.6MB

  • memory/1540-4-0x0000000004F30000-0x0000000004FC2000-memory.dmp

    Filesize

    584KB

  • memory/1540-5-0x0000000004F20000-0x0000000004F2A000-memory.dmp

    Filesize

    40KB

  • memory/1540-1-0x00000000003E0000-0x00000000004B0000-memory.dmp

    Filesize

    832KB

  • memory/1540-7-0x00000000743E0000-0x0000000074B90000-memory.dmp

    Filesize

    7.7MB

  • memory/1540-0-0x00000000743EE000-0x00000000743EF000-memory.dmp

    Filesize

    4KB

  • memory/1540-9-0x00000000743EE000-0x00000000743EF000-memory.dmp

    Filesize

    4KB

  • memory/1540-10-0x00000000743E0000-0x0000000074B90000-memory.dmp

    Filesize

    7.7MB

  • memory/1540-11-0x0000000000D20000-0x0000000000D86000-memory.dmp

    Filesize

    408KB

  • memory/1540-14-0x00000000743E0000-0x0000000074B90000-memory.dmp

    Filesize

    7.7MB

  • memory/2112-12-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2112-15-0x0000000001520000-0x000000000186A000-memory.dmp

    Filesize

    3.3MB