Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-07-2024 08:57

General

  • Target

    4105b6a32b90180cd3dfe3c359061f46_JaffaCakes118.exe

  • Size

    956KB

  • MD5

    4105b6a32b90180cd3dfe3c359061f46

  • SHA1

    ea131838d1e1ed495d75c76b956c790f071e002e

  • SHA256

    3f1f0dce8eb0b1a98912a8c08208c5d4425e013e20719aca1d14ca4924f841c6

  • SHA512

    c7c039b347b1a1a0d63d3ab81a3024d7f7bd669325e341bf27d0b62960ddbd56f17b836e98d9cb78ce6feaaf1a7160d1613a4e57d634a712ee28a21683215bbb

  • SSDEEP

    12288:fO4jeQ5jsruJH+ReJqvqfLRXwK4+HNONnvsyl5RODp2K046Mnq0UnsO5lJkKzUva:2HXRYFphm9vFrPMOiPRVZIRfBiBk

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

rf3t

Decoy

Signatures

  • Formbook

    Formbook is a data-stealing malware family.

  • Formbook payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4105b6a32b90180cd3dfe3c359061f46_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4105b6a32b90180cd3dfe3c359061f46_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1272
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\flmLrvYnTWalZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF368.tmp"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:1556
    • C:\Users\Admin\AppData\Local\Temp\4105b6a32b90180cd3dfe3c359061f46_JaffaCakes118.exe
      "{path}"
      2⤵
      PID:436
    • C:\Users\Admin\AppData\Local\Temp\4105b6a32b90180cd3dfe3c359061f46_JaffaCakes118.exe
      "{path}"
      2⤵
      PID:2924
    • C:\Users\Admin\AppData\Local\Temp\4105b6a32b90180cd3dfe3c359061f46_JaffaCakes118.exe
      "{path}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1896

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpF368.tmp

    Filesize

    1KB

    MD5

    c42a60f6bd6e5fcb220a8864cea53ce6

    SHA1

    29215c8925b758f45199ffcfc099b360a4c1a7d5

    SHA256

    03987d2ca1693199fd018683256abb0669a441af23f57545302ddc8b60b24bc9

    SHA512

    cdb1c44e9dd8a2006bba99caaa73aa89a493ccf2aac90ab6dd48f8ea5b7b9df005d89b271515f6b8f923f64d9e8b997fe680cc6fede265031f4cb82048c1e65b

  • memory/1272-8-0x0000000004D80000-0x0000000004DA2000-memory.dmp (Filesize: 136KB)
  • memory/1272-5-0x0000000004D20000-0x0000000004D2A000-memory.dmp (Filesize: 40KB)
  • memory/1272-9-0x0000000000D90000-0x0000000000DA4000-memory.dmp (Filesize: 80KB)
  • memory/1272-4-0x0000000004DB0000-0x0000000004E42000-memory.dmp (Filesize: 584KB)
  • memory/1272-10-0x000000007530E000-0x000000007530F000-memory.dmp (Filesize: 4KB)
  • memory/1272-6-0x0000000004E50000-0x0000000004EA6000-memory.dmp (Filesize: 344KB)
  • memory/1272-7-0x0000000075300000-0x0000000075AB0000-memory.dmp (Filesize: 7.7MB)
  • memory/1272-11-0x0000000075300000-0x0000000075AB0000-memory.dmp (Filesize: 7.7MB)
  • memory/1272-3-0x00000000052C0000-0x0000000005864000-memory.dmp (Filesize: 5.6MB)
  • memory/1272-2-0x0000000004C70000-0x0000000004D0C000-memory.dmp (Filesize: 624KB)
  • memory/1272-0-0x000000007530E000-0x000000007530F000-memory.dmp (Filesize: 4KB)
  • memory/1272-12-0x0000000006480000-0x0000000006528000-memory.dmp (Filesize: 672KB)
  • memory/1272-13-0x0000000006110000-0x0000000006164000-memory.dmp (Filesize: 336KB)
  • memory/1272-1-0x00000000001D0000-0x00000000002C6000-memory.dmp (Filesize: 984KB)
  • memory/1272-19-0x0000000075300000-0x0000000075AB0000-memory.dmp (Filesize: 7.7MB)
  • memory/1896-17-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
  • memory/1896-20-0x00000000012A0000-0x00000000015EA000-memory.dmp (Filesize: 3.3MB)