Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    13-07-2024 20:02

General

  • Target

    43251b851d7807ea3a8a31aa1945a376_JaffaCakes118.exe

  • Size

    501KB

  • MD5

    43251b851d7807ea3a8a31aa1945a376

  • SHA1

    d7972a48974b7b00f7a0b0866107690a04b65a26

  • SHA256

    d7433ec981297919971fcf1e7017b9d8169a787a2f24aa2c31f08500ee510057

  • SHA512

    1d61cb1b95556f7e9cb7ece2e5b4616b38769c0b1ef09751f2797e943a5c0befcd752a5cecf302399248dfa6ed4b065dce33c563b2b73e4e63f830c2fc941665

  • SSDEEP

    6144:wBFXjwC6hJTY7Vy41qmntOc25C/+O9aAE48EBrz4o1T4K+oRlPNUaAYJl/fO9ks:CRz6hG7VTxQr4DLnRlP6qr

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ktz

Decoy

healthbeautysublime.com

simplysouthcarolina.com

lunarsuncreations.com

madhurbazar.website

bestsellersecret.com

geniusbytesdemo.com

timetodebate.com

sarkariresult.network

k-kard.com

selagiprojects.com

sidechickrecords.net

pattayamoneyexchange.com

cindykeet.com

writefordelight.com

1to2rooms.com

doubi2.com

kairospromotions.com

emergencyresponsetech.com

purbelipana.com

reimaginingdental.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

  • Formbook payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\43251b851d7807ea3a8a31aa1945a376_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\43251b851d7807ea3a8a31aa1945a376_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1904
    • C:\Users\Admin\AppData\Local\Temp\43251b851d7807ea3a8a31aa1945a376_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\43251b851d7807ea3a8a31aa1945a376_JaffaCakes118.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3056

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1904-6-0x0000000004330000-0x000000000438C000-memory.dmp

    Filesize

    368KB

  • memory/1904-1-0x00000000000F0000-0x0000000000174000-memory.dmp

    Filesize

    528KB

  • memory/1904-2-0x0000000074CE0000-0x00000000753CE000-memory.dmp

    Filesize

    6.9MB

  • memory/1904-3-0x0000000000590000-0x000000000059A000-memory.dmp

    Filesize

    40KB

  • memory/1904-4-0x0000000074CEE000-0x0000000074CEF000-memory.dmp

    Filesize

    4KB

  • memory/1904-5-0x0000000074CE0000-0x00000000753CE000-memory.dmp

    Filesize

    6.9MB

  • memory/1904-0-0x0000000074CEE000-0x0000000074CEF000-memory.dmp

    Filesize

    4KB

  • memory/1904-12-0x0000000074CE0000-0x00000000753CE000-memory.dmp

    Filesize

    6.9MB

  • memory/3056-11-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/3056-8-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/3056-7-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/3056-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/3056-13-0x0000000000A80000-0x0000000000D83000-memory.dmp

    Filesize

    3.0MB