Malware Analysis Report

2024-10-19 09:28

Sample ID 240713-ysdbnaxekg
Target 43251b851d7807ea3a8a31aa1945a376_JaffaCakes118
SHA256 d7433ec981297919971fcf1e7017b9d8169a787a2f24aa2c31f08500ee510057
Tags
formbook ktz rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d7433ec981297919971fcf1e7017b9d8169a787a2f24aa2c31f08500ee510057

Threat Level: Known bad

The file 43251b851d7807ea3a8a31aa1945a376_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

formbook ktz rat spyware stealer trojan

Formbook

Formbook payload

Suspicious use of SetThreadContext

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-13 20:02

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-13 20:02

Reported

2024-07-13 20:05

Platform

win7-20240705-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\43251b851d7807ea3a8a31aa1945a376_JaffaCakes118.exe"

Signatures

Formbook

trojan spyware stealer formbook

Formbook payload

rat

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\43251b851d7807ea3a8a31aa1945a376_JaffaCakes118.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1904 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\43251b851d7807ea3a8a31aa1945a376_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\43251b851d7807ea3a8a31aa1945a376_JaffaCakes118.exe
PID 1904 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\43251b851d7807ea3a8a31aa1945a376_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\43251b851d7807ea3a8a31aa1945a376_JaffaCakes118.exe
PID 1904 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\43251b851d7807ea3a8a31aa1945a376_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\43251b851d7807ea3a8a31aa1945a376_JaffaCakes118.exe
PID 1904 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\43251b851d7807ea3a8a31aa1945a376_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\43251b851d7807ea3a8a31aa1945a376_JaffaCakes118.exe
PID 1904 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\43251b851d7807ea3a8a31aa1945a376_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\43251b851d7807ea3a8a31aa1945a376_JaffaCakes118.exe
PID 1904 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\43251b851d7807ea3a8a31aa1945a376_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\43251b851d7807ea3a8a31aa1945a376_JaffaCakes118.exe
PID 1904 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\43251b851d7807ea3a8a31aa1945a376_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\43251b851d7807ea3a8a31aa1945a376_JaffaCakes118.exe

Processes

C:\Users\Admin\AppData\Local\Temp\43251b851d7807ea3a8a31aa1945a376_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\43251b851d7807ea3a8a31aa1945a376_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\43251b851d7807ea3a8a31aa1945a376_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\43251b851d7807ea3a8a31aa1945a376_JaffaCakes118.exe"

Network

N/A

Files

memory/1904-0-0x0000000074CEE000-0x0000000074CEF000-memory.dmp

memory/1904-1-0x00000000000F0000-0x0000000000174000-memory.dmp

memory/1904-2-0x0000000074CE0000-0x00000000753CE000-memory.dmp

memory/1904-3-0x0000000000590000-0x000000000059A000-memory.dmp

memory/1904-4-0x0000000074CEE000-0x0000000074CEF000-memory.dmp

memory/1904-5-0x0000000074CE0000-0x00000000753CE000-memory.dmp

memory/1904-6-0x0000000004330000-0x000000000438C000-memory.dmp

memory/3056-11-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3056-8-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3056-7-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3056-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1904-12-0x0000000074CE0000-0x00000000753CE000-memory.dmp

memory/3056-13-0x0000000000A80000-0x0000000000D83000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-13 20:02

Reported

2024-07-13 20:05

Platform

win10v2004-20240704-en

Max time kernel

136s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\43251b851d7807ea3a8a31aa1945a376_JaffaCakes118.exe"

Signatures

Formbook

trojan spyware stealer formbook

Formbook payload

rat

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\43251b851d7807ea3a8a31aa1945a376_JaffaCakes118.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3040 wrote to memory of 3752 | N/A | C:\Users\Admin\AppData\Local\Temp\43251b851d7807ea3a8a31aa1945a376_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\43251b851d7807ea3a8a31aa1945a376_JaffaCakes118.exe
PID 3040 wrote to memory of 3752 | N/A | C:\Users\Admin\AppData\Local\Temp\43251b851d7807ea3a8a31aa1945a376_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\43251b851d7807ea3a8a31aa1945a376_JaffaCakes118.exe
PID 3040 wrote to memory of 3752 | N/A | C:\Users\Admin\AppData\Local\Temp\43251b851d7807ea3a8a31aa1945a376_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\43251b851d7807ea3a8a31aa1945a376_JaffaCakes118.exe
PID 3040 wrote to memory of 4160 | N/A | C:\Users\Admin\AppData\Local\Temp\43251b851d7807ea3a8a31aa1945a376_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\43251b851d7807ea3a8a31aa1945a376_JaffaCakes118.exe
PID 3040 wrote to memory of 4160 | N/A | C:\Users\Admin\AppData\Local\Temp\43251b851d7807ea3a8a31aa1945a376_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\43251b851d7807ea3a8a31aa1945a376_JaffaCakes118.exe
PID 3040 wrote to memory of 4160 | N/A | C:\Users\Admin\AppData\Local\Temp\43251b851d7807ea3a8a31aa1945a376_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\43251b851d7807ea3a8a31aa1945a376_JaffaCakes118.exe
PID 3040 wrote to memory of 4160 | N/A | C:\Users\Admin\AppData\Local\Temp\43251b851d7807ea3a8a31aa1945a376_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\43251b851d7807ea3a8a31aa1945a376_JaffaCakes118.exe
PID 3040 wrote to memory of 4160 | N/A | C:\Users\Admin\AppData\Local\Temp\43251b851d7807ea3a8a31aa1945a376_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\43251b851d7807ea3a8a31aa1945a376_JaffaCakes118.exe
PID 3040 wrote to memory of 4160 | N/A | C:\Users\Admin\AppData\Local\Temp\43251b851d7807ea3a8a31aa1945a376_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\43251b851d7807ea3a8a31aa1945a376_JaffaCakes118.exe

Processes

C:\Users\Admin\AppData\Local\Temp\43251b851d7807ea3a8a31aa1945a376_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\43251b851d7807ea3a8a31aa1945a376_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\43251b851d7807ea3a8a31aa1945a376_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\43251b851d7807ea3a8a31aa1945a376_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\43251b851d7807ea3a8a31aa1945a376_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\43251b851d7807ea3a8a31aa1945a376_JaffaCakes118.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp

Files

memory/3040-0-0x000000007471E000-0x000000007471F000-memory.dmp

memory/3040-1-0x0000000000D40000-0x0000000000DC4000-memory.dmp

memory/3040-2-0x0000000005780000-0x000000000581C000-memory.dmp

memory/3040-3-0x0000000005E10000-0x00000000063B4000-memory.dmp

memory/3040-4-0x0000000005900000-0x0000000005992000-memory.dmp

memory/3040-5-0x0000000005820000-0x000000000582A000-memory.dmp

memory/3040-6-0x0000000005A90000-0x0000000005AE6000-memory.dmp

memory/3040-7-0x0000000074710000-0x0000000074EC0000-memory.dmp

memory/3040-8-0x0000000005B10000-0x0000000005B1A000-memory.dmp

memory/3040-9-0x000000007471E000-0x000000007471F000-memory.dmp

memory/3040-10-0x0000000074710000-0x0000000074EC0000-memory.dmp

memory/3040-11-0x0000000001430000-0x000000000148C000-memory.dmp

memory/4160-12-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3040-14-0x0000000074710000-0x0000000074EC0000-memory.dmp

memory/4160-15-0x00000000016D0000-0x0000000001A1A000-memory.dmp