Analysis

  • max time kernel
    143s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/07/2024, 00:00

General

  • Target

    68e0117d2b14f9b4db44063953c9f028_JaffaCakes118.exe

  • Size

    747KB

  • MD5

    68e0117d2b14f9b4db44063953c9f028

  • SHA1

    0b2751b17a9131a9fc636a7dd5136ff8c6951049

  • SHA256

    54c0138d6a0dbd5967d7cf51eb753b29aa1fd72a85152285bd22347fa6654022

  • SHA512

    cb3ebc8964151ccdfd0ee0f78dc1daa7dadc3ce1fb4eee1d291ee306894a538167374d4750943dd2265407e92429ada74da3169600716215e9b4f74764c939c6

  • SSDEEP

    12288:bxojH5jdL/KyCR7PqRo2YQLa3RFC7cvoLTKwnfzOw3Ue8:+ljBKnRIIQOhKcCTKI3

Malware Config

Extracted

  • Family

    formbook

  • Version

    4.1

  • Campaign

    3nk4

  • Decoy

    teresaanaya.com
    byronhobbs.com
    altiizgara.com
    reignsponsibly.com
    kanistones.com
    clickpk.site
    aizzainvestments.com
    bpqbq.com
    openfitxbstretch.com
    blackvoicesstore.com
    yousefzaid.com
    verdeaccounting.com
    independentthoughtshow.com
    fainlywatchdog.com
    elreventondelsabor.com
    spiceyourfood.com
    1277hb.com
    cesttoni.com
    portalngs.com
    turismoplayas.com

Signatures

  • Formbook

    Formbook is an information-stealing malware family: it harvests credentials and submitted form data from browsers and other applications, and can also log keystrokes.

  • Formbook payload (1 IoC)
  • Suspicious use of SetThreadContext (1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 1 IoC)

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious behavior: MapViewOfSection (1 IoC)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\68e0117d2b14f9b4db44063953c9f028_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\68e0117d2b14f9b4db44063953c9f028_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:4360
    • C:\Users\Admin\AppData\Local\Temp\68e0117d2b14f9b4db44063953c9f028_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\68e0117d2b14f9b4db44063953c9f028_JaffaCakes118.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4908
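The process tree above shows the sample launching a second copy of itself (PID 4360 spawns PID 4908 with an identical image path) while the parent uses WriteProcessMemory, MapViewOfSection and SetThreadContext. The following is an added detection example, not part of the sandbox report: it runs a self-injection heuristic over a constructed, simplified EDR-style event feed modelled on this tree. The event schema, the benign control processes and the assumption that the parent's API calls target the child (the report lists the APIs per process but not their target PIDs) are all constructed for the example.

```python
"""Self-injection (process hollowing style) heuristic over process events.

Added example, not sandbox output. The event dicts are constructed to resemble
a simplified EDR/Sysmon feed; target_pid on the API events is an assumption.
"""
from collections import defaultdict

IMAGE = r"C:\Users\Admin\AppData\Local\Temp\68e0117d2b14f9b4db44063953c9f028_JaffaCakes118.exe"

# Constructed events modelled on the report's tree: PID 4360 spawns a copy of
# itself (PID 4908), then writes its memory and replaces its thread context.
EVENTS = [
    {"type": "process_create", "pid": 4360, "ppid": 1100, "image": IMAGE},
    {"type": "process_create", "pid": 4908, "ppid": 4360, "image": IMAGE},
    {"type": "api", "pid": 4360, "api": "WriteProcessMemory", "target_pid": 4908},
    {"type": "api", "pid": 4360, "api": "MapViewOfSection", "target_pid": 4908},
    {"type": "api", "pid": 4360, "api": "SetThreadContext", "target_pid": 4908},
    # Benign control (constructed): a browser spawning a same-image child
    # without touching its memory or thread context must not be flagged.
    {"type": "process_create", "pid": 2000, "ppid": 900, "image": r"C:\Program Files\Browser\browser.exe"},
    {"type": "process_create", "pid": 2040, "ppid": 2000, "image": r"C:\Program Files\Browser\browser.exe"},
    # Benign control (constructed): a debugger writing memory into a child of a
    # different image, with no SetThreadContext, must not be flagged either.
    {"type": "process_create", "pid": 3000, "ppid": 900, "image": r"C:\Tools\dbg.exe"},
    {"type": "process_create", "pid": 3010, "ppid": 3000, "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "api", "pid": 3000, "api": "WriteProcessMemory", "target_pid": 3010},
]

INJECTION_APIS = {"WriteProcessMemory", "SetThreadContext", "MapViewOfSection"}


def find_hollowing_candidates(events):
    """Return {(parent_pid, child_pid): [reasons]} for children whose parent both
    wrote their memory and replaced a thread context; other observations
    (self-spawn, section mapping) are recorded as supporting reasons."""
    procs = {}  # pid -> (ppid, image)
    for ev in events:
        if ev["type"] == "process_create":
            procs[ev["pid"]] = (ev["ppid"], ev["image"])

    # actor pid -> target pid -> set of cross-process APIs observed
    touched = defaultdict(lambda: defaultdict(set))
    for ev in events:
        if ev["type"] == "api" and ev["api"] in INJECTION_APIS:
            touched[ev["pid"]][ev["target_pid"]].add(ev["api"])

    hits = {}
    for child, (parent, image) in procs.items():
        apis = touched.get(parent, {}).get(child, set())
        reasons = []
        if parent in procs and procs[parent][1].lower() == image.lower():
            reasons.append("self-spawn (child image == parent image)")
        if "WriteProcessMemory" in apis:
            reasons.append("parent wrote child memory")
        if "MapViewOfSection" in apis:
            reasons.append("parent mapped a section into child")
        if "SetThreadContext" in apis:
            reasons.append("parent replaced child thread context")
        # Writing memory alone is common (debuggers, installers, crash handlers);
        # require the thread-context replacement that hands execution to the
        # newly written code before raising an alert.
        if "WriteProcessMemory" in apis and "SetThreadContext" in apis:
            hits[(parent, child)] = reasons
    return hits


if __name__ == "__main__":
    for (parent, child), why in find_hollowing_candidates(EVENTS).items():
        print(f"PID {parent} -> PID {child}: " + "; ".join(why))
```

The self-spawn check is deliberately a supporting reason rather than a trigger: many legitimate programs launch copies of themselves, and hollowing into an unrelated binary (for example a signed system executable) is at least as common as hollowing into a self-copy, so keying on the cross-process write plus thread-context replacement keeps the rule useful for both cases.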

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/4360-0-0x00000000007B0000-0x00000000007B1000-memory.dmp

    Filesize

    4KB

  • memory/4360-2-0x0000000003F40000-0x0000000003F53000-memory.dmp

    Filesize

    76KB

  • memory/4360-1-0x0000000003F40000-0x0000000003F53000-memory.dmp

    Filesize

    76KB

  • memory/4360-3-0x0000000003F60000-0x0000000003F61000-memory.dmp

    Filesize

    4KB

  • memory/4360-5-0x0000000000400000-0x00000000004C1000-memory.dmp

    Filesize

    772KB

  • memory/4908-4-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/4908-6-0x0000000000430000-0x00000000004F9000-memory.dmp

    Filesize

    804KB
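The dump names above encode the process, a sequence number and the region's start and end addresses. The following is an added example, not part of the sandbox report: it parses those names, checks that each listed Filesize matches the address span, and compares the region at the original image base (0x400000) between parent and child. The names and listed sizes are copied from the list above; the reading of the result (a smaller region at the same image base in the child, alongside a new region the parent lacks, is what one expects after the child's image has been replaced) is a heuristic interpretation, not something the report states.

```python
"""Parse sandbox memory-dump names and compare regions across processes.

Added example, not part of the sandbox report. Dump names and listed sizes
are copied from the report's Downloads list.
"""
import re

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# (dump name, Filesize as listed in the report)
DUMPS = [
    ("memory/4360-0-0x00000000007B0000-0x00000000007B1000-memory.dmp", "4KB"),
    ("memory/4360-2-0x0000000003F40000-0x0000000003F53000-memory.dmp", "76KB"),
    ("memory/4360-1-0x0000000003F40000-0x0000000003F53000-memory.dmp", "76KB"),
    ("memory/4360-3-0x0000000003F60000-0x0000000003F61000-memory.dmp", "4KB"),
    ("memory/4360-5-0x0000000000400000-0x00000000004C1000-memory.dmp", "772KB"),
    ("memory/4908-4-0x0000000000400000-0x000000000042E000-memory.dmp", "184KB"),
    ("memory/4908-6-0x0000000000430000-0x00000000004F9000-memory.dmp", "804KB"),
]


def parse_dump(name):
    """Split a dump name into pid, sequence number, start/end address and size."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted region: {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def listed_size_matches(name, listed):
    """True if the report's 'NNKB' size equals the address span exactly.
    Regions are page-aligned, so the span is a whole multiple of 4 KiB."""
    kb = int(listed.rstrip("KB"))
    return parse_dump(name)["size"] == kb * 1024


def regions_by_pid(dumps):
    """Map pid -> {(start, end): size}; repeated dumps of one region collapse."""
    out = {}
    for name, _ in dumps:
        d = parse_dump(name)
        out.setdefault(d["pid"], {})[(d["start"], d["end"])] = d["size"]
    return out


def image_base_comparison(dumps, parent_pid, child_pid, base=0x400000):
    """Return (parent_size, child_size) for the region starting at `base` in
    each process, or None if either process has no region at that address."""
    regs = regions_by_pid(dumps)

    def at_base(pid):
        for (start, _end), size in regs.get(pid, {}).items():
            if start == base:
                return size
        return None

    parent, child = at_base(parent_pid), at_base(child_pid)
    return (parent, child) if parent is not None and child is not None else None


def regions_only_in(dumps, pid, other_pid):
    """Regions dumped from `pid` that have no counterpart (same start) in `other_pid`."""
    regs = regions_by_pid(dumps)
    other_starts = {s for (s, _e) in regs.get(other_pid, {})}
    return sorted(r for r in regs.get(pid, {}) if r[0] not in other_starts)


if __name__ == "__main__":
    for name, listed in DUMPS:
        print(f"{name}: listed {listed}, span matches: {listed_size_matches(name, listed)}")
    print("image base 0x400000, parent vs child:", image_base_comparison(DUMPS, 4360, 4908))
    print("regions only in child:", [(hex(s), hex(e)) for s, e in regions_only_in(DUMPS, 4908, 4360)])
```

Run as written, every listed size matches its span, the region at 0x400000 is 0xC1000 bytes (772KB) in the parent but 0x2E000 bytes (184KB) in the child, and the child carries one region (0x430000 to 0x4F9000) that the parent never had. Those two dumps of PID 4908 are the ones to feed to a Formbook config extractor or a YARA scan, since the parent's image at 0x400000 is still the packed loader.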