Analysis

  • max time kernel
    146s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-08-2024 11:05

General

  • Target

    be75358ef16a88307d3722de7f8d080b_JaffaCakes118.exe

  • Size

    759KB

  • MD5

    be75358ef16a88307d3722de7f8d080b

  • SHA1

    0a812866da45cf66666af011efee7965290a537a

  • SHA256

    6401173b049bfd58a827e272138d0cf08185519dfa744e2b2e9990b4cade3a49

  • SHA512

    be050652c2c6ad722292c686898b48dd5c8dfe35d977cb74586dce59e89a24e3ab9b9aa5b9fc3cb9ed91f0ab8bc3b34d53e298c2d0e1a20db32f539e2d12297c

  • SSDEEP

    12288:1gh+13sf8irOhRxuXEMzhy8H2kT//B4vvNuBvw0C9/D42fWGS:TMN9Wk14aY0C97S

Malware Config

Extracted

  • Family
    formbook
  • Version
    3.9
  • Campaign
    a8c
  • Decoy
    kesslergroupinternational.net
    elcarretazo.com
    livbim.info
    thamxop.net
    abitur.expert
    cidavidjoy.com
    digitalkarwaan.com
    hcave.com
    foundbyjack.com
    servicarpasjc.com
    giaotrinh24h.com
    ladasno.com
    harrisxn.com
    bestbtccasinos.info
    australianflying.com
    louboutinshoes.site
    taohaomi.net
    s5league-europe.com
    lizhongysw.com
    imizuspotsboxboxinggym.com

Signatures

  • Formbook

    Formbook is a data-stealing malware family.

  • Formbook payload 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1228
    • C:\Users\Admin\AppData\Local\Temp\be75358ef16a88307d3722de7f8d080b_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\be75358ef16a88307d3722de7f8d080b_JaffaCakes118.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1724
      • C:\Users\Admin\AppData\Local\Temp\coyote.exe
        C:\Users\Admin\AppData\Local\Temp\coyote.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2732
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe"
          4⤵
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:23616
    • C:\Windows\SysWOW64\control.exe
      "C:\Windows\SysWOW64\control.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:23800
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\SysWOW64\cmd.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:23832

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Harmony

    Filesize

    211KB

    MD5

    de800a2fde3f9c0eddb472eef987f549

    SHA1

    a87e7d10c405bb3d28040f8d24e8dd4fce88abc2

    SHA256

    2f99797338dd783675a0780a8b82379e50940166bbe47c21dfb914cc507939c6

    SHA512

    97d59b161db40d9d3072eb528390f4d439a7dfc768e146b591c1b041835554e2adf5567297c91c6316898e547b6af2cd8ec02c2473ee33815b4133081253211d

  • C:\Users\Admin\AppData\Local\Temp\SterletFiretrap.DLL

    Filesize

    55KB

    MD5

    3ec65b93c42c369a4e75a292a6cd0a74

    SHA1

    dbfbf8bea2409544d73a3247555431f864741219

    SHA256

    0218dacfa55a2f8ca15ac49c00b8aa931861918d499266817e3cb09eedadfa06

    SHA512

    681ebf0a9150788e1e8eba4657c3263c95963983db7e5aaed76117cec8582ce5cbf9e22225202a298c9bcf4552f245e5c399036c6713abc773e3316cb2b05b30

  • C:\Users\Admin\AppData\Local\Temp\coyote.exe

    Filesize

    50KB

    MD5

    07b54aa737d16f89c80e6da5a2de5013

    SHA1

    bcad8a5a09597086ce2df3ed4d833ca6a188f12e

    SHA256

    e4ee0e4c5533fad0ece32849b37dec5c22ad662ce3dd1376880200eb6011de5f

    SHA512

    e92ed0a39dd645c60319739b86a06e7643cfb14f28eb6d1bb3ec97febf0405eb5ad4d3e6aaf3374bfebdeb1bbfa1371764790810aa904f1cd9f63b17c62fbe61

  • C:\Windows\win.ini

    Filesize

    517B

    MD5

    893cae59ab5945a94a7da007d47a1255

    SHA1

    d4cfd81c6647ca64022bd307c08a7fb4bbbd4c06

    SHA256

    edfa0f2d3bea9f737e0315971c6f81d3d8e7d460b60a19351ada0316a093c938

    SHA512

    d66e454781f54f45df814ad32d687b0f100578c2a4ffca62de81add04281fb881a550702bd2d058933d3736d14e88624af268a86ce24b0c3935242b206ffdcc9

  • memory/1228-10058-0x0000000004E20000-0x0000000004ED2000-memory.dmp

    Filesize

    712KB

  • memory/1228-10062-0x0000000004E20000-0x0000000004ED2000-memory.dmp

    Filesize

    712KB

  • memory/2732-41-0x0000000000030000-0x0000000000034000-memory.dmp

    Filesize

    16KB

  • memory/2732-43-0x0000000000070000-0x0000000000071000-memory.dmp

    Filesize

    4KB

  • memory/2732-44-0x0000000000190000-0x0000000000196000-memory.dmp

    Filesize

    24KB

  • memory/2732-10049-0x0000000000250000-0x0000000000272000-memory.dmp

    Filesize

    136KB

  • memory/23616-10050-0x0000000000090000-0x0000000000096000-memory.dmp

    Filesize

    24KB

  • memory/23616-10057-0x0000000000430000-0x0000000000444000-memory.dmp

    Filesize

    80KB

  • memory/23616-10056-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/23616-10054-0x00000000032A0000-0x00000000035A3000-memory.dmp

    Filesize

    3.0MB

  • memory/23616-10053-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/23800-10060-0x00000000006C0000-0x00000000006DF000-memory.dmp

    Filesize

    124KB

  • memory/23800-10059-0x00000000006C0000-0x00000000006DF000-memory.dmp

    Filesize

    124KB