Overview

overview

10

Static

static

3

be75358ef1...18.exe

windows7-x64

10

be75358ef1...18.exe

windows10-2004-x64

10

$TEMP/29.opends60.dll

windows7-x64

1

$TEMP/29.opends60.dll

windows10-2004-x64

1

$TEMP/Ster...ap.dll

windows7-x64

3

$TEMP/Ster...ap.dll

windows10-2004-x64

3

$TEMP/WebN...mes.js

windows7-x64

3

$TEMP/WebN...mes.js

windows10-2004-x64

3

$TEMP/aspnetisapi.dll

windows7-x64

3

$TEMP/aspnetisapi.dll

windows10-2004-x64

3

$TEMP/autolayt.dll

windows7-x64

3

$TEMP/autolayt.dll

windows10-2004-x64

3

$TEMP/coyote.exe

windows7-x64

4

$TEMP/coyote.exe

windows10-2004-x64

10

$TEMP/cvtres.exe

windows7-x64

3

$TEMP/cvtres.exe

windows10-2004-x64

3

$TEMP/disco.exe

windows7-x64

1

$TEMP/disco.exe

windows10-2004-x64

1

$TEMP/emcmp.ko

ubuntu-24.04-amd64

$TEMP/ltv350qv.ko

ubuntu-22.04-amd64

$TEMP/sl-modem.py

windows7-x64

3

$TEMP/sl-modem.py

windows10-2004-x64

3

$TEMP/syst...er.vbs

windows7-x64

1

$TEMP/syst...er.vbs

windows10-2004-x64

1

$TEMP/vsslnui.dll

windows7-x64

1

$TEMP/vsslnui.dll

windows10-2004-x64

1

$TEMP/webb...35.pyc

windows7-x64

3

$TEMP/webb...35.pyc

windows10-2004-x64

3

Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-08-2024 11:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    be75358ef16a88307d3722de7f8d080b_JaffaCakes118.exe

  • Size

    759KB

  • MD5

    be75358ef16a88307d3722de7f8d080b

  • SHA1

    0a812866da45cf66666af011efee7965290a537a

  • SHA256

    6401173b049bfd58a827e272138d0cf08185519dfa744e2b2e9990b4cade3a49

  • SHA512

    be050652c2c6ad722292c686898b48dd5c8dfe35d977cb74586dce59e89a24e3ab9b9aa5b9fc3cb9ed91f0ab8bc3b34d53e298c2d0e1a20db32f539e2d12297c

  • SSDEEP

    12288:1gh+13sf8irOhRxuXEMzhy8H2kT//B4vvNuBvw0C9/D42fWGS:TMN9Wk14aY0C97S

Score
10/10
formbooka8cdiscoveryratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

a8c

Decoy

kesslergroupinternational.net

elcarretazo.com

livbim.info

thamxop.net

abitur.expert

cidavidjoy.com

digitalkarwaan.com

hcave.com

foundbyjack.com

servicarpasjc.com

giaotrinh24h.com

ladasno.com

harrisxn.com

bestbtccasinos.info

australianflying.com

louboutinshoes.site

taohaomi.net

s5league-europe.com

lizhongysw.com

imizuspotsboxboxinggym.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 3 IoCs
    rat
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of UnmapMainImage
    PID:3556
    • C:\Users\Admin\AppData\Local\Temp\be75358ef16a88307d3722de7f8d080b_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\be75358ef16a88307d3722de7f8d080b_JaffaCakes118.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3476
      • C:\Users\Admin\AppData\Local\Temp\coyote.exe
        C:\Users\Admin\AppData\Local\Temp\coyote.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:4892
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe"
          4⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:6084
    • C:\Windows\SysWOW64\msdt.exe
      "C:\Windows\SysWOW64\msdt.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      PID:7112
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\SysWOW64\cmd.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:428

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Harmony
    Filesize

    211KB

    MD5

    de800a2fde3f9c0eddb472eef987f549

    SHA1

    a87e7d10c405bb3d28040f8d24e8dd4fce88abc2

    SHA256

    2f99797338dd783675a0780a8b82379e50940166bbe47c21dfb914cc507939c6

    SHA512

    97d59b161db40d9d3072eb528390f4d439a7dfc768e146b591c1b041835554e2adf5567297c91c6316898e547b6af2cd8ec02c2473ee33815b4133081253211d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\SterletFiretrap.DLL
    Filesize

    55KB

    MD5

    3ec65b93c42c369a4e75a292a6cd0a74

    SHA1

    dbfbf8bea2409544d73a3247555431f864741219

    SHA256

    0218dacfa55a2f8ca15ac49c00b8aa931861918d499266817e3cb09eedadfa06

    SHA512

    681ebf0a9150788e1e8eba4657c3263c95963983db7e5aaed76117cec8582ce5cbf9e22225202a298c9bcf4552f245e5c399036c6713abc773e3316cb2b05b30

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\coyote.exe
    Filesize

    50KB

    MD5

    07b54aa737d16f89c80e6da5a2de5013

    SHA1

    bcad8a5a09597086ce2df3ed4d833ca6a188f12e

    SHA256

    e4ee0e4c5533fad0ece32849b37dec5c22ad662ce3dd1376880200eb6011de5f

    SHA512

    e92ed0a39dd645c60319739b86a06e7643cfb14f28eb6d1bb3ec97febf0405eb5ad4d3e6aaf3374bfebdeb1bbfa1371764790810aa904f1cd9f63b17c62fbe61

    Download Submit

  • C:\Windows\win.ini
    Filesize

    131B

    MD5

    9848e4efb0abd437d65e6d3d1d973adb

    SHA1

    f427ac7c50b19f66658ae7f92cbaf21110b49a47

    SHA256

    c8b84add37da849977a84fe62badb6cb908be99769edb70d60bcd04c0aec2a3f

    SHA512

    f90f1f65b6b824a526469b8d739f733a54a7f485d8b5f680de7a35fac90786bf6ba5a0b1d62e139663c5ee73b8d687cf32d4ccf188e18c53084ec12d8c216b17

    Download Submit

  • memory/3556-10052-0x0000000007DD0000-0x0000000007EF4000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/3556-10058-0x00000000082D0000-0x000000000843E000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/3556-10056-0x0000000007DD0000-0x0000000007EF4000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/4892-37-0x0000000000BD0000-0x0000000000BD4000-memory.dmp

    Filesize

    16KB

    Download

  • memory/4892-40-0x0000000000C10000-0x0000000000C16000-memory.dmp

    Filesize

    24KB

    Download

  • memory/4892-39-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4892-10045-0x0000000002790000-0x00000000027B2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/6084-10046-0x0000000001020000-0x0000000001026000-memory.dmp

    Filesize

    24KB

    Download

  • memory/6084-10053-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/6084-10054-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/6084-10050-0x00000000037F0000-0x0000000003B3A000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/6084-10049-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/7112-10055-0x00000000006B0000-0x0000000000707000-memory.dmp

    Filesize

    348KB

    Download