Overview

overview

10

Static

static

3

c064ec37ff...18.exe

windows7-x64

10

c064ec37ff...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    25-08-2024 09:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c064ec37ffd4521397a436a9d0c3da18_JaffaCakes118.exe

  • Size

    1.1MB

  • MD5

    c064ec37ffd4521397a436a9d0c3da18

  • SHA1

    03ba9be491d49752464ffa0755f0d8926e1925e7

  • SHA256

    a308003882167974d1a1f6334f0f9ee1599c50d33ec2883c856de84bf82365f4

  • SHA512

    2186f2f8f28efdde84d196468b00f5df27417b65a10ba6589ee0e57d30ffef121ec04973db8ffc7d6ec935e8bdcf0a98d72cad057f131e6caf7c7455d72379ba

  • SSDEEP

    24576:f9aok2Jbtfcp5l3E5zXVHjx9NMezB3xmSj:f9aSho45xDvZh

Score
10/10
formbookandiscoveryratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

an

Decoy

setzesegel.com

freeyrself.com

searchshoppingonline.com

tv16282.info

unitedtur.com

168jlb.com

blockee.info

ryd5.com

kucun108.com

castcmi.red

ufc202.info

goldendawnequipment.com

anlatacaklarimvar.com

szgty.info

realtorlubbock.com

digitalumsetzbar.com

buy9voltblaster.com

naughtytingz.com

phstructuredwater.com

energettic.download

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1248
    • C:\Users\Admin\AppData\Local\Temp\c064ec37ffd4521397a436a9d0c3da18_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\c064ec37ffd4521397a436a9d0c3da18_JaffaCakes118.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3044
      • C:\Windows\SysWOW64\diskperf.exe
        "C:\Windows\SysWOW64\diskperf.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2740
    • C:\Windows\SysWOW64\help.exe
      "C:\Windows\SysWOW64\help.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2568
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\SysWOW64\diskperf.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3064

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1248-16-0x0000000003F70000-0x0000000004070000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1248-26-0x0000000007D20000-0x0000000007E2B000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1248-21-0x00000000079D0000-0x0000000007B01000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/1248-22-0x0000000007D20000-0x0000000007E2B000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1248-17-0x00000000079D0000-0x0000000007B01000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2568-23-0x00000000003C0000-0x00000000003C6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2568-25-0x00000000003C0000-0x00000000003C6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2740-10-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2740-15-0x00000000001F0000-0x0000000000204000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2740-14-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2740-12-0x00000000009C0000-0x0000000000CC3000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2740-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2740-20-0x00000000003A0000-0x00000000003B4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2740-19-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2740-6-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/3044-11-0x0000000000400000-0x000000000051F000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/3044-0-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3044-1-0x0000000000400000-0x000000000051F000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/3044-2-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

    Download