Overview

overview

10

Static

static

3

e300b0ea04...18.exe

windows7-x64

10

e300b0ea04...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    15-09-2024 17:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e300b0ea04a1c33f7b0ca2a924632d3c_JaffaCakes118.exe

  • Size

    365KB

  • MD5

    e300b0ea04a1c33f7b0ca2a924632d3c

  • SHA1

    47ec6138765a54036ce46ddb900d4ceccfe6d698

  • SHA256

    ec42d1761aba72e3789f1d11e744c46394c2929dfef85c8d6297d37a89057b83

  • SHA512

    f746ea33cb60e2e811a8ecfcd62e3ca0f3073e67c895bb81c0a18eb3b30b19f73da6bd4dee9c303034763001e8b1645b7e12959950cacff3279a706614b72eac

  • SSDEEP

    6144:hBplqXThHWJohGUzxQPlmzGhfeF/ohaNuuH1ay951GfWkP3yd+1rH8zGlzWdlJvE:FlNJoMUmPlmzGhm50oFTUWkv/HQX6

Score
10/10
formbooks8ydiscoverypersistenceratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

s8y

Decoy

jazminewphoto.com

luyansu.com

mastertouchusa.net

hengyuangcjx.com

happinessabscissa.online

kinderspielproject.com

namoloja.com

wattwatchers.energy

ambikaprabhu.online

280top.info

emailtoast.com

holoidayinn.com

usthadhotel.com

jilinhengjinyaoye.com

walden.land

huicbxw.com

zhiyidetrade.com

ykm365.com

whmc99.com

jamiecarbetta.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 2 IoCs
    rat
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1204
    • C:\Users\Admin\AppData\Local\Temp\e300b0ea04a1c33f7b0ca2a924632d3c_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\e300b0ea04a1c33f7b0ca2a924632d3c_JaffaCakes118.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1732
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        "C:\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2864
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\SysWOW64\cmd.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2312
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2952

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1204-17-0x0000000004F80000-0x000000000504A000-memory.dmp

    Filesize

    808KB

    Download

  • memory/1204-20-0x0000000004F80000-0x000000000504A000-memory.dmp

    Filesize

    808KB

    Download

  • memory/1732-4-0x00000000007E0000-0x0000000000816000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1732-2-0x0000000000400000-0x0000000000436000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1732-0-0x000000007406E000-0x000000007406F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1732-5-0x0000000074060000-0x000000007474E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1732-10-0x0000000074060000-0x000000007474E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1732-1-0x0000000000810000-0x0000000000872000-memory.dmp

    Filesize

    392KB

    Download

  • memory/1732-12-0x0000000074060000-0x000000007474E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1732-3-0x0000000074060000-0x000000007474E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2312-19-0x0000000049EA0000-0x0000000049EEC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2312-18-0x0000000049EA0000-0x0000000049EEC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2864-16-0x0000000000130000-0x0000000000144000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2864-15-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2864-13-0x0000000000840000-0x0000000000B43000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2864-11-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download