Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
19/09/2024, 10:41
General
-
Target
eb29c382d8a70b5d78802d04ec5623e4_JaffaCakes118.exe
-
Size
989KB
-
MD5
eb29c382d8a70b5d78802d04ec5623e4
-
SHA1
0e74128bb6f4c5a75596cfe87a6df9e09f35d1b8
-
SHA256
28c5ed49a415babc182c3c990ec24e5a860fe7b51b0fc768cccae59a08f8a26f
-
SHA512
498f2b08468ef18cbb10a070cce05969f84ccfbe800eea1523e5bae37dba5a8d2fde515cc16bb47187311f779b1a84964940f4d8b0cbf8aeb95aa54bec7fede3
-
SSDEEP
24576:Mtb20pkaCqT5TBWgNQ7aIkX04z6ZQrhk6A:1Vg5tQ7aIktzCQC5
Malware Config
Extracted
formbook
3.8
war
baoeasy.net
elblogdelagenteinmobiliario.com
jxnklx.com
styleweit.com
usmivki.net
gxxmybkw.com
thrifty.tools
oslomatch.com
housten.help
zhituwangluo.com
cagili.info
fanniesandbums.com
metalpay.exchange
swissden.com
padreisla2.com
flysat-stream.com
kadabradelivery.com
mumoswolrd.com
nti.ltd
shiretokoserai.com
Signatures
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Formbook payload 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 58 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\eb29c382d8a70b5d78802d04ec5623e4_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\eb29c382d8a70b5d78802d04ec5623e4_JaffaCakes118.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exe"C:\Windows\SysWOW64\WerFault.exe"3⤵
-
-
-
C:\Windows\SysWOW64\cmmon32.exe"C:\Windows\SysWOW64\cmmon32.exe"2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Windows\SysWOW64\WerFault.exe"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exe/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V3⤵
- System Location Discovery: System Language Discovery
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
40KB
MD5a182561a527f929489bf4b8f74f65cd7
SHA18cd6866594759711ea1836e86a5b7ca64ee8911f
SHA25642aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA5129bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558
-
Filesize
167KB
MD5809dd59315e8ddc7b8620dcbf40e600f
SHA1bbdd679ef59ada9b40c7c648e8401596e480b962
SHA256801e944ab6513594fffb38572788b6db73e087f4b83555916aec34b2d9ec8971
SHA51206aba4ede1856b652cb85f022a0b29f008c09969d9979aa0fbd1349cce584041b280f339030d096e7877e0e15339e3812dd6aa2a7242302896aac66985e8a11b
-
Filesize
85KB
MD5e5759afbbc84c8a8b4bf7af451bcf3b5
SHA1b5c3d38103fc94e6d9f532c7ff682e7cc70eb11d
SHA2564a9189e01b608096fcfc0ef0c7a25c41a5408a0ad3dd1e33eb4c71d1400bb00f
SHA512efa53da133de4ad840441c925b779dfd899ce47973a9faed2fd1456d149d83d25da0822bb2c20d2672467874bdb8dd9c7d800a5b0dfb2d5b5b4ded1bee61b745
-
Filesize
38B
MD54aadf49fed30e4c9b3fe4a3dd6445ebe
SHA11e332822167c6f351b99615eada2c30a538ff037
SHA25675034beb7bded9aeab5748f4592b9e1419256caec474065d43e531ec5cc21c56
SHA512eb5b3908d5e7b43ba02165e092f05578f45f15a148b4c3769036aa542c23a0f7cd2bc2770cf4119a7e437de3f681d9e398511f69f66824c516d9b451bb95f945
-
Filesize
40B
MD5d63a82e5d81e02e399090af26db0b9cb
SHA191d0014c8f54743bba141fd60c9d963f869d76c9
SHA256eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae
SHA51238afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad
-
Filesize
872B
MD5bbc41c78bae6c71e63cb544a6a284d94
SHA133f2c1d9fa0e9c99b80bc2500621e95af38b1f9a
SHA256ee83c6bcea9353c74bfc0a7e739f3c4a765ace894470e09cdcdebba700b8d4cb
SHA5120aea424b57adae3e14ad6491cab585f554b4dffe601b5a17bad6ee6177d2f0f995e419cde576e2d1782b9bddc0661aada11a2c9f1454ae625d9e3223635ec9f4
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
588KB
-
Filesize
3.3MB
-
Filesize
48KB
-
Filesize
168KB
-
Filesize
168KB
