Overview

overview

10

Static

static

3

05693d30a2...18.exe

windows7-x64

10

05693d30a2...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    01-10-2024 10:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    05693d30a258095b919c382e469e420e_JaffaCakes118.exe

  • Size

    730KB

  • MD5

    05693d30a258095b919c382e469e420e

  • SHA1

    65d317cf88c097b083adc8a1a4258ed35c6336fe

  • SHA256

    3b2c92e7d412afc8e5aa4c1faf3d30471425c684703cd61cb97face159dac9ac

  • SHA512

    53f2c2ffc1e427496e7fd7add8c99ab09bd95472c366c0a1008ce2a5cc3b8d2d61c2782bc22b88b25654328e65b957ebb5ec8ffb2c4a6dc6b250f83703d5b54c

  • SSDEEP

    12288:3BlxN2iNeHK7zY5DczFF++iyFMrVTgOTARMoQboRkmg27mEfoAyRjgJ:3Bl71bMDKb+0FMZ7o6j27mEXyRA

Score
10/10
formbookowt8discoveryexecutionratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

owt8

Decoy

globalstainlesssteel.com

bentleymichaels.com

svproductiveparents.com

vikinger.one

kiarabrunett.com

lakelandchiefs.com

kickzcity.com

ceroestrespma.com

torchfarmer.com

angelie26.com

pekinggardenonlineorder.com

brooklynrealtynow.com

makaroniwino.com

wiresncircuits.com

vwealth-archive.com

anfang1718.com

sahaconcierge.com

rctuition.com

premiercovidscreening.com

ryl3inc.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 1 IoCs
    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\05693d30a258095b919c382e469e420e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\05693d30a258095b919c382e469e420e_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2112
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\05693d30a258095b919c382e469e420e_JaffaCakes118.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2612
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\EaQVrFOP.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2988
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EaQVrFOP" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCBB8.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:3000
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\EaQVrFOP.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1952
    • C:\Users\Admin\AppData\Local\Temp\05693d30a258095b919c382e469e420e_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\05693d30a258095b919c382e469e420e_JaffaCakes118.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:884

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpCBB8.tmp
    Filesize

    1KB

    MD5

    2d3c35e880938c86860cfd83da675b93

    SHA1

    643d6929bc834e72b7bb5b8940b9bde926b3018f

    SHA256

    1317cd994fd1a586cdd6cc3d3cfb819cb7fac18730c64b6e70a1ae3b24ed1ef8

    SHA512

    b4e40bd2340e2fa3b011ee56141a2aed8e273d9ed98f88f47d7f1f7145c6ce5bbb52a6d1045fa8cc53b427b5b48620d5fdc3a938039cda9d975f30dc7cef1d0d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JDR4613J33UAKIRY5RE4.temp
    Filesize

    7KB

    MD5

    a3dcc2049eaebe1138065b5ba7391c8f

    SHA1

    ec8dc34e77dcd92e91858d6ec955ee37ee23e1b0

    SHA256

    2a2ad2a2f7cf4d000c6a8b5441b99c1719cb5957972a36798306ff71ce72febf

    SHA512

    8fbcf3721c744f8001ed6039da9d3575b440d44839bac43e07a97fc7c5c3ba58ac1f29c74de6e8ed726be568f9f772942e0f1287e6c219edcaed6b05414102ad

    Download Submit

  • memory/884-22-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/884-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/884-25-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/884-20-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2112-3-0x00000000004E0000-0x00000000004F6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2112-7-0x0000000000B40000-0x0000000000B74000-memory.dmp

    Filesize

    208KB

    Download

  • memory/2112-6-0x0000000007D60000-0x0000000007E02000-memory.dmp

    Filesize

    648KB

    Download

  • memory/2112-5-0x0000000074830000-0x0000000074F1E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2112-4-0x000000007483E000-0x000000007483F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2112-0-0x000000007483E000-0x000000007483F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2112-2-0x0000000074830000-0x0000000074F1E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2112-1-0x0000000000CC0000-0x0000000000D7C000-memory.dmp

    Filesize

    752KB

    Download

  • memory/2112-26-0x0000000074830000-0x0000000074F1E000-memory.dmp

    Filesize

    6.9MB

    Download