Analysis
-
max time kernel
149s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
02-10-2024 19:50
General
-
Target
0c3c3c868a9ee2d1c6c14f9fafd757a1_JaffaCakes118.exe
-
Size
946KB
-
MD5
0c3c3c868a9ee2d1c6c14f9fafd757a1
-
SHA1
816b112e6027f9d1caec76f78231bd24f6185094
-
SHA256
df6ade5c4e7c4f0e82aca32d744b6f8762d2dd82a98b7bda97e42748d488a661
-
SHA512
e71f53fa6a4b2d0c36b7b9d110988e47c11bee51ed33dfbcb1368adc34f10a8e17112cd286f88da637075dc37e1946151edbebb20012dedbb2487e6f18848f2c
-
SSDEEP
24576:B2wFJMNjRquEyu6nXj4UCmPUUcQfbhvj5CxRT:UwFehkuEGnTVJs9qJ
Malware Config
Extracted
formbook
4.1
vd9n
theunwrappedcollective.com
seckj-ic.com
tyresandover.com
thetrophyworld.com
fonggrconstruction.com
hopiproject.com
sktitle.com
charlotteobscurer.com
qjuhe.com
girlzglitter.com
createmylawn.com
hempcbgpill.com
zzdfdzkj.com
shreehariessential.com
226sm.com
getcupscall.com
neuralviolin.com
sanskaar.life
xn--fhqrm54yyukopc.com
togetherx4fantasy5star.today
Signatures
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Formbook payload 2 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 21 IoCs
-
Suspicious behavior: MapViewOfSection 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 25 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\0c3c3c868a9ee2d1c6c14f9fafd757a1_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\0c3c3c868a9ee2d1c6c14f9fafd757a1_JaffaCakes118.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bIcyzp" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5541.tmp"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\SysWOW64\msiexec.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵
- System Location Discovery: System Language Discovery
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5e95b48e20d092776b55cb7790c6b8bc1
SHA1e7dfa1724fd8df1bd9817f62680066f2423b2c31
SHA256c6b18f8cc56ba659ab0b54955b59bc5295397bba6ba6ef0d2d89a32df92105a4
SHA5126c5586a0713d0cda8067ce1ebac229da0202b2d931dddeb59a7303f81cffb2bd07cfbfa3d267599b1a28b5b13187f83923064a6249ff8fed4432ccdac1207be7
-
Filesize
648KB
-
Filesize
968KB
-
Filesize
104KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
208KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
920KB
-
Filesize
920KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
184KB
-
Filesize
80KB
-
Filesize
184KB
-
Filesize
3.0MB
-
Filesize
4KB
-
Filesize
184KB
-
Filesize
184KB