Analysis

  • max time kernel
    48s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    31-10-2024 09:09

General

  • Target

    8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe

  • Size

    1.1MB

  • MD5

    8293cfc29278bb798485c76761a79e84

  • SHA1

    4afbbf0994bf0147c8238dc2b7602728201bdd83

  • SHA256

    f567b5072eeb0de2b0c5b921df391ff7ea75996450a39a9eb3202b3eeb33232f

  • SHA512

    6e31a1738d94ec1a51497b67da05bc07aed569a7042ed4ab1ddcb295042db352c9500deeb2a7e7efe5be052bd7a7f700b133d4e50aeec25ba61114ee6b8d8a9b

  • SSDEEP

    12288:WSNiWeZwuKkZbe5KJfD2VXmcjM1zz7bhnF5Y0NPM2yaUVKnp:mWeSdkxCjjMJz7bhnFm0NPoahp

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

obow

Decoy

hinetin.net

narrativebusters.com

jesusmusicatl.com

mywellnessbooking.com

830272.com

mainrein.com

kajeoneworld.com

directaccesss.com

igsecretos.com

campbone.com

socialvidiots.com

abditrade.com

purisopropyl.com

opticalapparatus.com

staveoffboredom.com

evinja.com

onlinebusinesstoolselector.com

todayonly2.info

elitedesign-dz.com

zgszgw.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

  • Formbook family
  • Formbook payload 1 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2360
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2848
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\pEVQPWunBbZIyo.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2712
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pEVQPWunBbZIyo" /XML "C:\Users\Admin\AppData\Local\Temp\tmp87E5.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2092
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\pEVQPWunBbZIyo.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      PID:1948
    • C:\Users\Admin\AppData\Local\Temp\8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe"
      2⤵
        PID:1388
      • C:\Users\Admin\AppData\Local\Temp\8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\8293cfc29278bb798485c76761a79e84_JaffaCakes118.exe"
        2⤵
          PID:2588

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmp87E5.tmp

        Filesize

        1KB

        MD5

        c565b2067a61c3f0edb38e4a239ade24

        SHA1

        e6ae7d9dcc9f91297f5e12c3dbe29b5e975a914f

        SHA256

        a3abbedc23c40262ddf143b1275937801b19bd5ef089abdeed5713064277195b

        SHA512

        6870c445968ffac75b54ec872088edeffe31aaa8927cc41810903bad0e9c7c945cfd5a1ba5b574668300076fd4d07d2207d056c870dcd26f95fdee49c290f94e

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

        Filesize

        7KB

        MD5

        24397e374490d1185f14834c98becf20

        SHA1

        df2b6b9aeee4e9f284b3cf1427ce40887e1d818d

        SHA256

        d6bc9899c6ac6bf3f68ea02cef9babbe5d3bc731fb5b1d2b4d1b7910202f351c

        SHA512

        de07fb570895e184dcad543c9e35d1a47ae73bf05426f525dd7e75746fc6c3b5e60781cf63fceea181b431051912097e358464c5409b119b0c1711f89b12c612

      • memory/2360-3-0x0000000000580000-0x00000000005A2000-memory.dmp

        Filesize

        136KB

      • memory/2360-0-0x0000000074B0E000-0x0000000074B0F000-memory.dmp

        Filesize

        4KB

      • memory/2360-4-0x0000000074B0E000-0x0000000074B0F000-memory.dmp

        Filesize

        4KB

      • memory/2360-5-0x0000000074B00000-0x00000000751EE000-memory.dmp

        Filesize

        6.9MB

      • memory/2360-6-0x0000000007FB0000-0x0000000008030000-memory.dmp

        Filesize

        512KB

      • memory/2360-7-0x0000000000A10000-0x0000000000A48000-memory.dmp

        Filesize

        224KB

      • memory/2360-2-0x0000000074B00000-0x00000000751EE000-memory.dmp

        Filesize

        6.9MB

      • memory/2360-1-0x0000000000160000-0x000000000027E000-memory.dmp

        Filesize

        1.1MB

      • memory/2360-27-0x0000000074B00000-0x00000000751EE000-memory.dmp

        Filesize

        6.9MB

      • memory/2588-25-0x0000000000400000-0x000000000042E000-memory.dmp

        Filesize

        184KB

      • memory/2588-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

      • memory/2588-22-0x0000000000400000-0x000000000042E000-memory.dmp

        Filesize

        184KB

      • memory/2588-20-0x0000000000400000-0x000000000042E000-memory.dmp

        Filesize

        184KB