Overview

overview

10

Static

static

5

943dd70ae7...18.exe

windows7-x64

10

943dd70ae7...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    24-11-2024 11:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    943dd70ae7ea579feea9d9bef3c30224_JaffaCakes118.exe

  • Size

    2.9MB

  • MD5

    943dd70ae7ea579feea9d9bef3c30224

  • SHA1

    3ddf2c1a0a3f8117f040340aaa4e412af52effd0

  • SHA256

    95ead5f59742715dfe3b73aefd02cc41c778bdef63262431ea39188d269754fc

  • SHA512

    8fefc4dc2c4467a3b75cd59066e965c16b0f9ed1f3343f850d4442ce02120aab7c77eda580dd98b1fabf87a0531eab5eeb73dba9e10af246eb1b52bfdb2cb250

  • SSDEEP

    49152:0GBzABJzYm4/PPp5TIW6zerkrGXT7bD3qoebj6RTRXzJ3GniT/cieat3KltJTD5+:GJzYmGHvTcerk8/H3/eAXzJ3kUkbm6na

Score
10/10
formbook23vdiscoverypersistenceratspywarestealertrojanupx

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

23v

Decoy

1l4m-5qeh0cgx9a.com

portsel.com

vypnxg.men

renrenbaoshangcheng.com

hulebang.com

heatburnio.com

amazingthunderworks.com

quantumreapers.com

8801i.info

moonlightmanager.com

bqypm.info

backlinkbarato.com

jiudianhuixun.com

markerbio.net

empety.com

eternalkollection.com

teknoshift.com

petitenobel.net

zlmqv.info

emotionalcontrols.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook family
    formbook
  • Formbook payload 2 IoCs
    rat
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1196
    • C:\Users\Admin\AppData\Local\Temp\943dd70ae7ea579feea9d9bef3c30224_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\943dd70ae7ea579feea9d9bef3c30224_JaffaCakes118.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3028
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c test.exe
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2740
        • C:\Users\Admin\AppData\Local\Temp\test.exe
          test.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:3060
          • C:\Users\Admin\AppData\Local\Temp\test.exe
            test.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:2664
    • C:\Windows\SysWOW64\help.exe
      "C:\Windows\SysWOW64\help.exe"
      2⤵
      • Adds policy Run key to start application
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2836
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\test.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2856

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\test.exe
    Filesize

    741KB

    MD5

    b47b06cff1d60c9de49274c25985ba4d

    SHA1

    d0a7f22d8394fdaf2c2eec1a75e574ceefbbb7bc

    SHA256

    1b6ec9f600599ce745b4de12b0c8c28425b03b71ccaeb2bd0178ddc374e623b5

    SHA512

    6f21daaaa733c6d44cf28f7753495701f866aa45c4a47249ee09d92505114db0674997033e7350a61273ebaf4adb7149c08d50b146699020f568a53e00f6077a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\8LNO-92F\8LNlogim.jpeg
    Filesize

    62KB

    MD5

    43eade0a16f756e3aa3217da83afe177

    SHA1

    4a771173f087e30c3cacfc152c00875a1ebe1612

    SHA256

    fb317a4ccf0dcea0fc3c73d8379109818dff909a040045f215ba2ab4c502b40a

    SHA512

    f880102bd399186eb1168371d037a387c701c51326ca6ec469f280fd8f997fe1eb3365669e6422180efbe71f0ba4bbe5de6acd9b63bb5c73dc53aa0c32e9a117

    Download Submit

  • C:\Users\Admin\AppData\Roaming\8LNO-92F\8LNlogri.ini
    Filesize

    40B

    MD5

    d63a82e5d81e02e399090af26db0b9cb

    SHA1

    91d0014c8f54743bba141fd60c9d963f869d76c9

    SHA256

    eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

    SHA512

    38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

    Download Submit

  • C:\Users\Admin\AppData\Roaming\8LNO-92F\8LNlogrv.ini
    Filesize

    40B

    MD5

    ba3b6bc807d4f76794c4b81b09bb9ba5

    SHA1

    24cb89501f0212ff3095ecc0aba97dd563718fb1

    SHA256

    6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507

    SHA512

    ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf

    Download Submit

  • memory/1196-17-0x0000000004C50000-0x0000000004D35000-memory.dmp

    Filesize

    916KB

    Download

  • memory/1196-29-0x00000000051B0000-0x0000000005258000-memory.dmp

    Filesize

    672KB

    Download

  • memory/1196-27-0x00000000051B0000-0x0000000005258000-memory.dmp

    Filesize

    672KB

    Download

  • memory/1196-26-0x00000000051B0000-0x0000000005258000-memory.dmp

    Filesize

    672KB

    Download

  • memory/2664-18-0x0000000000460000-0x0000000000545000-memory.dmp

    Filesize

    916KB

    Download

  • memory/2664-16-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2664-10-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/2836-21-0x0000000000200000-0x0000000000206000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2836-20-0x0000000000200000-0x0000000000206000-memory.dmp

    Filesize

    24KB

    Download

  • memory/3028-0-0x0000000000400000-0x0000000000A23000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3028-15-0x0000000000400000-0x0000000000A23000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3060-12-0x0000000000400000-0x00000000004C0000-memory.dmp

    Filesize

    768KB

    Download

  • memory/3060-9-0x0000000000290000-0x0000000000291000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3060-7-0x0000000000270000-0x000000000027D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/3060-6-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

    Download