Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    26-11-2024 11:52

General

  • Target

    a1c4645815d0ab06831f62042cfa0da0_JaffaCakes118.exe

  • Size

    1.5MB

  • MD5

    a1c4645815d0ab06831f62042cfa0da0

  • SHA1

    e3ce2d0fc9bd18ab30d589f052edce9ca410f2ee

  • SHA256

    a03ebb1ad2450b07206923043ad865cb83e1d4798a9273704a9626854fd17399

  • SHA512

    a34d0c18b833f36e0698e2396270a43ed93d5d2839fa94753ad5fa4e4bf9ec8ecfb3d38f17c0384f30dde1d838c1cf462a40f14da8f430788e5e51cd0162e020

  • SSDEEP

    24576:4SZIpRCJh5KhAEoaPMRfyT43jJ3cYp9KnZZS5R0:ApR0cjoaPM5yCJ3ck923B

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

nff

Decoy

shinseikai.site

creditmystartup.com

howtovvbucks.com

betterfromthebeginning.com

oubacm.com

stonalogov.com

gentrypartyof8.com

cuesticksandsupplies.com

joelsavestheday.com

llanobnb.com

ecclogic.com

miempaque.com

cai23668.com

miscdr.net

twzhhq.com

bloomandbrewcafe.com

angcomleisure.com

mafeeboutique.com

300coin.club

brooksranchhomes.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

  • Formbook family
  • Formbook payload 1 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a1c4645815d0ab06831f62042cfa0da0_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a1c4645815d0ab06831f62042cfa0da0_JaffaCakes118.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1628
    • C:\Users\Admin\AppData\Local\Temp\a1c4645815d0ab06831f62042cfa0da0_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\a1c4645815d0ab06831f62042cfa0da0_JaffaCakes118.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2648

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1628-6-0x0000000005480000-0x0000000005522000-memory.dmp

    Filesize

    648KB

  • memory/1628-0-0x000000007424E000-0x000000007424F000-memory.dmp

    Filesize

    4KB

  • memory/1628-2-0x0000000074240000-0x000000007492E000-memory.dmp

    Filesize

    6.9MB

  • memory/1628-3-0x0000000000260000-0x000000000027E000-memory.dmp

    Filesize

    120KB

  • memory/1628-4-0x000000007424E000-0x000000007424F000-memory.dmp

    Filesize

    4KB

  • memory/1628-5-0x0000000074240000-0x000000007492E000-memory.dmp

    Filesize

    6.9MB

  • memory/1628-1-0x0000000000980000-0x0000000000B0A000-memory.dmp

    Filesize

    1.5MB

  • memory/1628-7-0x00000000005D0000-0x0000000000604000-memory.dmp

    Filesize

    208KB

  • memory/1628-14-0x0000000074240000-0x000000007492E000-memory.dmp

    Filesize

    6.9MB

  • memory/2648-9-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2648-8-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2648-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2648-13-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/2648-15-0x0000000000B10000-0x0000000000E13000-memory.dmp

    Filesize

    3.0MB