Analysis
-
max time kernel
95s -
max time network
135s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
28-11-2024 08:28
General
-
Target
abab9797200c25f60d745d3687bec461_JaffaCakes118.exe
-
Size
1.5MB
-
MD5
abab9797200c25f60d745d3687bec461
-
SHA1
0c0f500ca55d81df716f1bb40ea2c9d0c747b6c3
-
SHA256
596f80f5d1291658025f890159518fcabbfb1b9500187b237fe68eb01f6f59cb
-
SHA512
9d397c970424f9eb3b403cf109ff6a2726474ebe0ca8335346db13856535867be6732d13cde4e587f4619daefcad34ff7ba5df2062efe59cfffe14b8b9951ec6
-
SSDEEP
12288:jBiZV1lP0f839UGayJ+UkfYITPdW+Ey9jYBvfe1/w/KgQ6H+Uy1Susr8MmH3jH:onl0f8tUGajlLc+t9jYa/wsZZS5R0
Malware Config
Extracted
formbook
4.1
owt8
globalstainlesssteel.com
bentleymichaels.com
svproductiveparents.com
vikinger.one
kiarabrunett.com
lakelandchiefs.com
kickzcity.com
ceroestrespma.com
torchfarmer.com
angelie26.com
pekinggardenonlineorder.com
brooklynrealtynow.com
makaroniwino.com
wiresncircuits.com
vwealth-archive.com
anfang1718.com
sahaconcierge.com
rctuition.com
premiercovidscreening.com
ryl3inc.com
Signatures
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Formbook family
-
Formbook payload 1 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\abab9797200c25f60d745d3687bec461_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\abab9797200c25f60d745d3687bec461_JaffaCakes118.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\abab9797200c25f60d745d3687bec461_JaffaCakes118.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\owoHOIwtKqhcf.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\owoHOIwtKqhcf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6A3E.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\owoHOIwtKqhcf.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\abab9797200c25f60d745d3687bec461_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\abab9797200c25f60d745d3687bec461_JaffaCakes118.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD53d086a433708053f9bf9523e1d87a4e8
SHA1b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA2566f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
Filesize
18KB
MD5e7bafd3bdd48d742460a98a285bb401f
SHA11cde539addbeb89cad1e2f85acc2ef26f259e63f
SHA2564d30f9a33894911d3e128ad2eabf02955d0e85ae813232678024ec2b8054a69a
SHA512df346f494e64705277996ff7eaee257d040803df466f2c3aadb126f8eb14d325a6e0436b9035a3ae6d9147c1aacd0db97a35cb80f1a09dc5d2d3227c0a71459a
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD586cec3e84da422201e48fce15c50732c
SHA10c74e2173c77070a9ca05a10f7f8e9b2a90ec6d5
SHA25667e11e11ea8292dafba54348227fc3ae07eb6ac55f235ab0df5f40935a51cbda
SHA512432bc29caa6f1799b3f84eb11dc7f11699987321071324659e0fd8f15106bdfb024448fd084b588b9011fce5e2573131981968dd066d376524a6b52fc8bbbeb8
-
Filesize
304KB
-
Filesize
4KB
-
Filesize
408KB
-
Filesize
120KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
656KB
-
Filesize
208KB
-
Filesize
584KB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
1.6MB
-
Filesize
5.6MB
-
Filesize
624KB
-
Filesize
56KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
80KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
7.7MB
-
Filesize
200KB
-
Filesize
652KB
-
Filesize
304KB
-
Filesize
184KB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
40KB
-
Filesize
600KB
-
Filesize
408KB
-
Filesize
68KB
-
Filesize
136KB
-
Filesize
6.2MB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
216KB
-
Filesize
7.7MB