Overview

overview

10

Static

static

3

b7d81877ee...18.exe

windows7-x64

10

b7d81877ee...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    02-12-2024 08:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b7d81877eeba60cdaee88287d4dfc1a7_JaffaCakes118.exe

  • Size

    1.5MB

  • MD5

    b7d81877eeba60cdaee88287d4dfc1a7

  • SHA1

    5c7a31f06e48760e3da5900b8bc8e5d2088933e5

  • SHA256

    8eb59f34b6e1c465b4b3c45402ed8d59fc136f024fe97d0cdf94f3c22dc20cb0

  • SHA512

    2dd5843889df3f3abbf93d2eddc43f2480be2eb16a549eeadd0f83df358248dbee593240206423321f5bae2b1eb94c7e4c62721cdd956dac89a60bb099fa8def

  • SSDEEP

    12288:+71CB0/uBEPbhrhi6l+jd7d/hiBnaLHgwBKanOLoejK9ufY/Zd8wzQ6H+Uy1Susj:CeGN1sjknKrBbOLoeUuQZOFZZS5R0

Score
10/10
formbookxgmidiscoveryevasionexecutionratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

xgmi

Decoy

ivouty.icu

bgilroy.com

dgden.com

grosse-schware.com

mandos.tech

deedv.com

the724lab.com

dulcepicor.com

cupsandkids.com

albertafutsal.com

ponthierandson.com

tiendaewin.com

200garden.com

f9753.com

cognitivehearingspecialist.com

pikypets.com

dimestorecowgirlscompany.com

reefervannetwork.com

umf2.com

yoniwater.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook family
    formbook
  • Formbook payload 3 IoCs
    rat
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1184
      • C:\Users\Admin\AppData\Local\Temp\b7d81877eeba60cdaee88287d4dfc1a7_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\b7d81877eeba60cdaee88287d4dfc1a7_JaffaCakes118.exe"
        2⤵
        • Looks for VirtualBox Guest Additions in registry
        • Looks for VMWare Tools registry key
        • Checks BIOS information in registry
        • Maps connected drives based on registry
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2872
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\b7d81877eeba60cdaee88287d4dfc1a7_JaffaCakes118.exe"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1656
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GKcqhLBL.exe"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1392
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GKcqhLBL" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2B54.tmp"
          3⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:2660
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GKcqhLBL.exe"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2604
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          3⤵
            PID:2928
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            3⤵
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2388
            • C:\Windows\SysWOW64\autoconv.exe
              "C:\Windows\SysWOW64\autoconv.exe"
              4⤵
                PID:2012
              • C:\Windows\SysWOW64\autoconv.exe
                "C:\Windows\SysWOW64\autoconv.exe"
                4⤵
                  PID:1064
                • C:\Windows\SysWOW64\autoconv.exe
                  "C:\Windows\SysWOW64\autoconv.exe"
                  4⤵
                    PID:2244
                  • C:\Windows\SysWOW64\autoconv.exe
                    "C:\Windows\SysWOW64\autoconv.exe"
                    4⤵
                      PID:2224
                    • C:\Windows\SysWOW64\autoconv.exe
                      "C:\Windows\SysWOW64\autoconv.exe"
                      4⤵
                        PID:2424
                      • C:\Windows\SysWOW64\autoconv.exe
                        "C:\Windows\SysWOW64\autoconv.exe"
                        4⤵
                          PID:1944
                        • C:\Windows\SysWOW64\autoconv.exe
                          "C:\Windows\SysWOW64\autoconv.exe"
                          4⤵
                            PID:1936
                          • C:\Windows\SysWOW64\autoconv.exe
                            "C:\Windows\SysWOW64\autoconv.exe"
                            4⤵
                              PID:660
                            • C:\Windows\SysWOW64\autoconv.exe
                              "C:\Windows\SysWOW64\autoconv.exe"
                              4⤵
                                PID:752
                              • C:\Windows\SysWOW64\cmd.exe
                                "C:\Windows\SysWOW64\cmd.exe"
                                4⤵
                                • Suspicious use of SetThreadContext
                                • System Location Discovery: System Language Discovery
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious behavior: MapViewOfSection
                                • Suspicious use of AdjustPrivilegeToken
                                • Suspicious use of WriteProcessMemory
                                PID:2392
                                • C:\Windows\SysWOW64\cmd.exe
                                  /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                  5⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:1812

                        Network

                        MITRE ATT&CK Enterprise v15

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\AppData\Local\Temp\tmp2B54.tmp
                          Filesize

                          1KB

                          MD5

                          15c227c590e426c2430dcc8e51a1e3fc

                          SHA1

                          4e6802cebb7333756d1fc731a1a1157f86aa505f

                          SHA256

                          0866521acd49996758bf7c9c079f98e83b04217c92844da3a76b6fa8d85de3b4

                          SHA512

                          f42e817cd2ab824e183a771e730f324cadeb625d1e81ddc537f61074214317d1910a1a19a791b0623523a72b493ab67adb1dba5843f618e75047a02565dd700c

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
                          Filesize

                          7KB

                          MD5

                          1e2896a48399b67af22c94837aa67cc3

                          SHA1

                          9f16a1a96b12e567d8f07d659f0872f45277c569

                          SHA256

                          dcd75947dad35f8e253b7de61c1a2da141fb7eb447f411365df27384b79da8d1

                          SHA512

                          16413bb340e3b6ac98f594292f3df4f12626366429d38f31fcdb831cf1e08dab34baf8f143ab3a80fa5aa473c892e96da6ca91e2cf229c576d12c5c2df83447b

                          Download Submit

                        • memory/2388-27-0x0000000000400000-0x000000000042E000-memory.dmp

                          Filesize

                          184KB

                          Download

                        • memory/2388-30-0x0000000000400000-0x000000000042E000-memory.dmp

                          Filesize

                          184KB

                          Download

                        • memory/2388-33-0x0000000000400000-0x000000000042E000-memory.dmp

                          Filesize

                          184KB

                          Download

                        • memory/2388-25-0x0000000000400000-0x000000000042E000-memory.dmp

                          Filesize

                          184KB

                          Download

                        • memory/2388-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/2392-35-0x0000000000080000-0x00000000000AE000-memory.dmp

                          Filesize

                          184KB

                          Download

                        • memory/2392-34-0x000000004A9B0000-0x000000004A9FC000-memory.dmp

                          Filesize

                          304KB

                          Download

                        • memory/2872-1-0x00000000002C0000-0x0000000000450000-memory.dmp

                          Filesize

                          1.6MB

                          Download

                        • memory/2872-3-0x0000000000510000-0x000000000052E000-memory.dmp

                          Filesize

                          120KB

                          Download

                        • memory/2872-2-0x0000000074520000-0x0000000074C0E000-memory.dmp

                          Filesize

                          6.9MB

                          Download

                        • memory/2872-0-0x000000007452E000-0x000000007452F000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/2872-7-0x0000000001F40000-0x0000000001F74000-memory.dmp

                          Filesize

                          208KB

                          Download

                        • memory/2872-31-0x0000000074520000-0x0000000074C0E000-memory.dmp

                          Filesize

                          6.9MB

                          Download

                        • memory/2872-6-0x00000000056F0000-0x0000000005794000-memory.dmp

                          Filesize

                          656KB

                          Download

                        • memory/2872-5-0x0000000074520000-0x0000000074C0E000-memory.dmp

                          Filesize

                          6.9MB

                          Download

                        • memory/2872-4-0x000000007452E000-0x000000007452F000-memory.dmp

                          Filesize

                          4KB

                          Download