Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-12-2024 19:44

General

  • Target

    ceb305646f9a8229ff55bf26432eb527_JaffaCakes118.msi

  • Size

    532KB

  • MD5

    ceb305646f9a8229ff55bf26432eb527

  • SHA1

    247ff878939c7ca96db9715afc03e5032c143909

  • SHA256

    e9eee1a0652b7aeb0e816ad27e45d791d5d2e576d7f57833f0de46bc1c651a0e

  • SHA512

    c7bd25a68c8344b2315ab3bcd7ba6741cdd93cad3a63274c6a65f727ed5ea5e11bae10db1e88b9e3687cc08736488c3d47375a11514dd5e541cb26e048fab4d3

  • SSDEEP

    6144:QES4fnuEgmu4ZVKgCV7PKgJSbMw2D7PIDAtVsEHoALjYKmFe3l/H9m7u:QErfng6VKgCV7PKQUSD7w2CvKmelk

Malware Config

Extracted

  • Family
    formbook
  • Version
    3.9
  • Campaign
    le

Decoy


Signatures

  • Formbook

    Formbook is an information-stealing malware family that harvests credentials and other data from the infected host.

  • Formbook family
  • Formbook payload 3 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 8 IoCs
  • Executes dropped EXE 2 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 56 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3524
    • C:\Windows\system32\msiexec.exe
      msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ceb305646f9a8229ff55bf26432eb527_JaffaCakes118.msi
      2⤵
      • Enumerates connected drives
      • Event Triggered Execution: Installer Packages
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:2108
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
        PID:824
      • C:\Windows\SysWOW64\help.exe
        "C:\Windows\SysWOW64\help.exe"
        2⤵
        • Adds policy Run key to start application
        • Suspicious use of SetThreadContext
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:3732
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Windows\Installer\MSIB4CA.tmp"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:3412
        • C:\Windows\SysWOW64\cmd.exe
          /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
          3⤵
          • System Location Discovery: System Language Discovery
          PID:4616
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      1⤵
      • Enumerates connected drives
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2224
      • C:\Windows\system32\srtasks.exe
        C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2232
      • C:\Windows\Installer\MSIB4CA.tmp
        "C:\Windows\Installer\MSIB4CA.tmp"
        2⤵
        • Suspicious use of SetThreadContext
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3420
        • C:\Windows\Installer\MSIB4CA.tmp
          "C:\Windows\Installer\MSIB4CA.tmp"
          3⤵
          • Suspicious use of SetThreadContext
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:2648
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:2516

    Downloads

    • C:\Config.Msi\e57b384.rbs

      Filesize

      663B

      MD5

      a1d8a78225d9e9c73034e7f83e453973

      SHA1

      eec1def0ee1dc230046f9f01eb47d0156560f5d4

      SHA256

      82b70b6754bd65bf7153703b5e02873411954046192596aaf27adfca53a297aa

      SHA512

      ef1b7c45cd6c2bbddd74444fe2c7bfe621c46f427238396c87fb3b1a7c84919784b973d6fddd0c21053fe2e03d53b2b3f15f41aa4ebdff1a563a8ae17104cc2d

    • C:\Users\Admin\AppData\Local\Temp\DB1

      Filesize

      40KB

      MD5

      a182561a527f929489bf4b8f74f65cd7

      SHA1

      8cd6866594759711ea1836e86a5b7ca64ee8911f

      SHA256

      42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

      SHA512

      9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

    • C:\Users\Admin\AppData\Roaming\K0N5OPPE\K0Nlogim.jpeg

      Filesize

      75KB

      MD5

      901511e618005bbfb8fdc3a19e7134ac

      SHA1

      1cb4804bd7dbfb74621ae08751e5eb7352fc7afb

      SHA256

      d0e600dcd9036261c4106293df918adf2fa6335a5a4e98d9498f3c178269599d

      SHA512

      bc36a1383622a21a99f0b330facb15daa21626a05727e41708e9ae5b2ae06a6c829307d686cfd60425a40234bcee42143b72a24b2b8b32cbe38217c35e1e9d00

    • C:\Users\Admin\AppData\Roaming\K0N5OPPE\K0Nlogrg.ini

      Filesize

      38B

      MD5

      4aadf49fed30e4c9b3fe4a3dd6445ebe

      SHA1

      1e332822167c6f351b99615eada2c30a538ff037

      SHA256

      75034beb7bded9aeab5748f4592b9e1419256caec474065d43e531ec5cc21c56

      SHA512

      eb5b3908d5e7b43ba02165e092f05578f45f15a148b4c3769036aa542c23a0f7cd2bc2770cf4119a7e437de3f681d9e398511f69f66824c516d9b451bb95f945

    • C:\Users\Admin\AppData\Roaming\K0N5OPPE\K0Nlogri.ini

      Filesize

      40B

      MD5

      d63a82e5d81e02e399090af26db0b9cb

      SHA1

      91d0014c8f54743bba141fd60c9d963f869d76c9

      SHA256

      eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

      SHA512

      38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

    • C:\Users\Admin\AppData\Roaming\K0N5OPPE\K0Nlogrv.ini

      Filesize

      872B

      MD5

      bbc41c78bae6c71e63cb544a6a284d94

      SHA1

      33f2c1d9fa0e9c99b80bc2500621e95af38b1f9a

      SHA256

      ee83c6bcea9353c74bfc0a7e739f3c4a765ace894470e09cdcdebba700b8d4cb

      SHA512

      0aea424b57adae3e14ad6491cab585f554b4dffe601b5a17bad6ee6177d2f0f995e419cde576e2d1782b9bddc0661aada11a2c9f1454ae625d9e3223635ec9f4

    • C:\Windows\Installer\MSIB4CA.tmp

      Filesize

      508KB

      MD5

      62feb8bc6bd67f1199dc35696bb84e17

      SHA1

      ab8a6abd103d3a430d5f8e91e74feead5da02ece

      SHA256

      7591e80ee7d1f219d8472cc16d504a5df94a336d510b714f10a4ae79531d5368

      SHA512

      3ffd066cef30ca363a5e47277411379e41753dd5a6cd30c1f1a7019ebaa7b35ebe52b358750dfb114d21777c5c7b3d2b251b989cce17b4046aa22b0162047141

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

      Filesize

      24.1MB

      MD5

      d22bb5132f29ede5229f6762fa32b939

      SHA1

      93bfe6ccf8398dc94e2ddc6cd1189121d509cf7a

      SHA256

      49ceca6196b16ab5c89af20de87f5f81004faaa01fe04a6364c875e1a66ae879

      SHA512

      3a2168661799059e64735f03e39cc323731a001e9b30f29c2556c02024415c1fd11faff008e0105e7585fb81404caf11aea44012a8e14f1c3545475c6a6d7ce2

    • \??\Volume{f9c79713-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{15e063c9-01fc-42fd-b7aa-659d320d88ec}_OnDiskSnapshotProp

      Filesize

      6KB

      MD5

      64fe3c2067ef3b026e1ceff30ba19c8e

      SHA1

      17bdc01a2ee8cf9ab629535dece39b65506beb1d

      SHA256

      42fb36706b4e7abc7de18583d527dba66baf448bf9683fee3ee6d10e32f975e4

      SHA512

      bee1b8a47194e5e16f9b130b4ebc279846fb3a514533d84b06755eced2a2020c79b661209b3566f7caa7d7c137da1acfbbf9b00eb14fa0c280d762b5bd0bb8ef

    • memory/2648-32-0x0000000000400000-0x000000000042A000-memory.dmp

      Filesize

      168KB

    • memory/2648-31-0x0000000000400000-0x000000000042A000-memory.dmp

      Filesize

      168KB

    • memory/2648-15-0x0000000000400000-0x000000000042A000-memory.dmp

      Filesize

      168KB

    • memory/3524-37-0x00000000043C0000-0x0000000004470000-memory.dmp

      Filesize

      704KB

    • memory/3732-34-0x0000000000C10000-0x0000000000C17000-memory.dmp

      Filesize

      28KB