Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    13-12-2024 07:50

General

  • Target

    ea9f9fc409b8e70415b11bfcf37e09e1_JaffaCakes118.exe

  • Size

    557KB

  • MD5

    ea9f9fc409b8e70415b11bfcf37e09e1

  • SHA1

    13fe23e9334428c7898657f094db5cb234000ac6

  • SHA256

    43391d3abc411fd3198710c32127898396759f1372ee99fb3aea8efd8e50d086

  • SHA512

    e1c78808853ed762730895295ec6e775287de98c4f797da134cc45315d9b3b67059f7e4b96ec9d6581f7545887b5cf566b12df9e894c657637601661edbd419f

  • SSDEEP

    12288:Ya2DLn2MOytQK+HUdA0Y56roAC+tgy/UbJs42AvTR9Tn2HW13A:ODq5ytQeSZaoW4xRJn2oA

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

z8bb

Decoy

bg0bpz.xyz

heelncheel.com

full-port.com

77se999.xyz

kentaa.xyz

nemsdumbloser.com

xn--par-tma.art

basculasonline.com

brt-cloud.com

ankesolutions.com

cappersacces.com

lessonsdrums.com

tastygentleman.com

yuzhou.plus

cursando-online.com

comfortzone-frankfurt.com

natesmining.com

logjec070.xyz

manualidadesencasa.net

rowdyravers.club

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

  • Formbook family
  • Formbook payload 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ea9f9fc409b8e70415b11bfcf37e09e1_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ea9f9fc409b8e70415b11bfcf37e09e1_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2616
    • C:\Users\Admin\AppData\Local\Temp\ea9f9fc409b8e70415b11bfcf37e09e1_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\ea9f9fc409b8e70415b11bfcf37e09e1_JaffaCakes118.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2220

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2220-8-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2220-15-0x00000000009E0000-0x0000000000CE3000-memory.dmp

    Filesize

    3.0MB

  • memory/2220-14-0x00000000009E0000-0x0000000000CE3000-memory.dmp

    Filesize

    3.0MB

  • memory/2220-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2220-12-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2220-9-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2616-3-0x0000000000640000-0x000000000064C000-memory.dmp

    Filesize

    48KB

  • memory/2616-7-0x0000000000710000-0x0000000000746000-memory.dmp

    Filesize

    216KB

  • memory/2616-6-0x0000000005DA0000-0x0000000005E0A000-memory.dmp

    Filesize

    424KB

  • memory/2616-5-0x00000000745A0000-0x0000000074C8E000-memory.dmp

    Filesize

    6.9MB

  • memory/2616-4-0x00000000745AE000-0x00000000745AF000-memory.dmp

    Filesize

    4KB

  • memory/2616-0-0x00000000745AE000-0x00000000745AF000-memory.dmp

    Filesize

    4KB

  • memory/2616-13-0x00000000745A0000-0x0000000074C8E000-memory.dmp

    Filesize

    6.9MB

  • memory/2616-2-0x00000000745A0000-0x0000000074C8E000-memory.dmp

    Filesize

    6.9MB

  • memory/2616-1-0x0000000000940000-0x00000000009D2000-memory.dmp

    Filesize

    584KB