Analysis

  • max time kernel
    60s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-12-2024 04:33

General

  • Target

    fe740e7999ea046c611b6af048228301_JaffaCakes118.exe

  • Size

    846KB

  • MD5

    fe740e7999ea046c611b6af048228301

  • SHA1

    b11b855d1328255503fd2e3d86260293af0fef8a

  • SHA256

    e53afd0b5fd432a725fce3ee514f9bf7e58b54b06c096640c0672faf7eb209b5

  • SHA512

    c6eef694077d945c92dab79d1f99b349d71fa65f0a9dbece5a86f9e400e85c9c6b0ffd8d2236e4cde1ab97728762262bc6e2272a33e9f561418d3c56ce16f617

  • SSDEEP

    24576:AAsnEguXVgHgteHLHyLWf6A1Ti2KIzoGsrq34MeWjc:3tFWfV4MeWj

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

qg0x

Decoy

guruguyd.com

martiallawtcg.com

minervamerch.com

websiteseotools.net

productionsrassembleurs.com

tarcanlaroto.com

zoloftmusic.com

waseet.club

mtelphinstonemasonicsociety.com

indertechstore.com

iostdefi.net

juxrams.info

magwearhouse.com

ellerey.com

jointhekkk.com

wednesdaytravel.com

nineban.icu

westcoastk95.com

parkcityruthschris.com

monicarodri.design

Signatures

  • Formbook

    Formbook is an information-stealing malware family.

  • Formbook family
  • Formbook payload 1 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fe740e7999ea046c611b6af048228301_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\fe740e7999ea046c611b6af048228301_JaffaCakes118.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1084
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\fe740e7999ea046c611b6af048228301_JaffaCakes118.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2916
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hfeCcdsnBnrre.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2304
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hfeCcdsnBnrre" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9953.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:1572
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hfeCcdsnBnrre.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1260
    • C:\Users\Admin\AppData\Local\Temp\fe740e7999ea046c611b6af048228301_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\fe740e7999ea046c611b6af048228301_JaffaCakes118.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1692

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp9953.tmp

    Filesize

    1KB

    MD5

    28f99a246822d4a3b45f46b91fb89f69

    SHA1

    64c971880cb81c4995f547815a198d1a3572ff09

    SHA256

    9e4322fb720c22960f75bb91cf309a86d45d28835e12718650758a2fc17662a3

    SHA512

    b7b7d9e63d9a3aa72dea76889c2aef5ee6985fb387b9c2449ed07c00f64a71b262db724c04b7d2724a99c8197e9c7aac08aa87d8e06e9b950cd6fe04e5b49cec

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    35afbed0637fbcca78a49b295dda99a3

    SHA1

    c4df1a0ccce3eed8bc55d3948746c4c049ed0e65

    SHA256

    9e42c8d036703af9a93442bb70b90a0b192eaf365731d519bf61fb6ab629ccf2

    SHA512

    c768d24a0427c857a19dc9a584436bf8594eae6c39d5e608accc93bb314d10baee5d1a3f288b1ce7d5374c4e107ee4f769859248cc8efc245c6f01912f58cb23

  • memory/1084-8-0x00000000009F0000-0x0000000000A24000-memory.dmp

    Filesize

    208KB

  • memory/1084-2-0x0000000001240000-0x00000000012DE000-memory.dmp

    Filesize

    632KB

  • memory/1084-4-0x0000000000900000-0x0000000000916000-memory.dmp

    Filesize

    88KB

  • memory/1084-5-0x00000000744EE000-0x00000000744EF000-memory.dmp

    Filesize

    4KB

  • memory/1084-6-0x00000000744E0000-0x0000000074BCE000-memory.dmp

    Filesize

    6.9MB

  • memory/1084-7-0x000000000D370000-0x000000000D412000-memory.dmp

    Filesize

    648KB

  • memory/1084-0-0x00000000744EE000-0x00000000744EF000-memory.dmp

    Filesize

    4KB

  • memory/1084-3-0x00000000744E0000-0x0000000074BCE000-memory.dmp

    Filesize

    6.9MB

  • memory/1084-1-0x0000000001330000-0x000000000140A000-memory.dmp

    Filesize

    872KB

  • memory/1084-28-0x00000000744E0000-0x0000000074BCE000-memory.dmp

    Filesize

    6.9MB

  • memory/1692-26-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/1692-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/1692-23-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/1692-21-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB