Overview

overview

10

Static

static

3

4372c18fbe...18.exe

windows7-x64

10

4372c18fbe...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    14-05-2024 22:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4372c18fbe734ef31fffe8fbde52adda_JaffaCakes118.exe

  • Size

    355KB

  • MD5

    4372c18fbe734ef31fffe8fbde52adda

  • SHA1

    4b65e3ea741ba115088ffd0915e7f1963c4d91bc

  • SHA256

    f5fa18d39f0b842d6a142a8c6da920bc494e880b5909b196fa68e7e6ffe4604c

  • SHA512

    f906dfc4ae493b57c974770b1f2dc9d00a1c8a69e1e1eb625ef5eecc67fb385b1b68d4d0547d2aa6a195b4a6a4348a3919338d41511e9f83e9b243fd14e182d9

  • SSDEEP

    6144:l9m82gw6NuqWzgETzScJHGfX80mzZPN/Wbt/jOXTTwhA4rdr:XKSuqWqcJmf8FxhWFjOXvkr

Score
10/10
formbookzgratpoagilenetratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

po

Decoy

toptravelbox.com

564manbetx.com

rainmakerfreedom.com

caobi954.com

vananhhandmade.com

reisengeniessen.net

milan000.com

opebet181.com

betshoppersparadise.com

zersenengineering.com

www4021166.com

itgifbhfhfg.online

wagertoken.com

casinomansions.net

gabiethiagomendes.com

com-services-secure-id.info

workdigitalmarketing.com

housesforcashpros.link

redsealdigital.com

hj1986.com

Signatures

  • Detect ZGRat V1 1 IoCs
  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Formbook payload 1 IoCs
    rat
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4372c18fbe734ef31fffe8fbde52adda_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4372c18fbe734ef31fffe8fbde52adda_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2524
    • C:\Users\Admin\AppData\Local\Temp\4372c18fbe734ef31fffe8fbde52adda_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\4372c18fbe734ef31fffe8fbde52adda_JaffaCakes118.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2644

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2524-0-0x000000007406E000-0x000000007406F000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2524-1-0x0000000000360000-0x00000000003C2000-memory.dmp
    Filesize

    392KB

    Download
  • memory/2524-2-0x0000000000620000-0x0000000000680000-memory.dmp
    Filesize

    384KB

    Download
  • memory/2524-3-0x00000000001F0000-0x000000000021C000-memory.dmp
    Filesize

    176KB

    Download
  • memory/2524-4-0x0000000074060000-0x000000007474E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2524-5-0x000000007406E000-0x000000007406F000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2524-6-0x0000000074060000-0x000000007474E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2524-7-0x0000000074060000-0x000000007474E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2524-9-0x0000000074060000-0x000000007474E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2644-8-0x0000000000400000-0x000000000042A000-memory.dmp
    Filesize

    168KB

    Download
  • memory/2644-10-0x00000000009E0000-0x0000000000CE3000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/2644-11-0x00000000009E0000-0x0000000000CE3000-memory.dmp
    Filesize

    3.0MB

    Download