Analysis

  • max time kernel
    146s
  • max time network
    132s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    18-06-2024 12:58

General

  • Target

    bc0ef9408fc18184938d89d695f8fb2b_JaffaCakes118.msi

  • Size

    468KB

  • MD5

    bc0ef9408fc18184938d89d695f8fb2b

  • SHA1

    e6198d3ab82269f4d4c6309c918330190dcf693c

  • SHA256

    6698735d635bc7b991236e31da603fd2f08cb9c2e41fbc8c0aed7efbdf63f9a7

  • SHA512

    9397077dd2388af14a39aad7191ad05e0f9a40faea7e44ea879a56bd44da3a5fbbcaa2792486c145d1166f9fd8dbf8c2ee47803221758c07b6634822f4eb65db

  • SSDEEP

    6144:QEsI1tKVCRk4tywG4JSW2H79BKZ2RLHVIgFXAExTAvVSMfGdZ1z:QESVp4tyJ4YH7q2QNE+NNfGd

Malware Config

Extracted

  • Family
    formbook
  • Version
    3.8
  • Campaign
    he
  • Decoy
    ajnonline.info
    marpolos.com
    lzj97.com
    meijiatp.com
    soyoung-dongha.com
    arrambideabogados.com
    tannor.net
    f1yc33j0wmn.biz
    geboooth.com
    battery365.net
    nu-entry.com
    obaldo.net
    downstreamlatam.com
    belkysfloral.net
    chwaimai.com
    winningpowermomentum.com
    transitiontomedicare.net
    creationglobalcrew.com
    mimtechs.com
    indianplesur.com

Signatures

  • Formbook

    Formbook is a data-stealing malware family.

  • Formbook payload 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 10 IoCs
  • Executes dropped EXE 1 IoCs
  • Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of UnmapMainImage 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1216
    • C:\Windows\system32\msiexec.exe
      msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\bc0ef9408fc18184938d89d695f8fb2b_JaffaCakes118.msi
      2⤵
      • Enumerates connected drives
      • Event Triggered Execution: Installer Packages
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:1436
    • C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\SysWOW64\svchost.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2144
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Installer\MSI51CA.tmp"
        3⤵
          PID:1080
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      1⤵
      • Enumerates connected drives
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2216
      • C:\Windows\Installer\MSI51CA.tmp
        "C:\Windows\Installer\MSI51CA.tmp"
        2⤵
        • Suspicious use of SetThreadContext
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of UnmapMainImage
        PID:1852
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2376
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "0000000000000000" "00000000000003A4" "00000000000003B4"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:2724

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Persistence
    Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
    Event Triggered Execution (T1546): 1
    Installer Packages (T1546.016): 1
  • Privilege Escalation
    Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
    Event Triggered Execution (T1546): 1
    Installer Packages (T1546.016): 1
  • Defense Evasion
    Modify Registry (T1112): 2
  • Discovery
    Query Registry (T1012): 1
    Peripheral Device Discovery (T1120): 1
    System Information Discovery (T1082): 1

Downloads

    • C:\Config.Msi\f764ff8.rbs
      Filesize

      663B

      MD5

      0450e1bc1a117a5dc35b62e875f89765

      SHA1

      511e1f780ad477d0e2844e42e8665ae3134076af

      SHA256

      eba0e21eea0eac7391abcf88b5089c42586916231d43fd526404477adca41fbb

      SHA512

      320856e10ba97e55cc37be95eab198cfca47f9f77651456280998503c7f52452c2473d7cc8a85b7d4207a1698b0338a88b6ea9c2f7f52338eb521cf217a843c8

    • C:\Users\Admin\AppData\Roaming\KMPQ8QRE\KMPlogim.jpeg
      Filesize

      48KB

      MD5

      28b0caa99d8f46ff929a82dea3d0d39b

      SHA1

      b833ac4bea45a15375c40b4f601f4317812b9fdc

      SHA256

      6ec9116379abce0509e98a0e3b54516607c216906aa35669f92b0908104d11d6

      SHA512

      e54b54d662e4a5004efaaef966624e2852b84d996cc48a75ff1b1bb1fc05cb4b839a111ecd056ea05d2b061a531013f6def88bee2c3ca659d530246548d4983a

    • C:\Users\Admin\AppData\Roaming\KMPQ8QRE\KMPlogri.ini
      Filesize

      40B

      MD5

      d63a82e5d81e02e399090af26db0b9cb

      SHA1

      91d0014c8f54743bba141fd60c9d963f869d76c9

      SHA256

      eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

      SHA512

      38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

    • C:\Users\Admin\AppData\Roaming\KMPQ8QRE\KMPlogrv.ini
      Filesize

      40B

      MD5

      ba3b6bc807d4f76794c4b81b09bb9ba5

      SHA1

      24cb89501f0212ff3095ecc0aba97dd563718fb1

      SHA256

      6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507

      SHA512

      ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf

    • C:\Windows\Installer\MSI51CA.tmp
      Filesize

      444KB

      MD5

      8bb42084db7178d5ffdb46e18f3c5145

      SHA1

      4802f127244331df99aac017f6c7477164e93e04

      SHA256

      2aca1699f468bf5a56dd539cef66132e1b895882017f1cdd6da62459b7a1242f

      SHA512

      43fa5f59ea38675b1d807f3be9700e660c6cc235049a84cc4a97c7583036aa70b2a448651154a3db97d15a4f3741c98c14d1f06838c889a087f6809b970c74c7

    • memory/1216-17-0x0000000003CB0000-0x0000000003DB0000-memory.dmp
      Filesize

      1024KB

    • memory/1216-32-0x0000000004070000-0x000000000411F000-memory.dmp
      Filesize

      700KB

    • memory/1852-15-0x0000000000400000-0x000000000042A000-memory.dmp
      Filesize

      168KB

    • memory/1852-20-0x0000000000400000-0x000000000042A000-memory.dmp
      Filesize

      168KB

    • memory/2144-18-0x00000000003C0000-0x00000000003C8000-memory.dmp
      Filesize

      32KB