Overview

overview

10

Static

static

3

1b02b2110a...18.exe

windows7-x64

10

1b02b2110a...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    71s
  • max time network
    63s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-07-2024 10:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1b02b2110a83c75e00319da7df7f1ed3_JaffaCakes118.exe

  • Size

    507KB

  • MD5

    1b02b2110a83c75e00319da7df7f1ed3

  • SHA1

    01ca66b6bd83c1c4e9168767422815b327bfa2a2

  • SHA256

    6a0c21a5a37e307becd9ed9bdee0f3f41e3d1a61847a6e9ae272ec891d4f7728

  • SHA512

    93eee319549c963b9639a1bdf05f872e7834afdbd6fc7167cd40cb579e607e7b212c259cb8aae08190f0c827e0da448903a161f1ae98ee397c38afa8059ac2ce

  • SSDEEP

    12288:pSlQOcPTxF0cvmpJZIxXwWW2WiZnqrw+fuJptW+3e3miUZ:OKTxacvmPZIxjmiFqr/u1LUC

Score
10/10
formbookffwevasionratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ffw

Decoy

unmutedgenerations.com

localmoversuae.com

centralrea.com

geyyfphzoe.com

silverpackfactory.com

techtronixx.com

shop-deinen-deal.com

buehne.cloud

inspirefreedomtoday.com

chapelcouture.com

easton-taiwan.com

quanaonudep.store

merzigomusic.com

wpzoomin.com

service-lkytrsahdfpedf.com

yeasuc.com

mydogtrainingservice.com

galeribisnisonline.com

cscremodeling.com

bom-zzxx.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 1 IoCs
    rat
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1b02b2110a83c75e00319da7df7f1ed3_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1b02b2110a83c75e00319da7df7f1ed3_JaffaCakes118.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3560
    • C:\Users\Admin\AppData\Local\Temp\1b02b2110a83c75e00319da7df7f1ed3_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\1b02b2110a83c75e00319da7df7f1ed3_JaffaCakes118.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:224

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Discovery

Query Registry

4
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

2
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/224-13-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/224-16-0x0000000001160000-0x00000000014AA000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/3560-8-0x0000000005C80000-0x0000000005C8A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/3560-9-0x0000000074C8E000-0x0000000074C8F000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3560-4-0x0000000005A30000-0x0000000005AC2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/3560-7-0x0000000074C80000-0x0000000075430000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/3560-6-0x00000000059C0000-0x0000000005A16000-memory.dmp
    Filesize

    344KB

    Download
  • memory/3560-5-0x00000000058B0000-0x00000000058BA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/3560-0-0x0000000074C8E000-0x0000000074C8F000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3560-3-0x0000000005FE0000-0x0000000006584000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/3560-10-0x0000000074C80000-0x0000000075430000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/3560-11-0x0000000001940000-0x00000000019A2000-memory.dmp
    Filesize

    392KB

    Download
  • memory/3560-12-0x0000000005F60000-0x0000000005FC6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/3560-2-0x0000000005920000-0x00000000059BC000-memory.dmp
    Filesize

    624KB

    Download
  • memory/3560-15-0x0000000074C80000-0x0000000075430000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/3560-1-0x0000000000E70000-0x0000000000EF6000-memory.dmp
    Filesize

    536KB

    Download