formbook | b75d52e883034848f4e22ae6a13d42cb6bc85dce0dd524572c9d9ba1a81f9ca1

General

Target

01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe
Size

570KB
MD5

01863136c202a0df665d3c05549f6f0f
SHA1

3c7491155a98d6a50e54f0ded6b6acf95e7e0eb8
SHA256

b75d52e883034848f4e22ae6a13d42cb6bc85dce0dd524572c9d9ba1a81f9ca1
SHA512

6c24a8676b5fd3d369a71660e7787c490e017378bfc6a0d3548c76d9910b7302c72df0628e513d1f75ceee0559b3b28824d5ee748e506099d25b7f120e972476
SSDEEP

6144:hmpz5hiNU5PRLGGTxcwQbyc8DdgiJdBL2nFeIOl8V6IghYNmnTV+WEZ4Z+YirYP2:hzaPtGkQbaDdbDBL2JW8II9WEifsSJo

Score

10^/10

formbook gd3e rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gd3e

Decoy

losfesdffewfdskokoka11.xyz

aspenroofingel.net

mlstrategygroup.com

breakaway.asia

gzmx3.com

dronesadvise.com

bitmain.discount

lifestylekenya.com

dragonfly-road.store

rumbaughrecruiting.com

tarimech.com

starmcb.com

xn--kfz-schlsseldienst-t6b.com

eqgiftshop.com

regionsi.com

bonsainer.com

guideofguardians.com

orlv7x.icu

xemnha100.com

thelupinlady.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2576-18-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe

description	pid	process	target process
PID 2364 set thread context of 2576	2364	01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe	01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2708 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe

pid process

2364 01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe
2576 01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 2364 01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe

pid	process
2708	schtasks.exe

pid	process
2364	01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe
2576	01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2364	01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sPsWoUxI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp92DD.tmp"
2⤵
- Creates scheduled task(s)
PID:2708

C:\Users\Admin\AppData\Local\Temp\01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe"
2⤵
PID:2584

C:\Users\Admin\AppData\Local\Temp\01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2576

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2364-6-0x00000000046E0000-0x0000000004738000-memory.dmp

Filesize
352KB

Download
memory/2364-1-0x00000000748B0000-0x0000000074F9E000-memory.dmp

Filesize
6.9MB

Download
memory/2364-2-0x00000000072F0000-0x0000000007330000-memory.dmp

Filesize
256KB

Download
memory/2364-3-0x00000000003C0000-0x00000000003CE000-memory.dmp

Filesize
56KB

Download
memory/2364-4-0x00000000748B0000-0x0000000074F9E000-memory.dmp

Filesize
6.9MB

Download
memory/2364-5-0x00000000072F0000-0x0000000007330000-memory.dmp

Filesize
256KB

Download
memory/2364-0-0x0000000000100000-0x0000000000194000-memory.dmp

Filesize
592KB

Download
memory/2364-19-0x00000000748B0000-0x0000000074F9E000-memory.dmp

Filesize
6.9MB

Download
memory/2576-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2576-14-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2576-18-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2576-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2576-20-0x00000000009C0000-0x0000000000CC3000-memory.dmp

Filesize
3.0MB

Download

description	pid	process	target process
PID 2364 wrote to memory of 2708	2364	01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe	schtasks.exe
PID 2364 wrote to memory of 2708	2364	01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe	schtasks.exe
PID 2364 wrote to memory of 2708	2364	01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe	schtasks.exe
PID 2364 wrote to memory of 2708	2364	01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe	schtasks.exe
PID 2364 wrote to memory of 2584	2364	01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe	01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe
PID 2364 wrote to memory of 2584	2364	01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe	01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe
PID 2364 wrote to memory of 2584	2364	01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe	01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe
PID 2364 wrote to memory of 2584	2364	01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe	01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe
PID 2364 wrote to memory of 2576	2364	01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe	01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe
PID 2364 wrote to memory of 2576	2364	01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe	01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe
PID 2364 wrote to memory of 2576	2364	01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe	01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe
PID 2364 wrote to memory of 2576	2364	01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe	01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe
PID 2364 wrote to memory of 2576	2364	01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe	01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe
PID 2364 wrote to memory of 2576	2364	01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe	01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe
PID 2364 wrote to memory of 2576	2364	01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe	01863136c202a0df665d3c05549f6f0f_JaffaCakes118.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads