formbook | b85055ab3db03b5496bcd19448c54dea594d8f44cc84d17f99cbf6cd9085fa2d

General

Target

fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe
Size

1.5MB
MD5

fa3f2124cf9b027ca2b8a04df5e27cc2
SHA1

be0968843e1654dd2a5b7f7085226188d9276276
SHA256

b85055ab3db03b5496bcd19448c54dea594d8f44cc84d17f99cbf6cd9085fa2d
SHA512

d40399ed1c72a3907ebd8697fba492da2e71728fb8bbeb39ad01bbbc6edb7931b3902d4782d815a18c4f313b2f2d1c1425da95be6a12a8d005a3506830311c83
SSDEEP

24576:0ZZS5R0pULbNWrOAJPidVEHMvx1vHYY1o:03BpvJPidV5vx1v

Score

10^/10

formbook upio evasion rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

upio

Decoy

thecantonmentcookhouse.com

1for1ecomask.com

thatvintagehome.com

momentbymomentmindfulness.com

denxmedia.com

arc-corner.com

siddharthmakharia.com

meiluk.com

toughu.com

hotelwisatabaru.com

ibluebelt3dbuy.com

bestfootwearhk.com

wbjobalerts.com

radiancenurestoringcleanse.com

xintianlongyeya.com

docauphuhau.com

liberty-furniture.com

ranchhousepizzaonline.com

bednhomes.com

kollakids.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1196-38-0x0000000000400000-0x000000000042E000-memory.dmp	formbook

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe

description	pid	process	target process
PID 2740 set thread context of 1196	2740	fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe	fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2628 schtasks.exe

pid	process
2628	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exefa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exepowershell.exefa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe

pid	process
2452	powershell.exe
2808	powershell.exe
2740	fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe
2740	fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe
1504	powershell.exe
1196	fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exefa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	2740	fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe
Token: SeDebugPrivilege	1504	powershell.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe

description	pid	process	target process
PID 2740 wrote to memory of 2452	2740	fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe	powershell.exe
PID 2740 wrote to memory of 2452	2740	fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe	powershell.exe
PID 2740 wrote to memory of 2452	2740	fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe	powershell.exe
PID 2740 wrote to memory of 2452	2740	fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe	powershell.exe
PID 2740 wrote to memory of 2808	2740	fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe	powershell.exe
PID 2740 wrote to memory of 2808	2740	fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe	powershell.exe
PID 2740 wrote to memory of 2808	2740	fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe	powershell.exe
PID 2740 wrote to memory of 2808	2740	fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe	powershell.exe
PID 2740 wrote to memory of 2628	2740	fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe	schtasks.exe
PID 2740 wrote to memory of 2628	2740	fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe	schtasks.exe
PID 2740 wrote to memory of 2628	2740	fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe	schtasks.exe
PID 2740 wrote to memory of 2628	2740	fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe	schtasks.exe
PID 2740 wrote to memory of 1504	2740	fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe	powershell.exe
PID 2740 wrote to memory of 1504	2740	fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe	powershell.exe
PID 2740 wrote to memory of 1504	2740	fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe	powershell.exe
PID 2740 wrote to memory of 1504	2740	fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe	powershell.exe
PID 2740 wrote to memory of 2176	2740	fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe	fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe
PID 2740 wrote to memory of 2176	2740	fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe	fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe
PID 2740 wrote to memory of 2176	2740	fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe	fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe
PID 2740 wrote to memory of 2176	2740	fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe	fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe
PID 2740 wrote to memory of 1196	2740	fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe	fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe
PID 2740 wrote to memory of 1196	2740	fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe	fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe
PID 2740 wrote to memory of 1196	2740	fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe	fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe
PID 2740 wrote to memory of 1196	2740	fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe	fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe
PID 2740 wrote to memory of 1196	2740	fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe	fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe
PID 2740 wrote to memory of 1196	2740	fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe	fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe
PID 2740 wrote to memory of 1196	2740	fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe	fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2452

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\YPSemDsygYqHl.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2808

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YPSemDsygYqHl" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF5E3.tmp"
2⤵
- Creates scheduled task(s)
PID:2628

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\YPSemDsygYqHl.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1504

C:\Users\Admin\AppData\Local\Temp\fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe"
2⤵
PID:2176

C:\Users\Admin\AppData\Local\Temp\fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fa3f2124cf9b027ca2b8a04df5e27cc2_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1196

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF5E3.tmp
Filesize
1KB

MD5
d85d0e3fef51a478e444a9315e30f7f8

SHA1
b00e3db5c4d8d3e107146f226aa6ece77f6d19f1

SHA256
9b5328e540bd768c78ec57ad406804b2e0a9ca032cdb670c8f944e0b60034884

SHA512
86cca1ec10ce04c6215fe36aaeedaa12252a93d808ca5be1f4d75763152dac2a1b1d7755559cdfc97aab0a8e55876e2a2f054dd436632a81a158a77b257a1014

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
fa65921e8342e084376cd366cc30661e

SHA1
e26a5320a10639ff6cc68c10ce7ba0c34a800856

SHA256
7d4f726da86942b24193492038025b32a4e42637248afe5edc5ccf576ed0e175

SHA512
62965d035fb32127cc9cfa8927890c8eb27e5cab6a0983c24cd4ab7b8a52a2220599811940b65d4aeed9bbfd7a88ac2c2df62e3d66df77a9b91aeef6f42060ec

Download Submit
memory/1196-39-0x00000000009B0000-0x0000000000CB3000-memory.dmp

Filesize
3.0MB

Download
memory/1196-38-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1196-29-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1196-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1196-30-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1504-48-0x000000006F780000-0x000000006FD2B000-memory.dmp

Filesize
5.7MB

Download
memory/1504-45-0x0000000002B00000-0x0000000002B40000-memory.dmp

Filesize
256KB

Download
memory/1504-44-0x0000000002B00000-0x0000000002B40000-memory.dmp

Filesize
256KB

Download
memory/1504-42-0x000000006F780000-0x000000006FD2B000-memory.dmp

Filesize
5.7MB

Download
memory/1504-40-0x000000006F780000-0x000000006FD2B000-memory.dmp

Filesize
5.7MB

Download
memory/1504-41-0x0000000002B00000-0x0000000002B40000-memory.dmp

Filesize
256KB

Download
memory/2452-16-0x0000000002B00000-0x0000000002B40000-memory.dmp

Filesize
256KB

Download
memory/2452-21-0x0000000002B00000-0x0000000002B40000-memory.dmp

Filesize
256KB

Download
memory/2452-22-0x0000000002B00000-0x0000000002B40000-memory.dmp

Filesize
256KB

Download
memory/2452-46-0x000000006F780000-0x000000006FD2B000-memory.dmp

Filesize
5.7MB

Download
memory/2452-27-0x000000006F780000-0x000000006FD2B000-memory.dmp

Filesize
5.7MB

Download
memory/2452-14-0x000000006F780000-0x000000006FD2B000-memory.dmp

Filesize
5.7MB

Download
memory/2740-43-0x0000000074B00000-0x00000000751EE000-memory.dmp

Filesize
6.9MB

Download
memory/2740-3-0x00000000004E0000-0x00000000004FE000-memory.dmp

Filesize
120KB

Download
memory/2740-0-0x0000000000070000-0x00000000001FA000-memory.dmp

Filesize
1.5MB

Download
memory/2740-2-0x00000000043B0000-0x00000000043F0000-memory.dmp

Filesize
256KB

Download
memory/2740-1-0x0000000074B00000-0x00000000751EE000-memory.dmp

Filesize
6.9MB

Download
memory/2740-7-0x0000000000700000-0x0000000000734000-memory.dmp

Filesize
208KB

Download
memory/2740-6-0x00000000058C0000-0x0000000005964000-memory.dmp

Filesize
656KB

Download
memory/2740-4-0x0000000074B00000-0x00000000751EE000-memory.dmp

Filesize
6.9MB

Download
memory/2740-5-0x00000000043B0000-0x00000000043F0000-memory.dmp

Filesize
256KB

Download
memory/2808-24-0x000000006F780000-0x000000006FD2B000-memory.dmp

Filesize
5.7MB

Download
memory/2808-23-0x0000000002830000-0x0000000002870000-memory.dmp

Filesize
256KB

Download
memory/2808-28-0x000000006F780000-0x000000006FD2B000-memory.dmp

Filesize
5.7MB

Download
memory/2808-47-0x000000006F780000-0x000000006FD2B000-memory.dmp

Filesize
5.7MB

Download
memory/2808-25-0x0000000002830000-0x0000000002870000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads