formbook | 2e6fe07659b3d7fd953909856a82866e3927065febbddd09f3e8acb885d12dad

General

Target

fdce18358d597d6df791071d740c425a_JaffaCakes118.exe
Size

855KB
MD5

fdce18358d597d6df791071d740c425a
SHA1

12d29b718d32559ccd7ed233711f4e169ee8908a
SHA256

2e6fe07659b3d7fd953909856a82866e3927065febbddd09f3e8acb885d12dad
SHA512

7eeb95df9696f3265cd42b2c994a491210d5d8a73baa8e8236e6edc9badab3fd255fb66f93d51facd9421aded6ac192921f20e31113825765e24ffbcd2fb26ab
SSDEEP

12288:TZ/mi9YLax040VZpgRpspsWAc+dvshMNEd3f94zEh43d4ptqod+m:T6LIIlhjJf9og4NSqogm

Score

10^/10

formbook vd9n rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

vd9n

Decoy

theunwrappedcollective.com

seckj-ic.com

tyresandover.com

thetrophyworld.com

fonggrconstruction.com

hopiproject.com

sktitle.com

charlotteobscurer.com

qjuhe.com

girlzglitter.com

createmylawn.com

hempcbgpill.com

zzdfdzkj.com

shreehariessential.com

226sm.com

getcupscall.com

neuralviolin.com

sanskaar.life

xn--fhqrm54yyukopc.com

togetherx4fantasy5star.today

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3364-17-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/3364-22-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/4604-28-0x00000000007C0000-0x00000000007EE000-memory.dmp	formbook
behavioral2/memory/4604-34-0x00000000007C0000-0x00000000007EE000-memory.dmp	formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fdce18358d597d6df791071d740c425a_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	fdce18358d597d6df791071d740c425a_JaffaCakes118.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

fdce18358d597d6df791071d740c425a_JaffaCakes118.exeRegSvcs.exeexplorer.exe

description	pid	process	target process
PID 4668 set thread context of 3364	4668	fdce18358d597d6df791071d740c425a_JaffaCakes118.exe	RegSvcs.exe
PID 3364 set thread context of 3188	3364	RegSvcs.exe	Explorer.EXE
PID 4604 set thread context of 3188	4604	explorer.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2148 schtasks.exe

pid	process
2148	schtasks.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

Processes:

fdce18358d597d6df791071d740c425a_JaffaCakes118.exeRegSvcs.exeexplorer.exe

pid	process
4668	fdce18358d597d6df791071d740c425a_JaffaCakes118.exe
3364	RegSvcs.exe
3364	RegSvcs.exe
3364	RegSvcs.exe
3364	RegSvcs.exe
4604	explorer.exe
4604	explorer.exe
4604	explorer.exe
4604	explorer.exe
4604	explorer.exe
4604	explorer.exe
4604	explorer.exe
4604	explorer.exe
4604	explorer.exe
4604	explorer.exe
4604	explorer.exe
4604	explorer.exe
4604	explorer.exe
4604	explorer.exe
4604	explorer.exe
4604	explorer.exe
4604	explorer.exe
4604	explorer.exe
4604	explorer.exe
4604	explorer.exe
4604	explorer.exe
4604	explorer.exe
4604	explorer.exe
4604	explorer.exe
4604	explorer.exe
4604	explorer.exe
4604	explorer.exe
4604	explorer.exe
4604	explorer.exe
4604	explorer.exe
4604	explorer.exe
4604	explorer.exe
4604	explorer.exe
4604	explorer.exe
4604	explorer.exe
4604	explorer.exe
4604	explorer.exe
4604	explorer.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

RegSvcs.exeexplorer.exe

pid process

3364 RegSvcs.exe
3364 RegSvcs.exe
3364 RegSvcs.exe
4604 explorer.exe
4604 explorer.exe

pid	process
3364	RegSvcs.exe
3364	RegSvcs.exe
3364	RegSvcs.exe
4604	explorer.exe
4604	explorer.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

fdce18358d597d6df791071d740c425a_JaffaCakes118.exeRegSvcs.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	4668	fdce18358d597d6df791071d740c425a_JaffaCakes118.exe
Token: SeDebugPrivilege	3364	RegSvcs.exe
Token: SeDebugPrivilege	4604	explorer.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3188 Explorer.EXE

pid	process
3188	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

fdce18358d597d6df791071d740c425a_JaffaCakes118.exeExplorer.EXEexplorer.exe

description	pid	process	target process
PID 4668 wrote to memory of 2148	4668	fdce18358d597d6df791071d740c425a_JaffaCakes118.exe	schtasks.exe
PID 4668 wrote to memory of 2148	4668	fdce18358d597d6df791071d740c425a_JaffaCakes118.exe	schtasks.exe
PID 4668 wrote to memory of 2148	4668	fdce18358d597d6df791071d740c425a_JaffaCakes118.exe	schtasks.exe
PID 4668 wrote to memory of 3364	4668	fdce18358d597d6df791071d740c425a_JaffaCakes118.exe	RegSvcs.exe
PID 4668 wrote to memory of 3364	4668	fdce18358d597d6df791071d740c425a_JaffaCakes118.exe	RegSvcs.exe
PID 4668 wrote to memory of 3364	4668	fdce18358d597d6df791071d740c425a_JaffaCakes118.exe	RegSvcs.exe
PID 4668 wrote to memory of 3364	4668	fdce18358d597d6df791071d740c425a_JaffaCakes118.exe	RegSvcs.exe
PID 4668 wrote to memory of 3364	4668	fdce18358d597d6df791071d740c425a_JaffaCakes118.exe	RegSvcs.exe
PID 4668 wrote to memory of 3364	4668	fdce18358d597d6df791071d740c425a_JaffaCakes118.exe	RegSvcs.exe
PID 3188 wrote to memory of 4604	3188	Explorer.EXE	explorer.exe
PID 3188 wrote to memory of 4604	3188	Explorer.EXE	explorer.exe
PID 3188 wrote to memory of 4604	3188	Explorer.EXE	explorer.exe
PID 4604 wrote to memory of 4976	4604	explorer.exe	cmd.exe
PID 4604 wrote to memory of 4976	4604	explorer.exe	cmd.exe
PID 4604 wrote to memory of 4976	4604	explorer.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3188

C:\Users\Admin\AppData\Local\Temp\fdce18358d597d6df791071d740c425a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fdce18358d597d6df791071d740c425a_JaffaCakes118.exe"
2⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4668

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QIJlRuVFAS" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB26.tmp"
3⤵
- Creates scheduled task(s)
PID:2148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3364

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4604

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:4976

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB26.tmp
Filesize
1KB

MD5
8596759be3bdd62e43e9b76d10e69a9a

SHA1
5cd279a7bafeaba217ceb7b91e0040dbd33e5e79

SHA256
95f36cd5b822d2b2d9b473725485d9a18f029ee9720c608130e530f92de30342

SHA512
4a27aace5c1d61114746c90cf17c9a94ee1708564e73191ebe7b0e7a25e8812c4a65b7967860e36d9d924ffcb0f11e0d4e4b1fa229a36de1d68b0208744c478a

Download Submit
memory/3188-40-0x0000000008430000-0x0000000008539000-memory.dmp

Filesize
1.0MB

Download
memory/3188-37-0x0000000008430000-0x0000000008539000-memory.dmp

Filesize
1.0MB

Download
memory/3188-36-0x0000000008430000-0x0000000008539000-memory.dmp

Filesize
1.0MB

Download
memory/3188-32-0x0000000002D80000-0x0000000002EFD000-memory.dmp

Filesize
1.5MB

Download
memory/3188-24-0x0000000002D80000-0x0000000002EFD000-memory.dmp

Filesize
1.5MB

Download
memory/3364-23-0x00000000013E0000-0x00000000013F4000-memory.dmp

Filesize
80KB

Download
memory/3364-22-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3364-20-0x0000000001570000-0x00000000018BA000-memory.dmp

Filesize
3.3MB

Download
memory/3364-17-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4604-34-0x00000000007C0000-0x00000000007EE000-memory.dmp

Filesize
184KB

Download
memory/4604-25-0x0000000000CB0000-0x00000000010E3000-memory.dmp

Filesize
4.2MB

Download
memory/4604-27-0x0000000000CB0000-0x00000000010E3000-memory.dmp

Filesize
4.2MB

Download
memory/4604-28-0x00000000007C0000-0x00000000007EE000-memory.dmp

Filesize
184KB

Download
memory/4604-29-0x0000000002DE0000-0x000000000312A000-memory.dmp

Filesize
3.3MB

Download
memory/4604-31-0x0000000002C20000-0x0000000002CB3000-memory.dmp

Filesize
588KB

Download
memory/4668-7-0x0000000005630000-0x0000000005648000-memory.dmp

Filesize
96KB

Download
memory/4668-19-0x00000000746F0000-0x0000000074EA0000-memory.dmp

Filesize
7.7MB

Download
memory/4668-11-0x0000000006DE0000-0x0000000006E1E000-memory.dmp

Filesize
248KB

Download
memory/4668-10-0x0000000007020000-0x00000000070CE000-memory.dmp

Filesize
696KB

Download
memory/4668-9-0x00000000055D0000-0x00000000055E0000-memory.dmp

Filesize
64KB

Download
memory/4668-8-0x00000000746F0000-0x0000000074EA0000-memory.dmp

Filesize
7.7MB

Download
memory/4668-0-0x0000000000880000-0x000000000095C000-memory.dmp

Filesize
880KB

Download
memory/4668-6-0x0000000005310000-0x000000000531A000-memory.dmp

Filesize
40KB

Download
memory/4668-5-0x00000000055D0000-0x00000000055E0000-memory.dmp

Filesize
64KB

Download
memory/4668-4-0x0000000005400000-0x000000000549C000-memory.dmp

Filesize
624KB

Download
memory/4668-3-0x0000000005360000-0x00000000053F2000-memory.dmp

Filesize
584KB

Download
memory/4668-2-0x0000000005910000-0x0000000005EB4000-memory.dmp

Filesize
5.6MB

Download
memory/4668-1-0x00000000746F0000-0x0000000074EA0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads