formbook | 20edf62000816d59f1100dabf3e16f55e7445f4578550a5e89af2c5558571cd3

General

Target

fbdc152b902ae2188e48ee08271321cf_JaffaCakes118.exe
Size

897KB
MD5

fbdc152b902ae2188e48ee08271321cf
SHA1

016c9daf134074eba066378a1355e406340d71a0
SHA256

20edf62000816d59f1100dabf3e16f55e7445f4578550a5e89af2c5558571cd3
SHA512

90219931b5537b6ff783acd7c9df4817803d40d922aa393975464b2b78aa63078d898bd62352e1d1235a309aa475a4a3a042c13cdc8b5d745d66d3186a54de21
SSDEEP

12288:vdfL13IjY/bh7iS/d348C9SvUnJG6uA1zYA/06S5o1lcSVSB0c9Pc20:pLtaeAS/d32sIG4Yu06S5ESB/cJ

Score

10^/10

formbook upio evasion rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

upio

Decoy

thecantonmentcookhouse.com

1for1ecomask.com

thatvintagehome.com

momentbymomentmindfulness.com

denxmedia.com

arc-corner.com

siddharthmakharia.com

meiluk.com

toughu.com

hotelwisatabaru.com

ibluebelt3dbuy.com

bestfootwearhk.com

wbjobalerts.com

radiancenurestoringcleanse.com

xintianlongyeya.com

docauphuhau.com

liberty-furniture.com

ranchhousepizzaonline.com

bednhomes.com

kollakids.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

Processes:

resource	yara_rule
behavioral1/memory/1176-3-0x00000000006F0000-0x0000000000702000-memory.dmp	CustAttr

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1964-31-0x0000000000400000-0x000000000042E000-memory.dmp	formbook

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

fbdc152b902ae2188e48ee08271321cf_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	fbdc152b902ae2188e48ee08271321cf_JaffaCakes118.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

fbdc152b902ae2188e48ee08271321cf_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools fbdc152b902ae2188e48ee08271321cf_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	fbdc152b902ae2188e48ee08271321cf_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fbdc152b902ae2188e48ee08271321cf_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	fbdc152b902ae2188e48ee08271321cf_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	fbdc152b902ae2188e48ee08271321cf_JaffaCakes118.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

fbdc152b902ae2188e48ee08271321cf_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	fbdc152b902ae2188e48ee08271321cf_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	fbdc152b902ae2188e48ee08271321cf_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

fbdc152b902ae2188e48ee08271321cf_JaffaCakes118.exe

description	pid	process	target process
PID 1176 set thread context of 1964	1176	fbdc152b902ae2188e48ee08271321cf_JaffaCakes118.exe	fbdc152b902ae2188e48ee08271321cf_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1980 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exefbdc152b902ae2188e48ee08271321cf_JaffaCakes118.exe

pid process

2432 powershell.exe
2336 powershell.exe
1812 powershell.exe
1964 fbdc152b902ae2188e48ee08271321cf_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2336 powershell.exe
Token: SeDebugPrivilege 2432 powershell.exe
Token: SeDebugPrivilege 1812 powershell.exe

pid	process
1980	schtasks.exe

pid	process
2432	powershell.exe
2336	powershell.exe
1812	powershell.exe
1964	fbdc152b902ae2188e48ee08271321cf_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	1812	powershell.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

fbdc152b902ae2188e48ee08271321cf_JaffaCakes118.exe

description	pid	process	target process
PID 1176 wrote to memory of 2432	1176	fbdc152b902ae2188e48ee08271321cf_JaffaCakes118.exe	powershell.exe
PID 1176 wrote to memory of 2432	1176	fbdc152b902ae2188e48ee08271321cf_JaffaCakes118.exe	powershell.exe
PID 1176 wrote to memory of 2432	1176	fbdc152b902ae2188e48ee08271321cf_JaffaCakes118.exe	powershell.exe
PID 1176 wrote to memory of 2432	1176	fbdc152b902ae2188e48ee08271321cf_JaffaCakes118.exe	powershell.exe
PID 1176 wrote to memory of 2336	1176	fbdc152b902ae2188e48ee08271321cf_JaffaCakes118.exe	powershell.exe
PID 1176 wrote to memory of 2336	1176	fbdc152b902ae2188e48ee08271321cf_JaffaCakes118.exe	powershell.exe
PID 1176 wrote to memory of 2336	1176	fbdc152b902ae2188e48ee08271321cf_JaffaCakes118.exe	powershell.exe
PID 1176 wrote to memory of 2336	1176	fbdc152b902ae2188e48ee08271321cf_JaffaCakes118.exe	powershell.exe
PID 1176 wrote to memory of 1980	1176	fbdc152b902ae2188e48ee08271321cf_JaffaCakes118.exe	schtasks.exe
PID 1176 wrote to memory of 1980	1176	fbdc152b902ae2188e48ee08271321cf_JaffaCakes118.exe	schtasks.exe
PID 1176 wrote to memory of 1980	1176	fbdc152b902ae2188e48ee08271321cf_JaffaCakes118.exe	schtasks.exe
PID 1176 wrote to memory of 1980	1176	fbdc152b902ae2188e48ee08271321cf_JaffaCakes118.exe	schtasks.exe
PID 1176 wrote to memory of 1812	1176	fbdc152b902ae2188e48ee08271321cf_JaffaCakes118.exe	powershell.exe
PID 1176 wrote to memory of 1812	1176	fbdc152b902ae2188e48ee08271321cf_JaffaCakes118.exe	powershell.exe
PID 1176 wrote to memory of 1812	1176	fbdc152b902ae2188e48ee08271321cf_JaffaCakes118.exe	powershell.exe
PID 1176 wrote to memory of 1812	1176	fbdc152b902ae2188e48ee08271321cf_JaffaCakes118.exe	powershell.exe
PID 1176 wrote to memory of 1964	1176	fbdc152b902ae2188e48ee08271321cf_JaffaCakes118.exe	fbdc152b902ae2188e48ee08271321cf_JaffaCakes118.exe
PID 1176 wrote to memory of 1964	1176	fbdc152b902ae2188e48ee08271321cf_JaffaCakes118.exe	fbdc152b902ae2188e48ee08271321cf_JaffaCakes118.exe
PID 1176 wrote to memory of 1964	1176	fbdc152b902ae2188e48ee08271321cf_JaffaCakes118.exe	fbdc152b902ae2188e48ee08271321cf_JaffaCakes118.exe
PID 1176 wrote to memory of 1964	1176	fbdc152b902ae2188e48ee08271321cf_JaffaCakes118.exe	fbdc152b902ae2188e48ee08271321cf_JaffaCakes118.exe
PID 1176 wrote to memory of 1964	1176	fbdc152b902ae2188e48ee08271321cf_JaffaCakes118.exe	fbdc152b902ae2188e48ee08271321cf_JaffaCakes118.exe
PID 1176 wrote to memory of 1964	1176	fbdc152b902ae2188e48ee08271321cf_JaffaCakes118.exe	fbdc152b902ae2188e48ee08271321cf_JaffaCakes118.exe
PID 1176 wrote to memory of 1964	1176	fbdc152b902ae2188e48ee08271321cf_JaffaCakes118.exe	fbdc152b902ae2188e48ee08271321cf_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\fbdc152b902ae2188e48ee08271321cf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fbdc152b902ae2188e48ee08271321cf_JaffaCakes118.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\fbdc152b902ae2188e48ee08271321cf_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2432

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\IBaqdJW.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2336

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IBaqdJW" /XML "C:\Users\Admin\AppData\Local\Temp\tmp81EC.tmp"
2⤵
- Creates scheduled task(s)
PID:1980

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\IBaqdJW.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\Users\Admin\AppData\Local\Temp\fbdc152b902ae2188e48ee08271321cf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fbdc152b902ae2188e48ee08271321cf_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1964

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp81EC.tmp
Filesize
1KB

MD5
dae4acb4418896d941947b253936df82

SHA1
c3cb9d8a1bb9ddb9c53a33c0d54ddb0b20c9e587

SHA256
b2c2d6863409414b4dd5313710ef7504e8a1a37cb2b4dd3a0c6ec1e9c47cc853

SHA512
6b1550fe824c5e4956a3f438002eb0ed18fe6e9154ba1ef4ac210ad2c4a2a1375f74b95a0317914acbbcf4ae8153c6debb444e4fd21b50da75d7e88af54dde86

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
b274c9580c1118e5cf238cf80ccc251d

SHA1
363b676d8728a4fc98310532719d8df89a49c693

SHA256
60d3446a1f6773451da8f0918d11a562611ba1a968858e8091605c28953bc480

SHA512
c4f6dba0a5d43b6aebfce16ee4ea908c69bd34a248814191fd6aede8fe473beda157bf5d080b8626a36ec8121f598fe184230200842ad509e7df20f009da604c

Download Submit
memory/1176-32-0x0000000074A00000-0x00000000750EE000-memory.dmp

Filesize
6.9MB

Download
memory/1176-1-0x0000000074A00000-0x00000000750EE000-memory.dmp

Filesize
6.9MB

Download
memory/1176-2-0x0000000004C00000-0x0000000004C40000-memory.dmp

Filesize
256KB

Download
memory/1176-3-0x00000000006F0000-0x0000000000702000-memory.dmp

Filesize
72KB

Download
memory/1176-4-0x0000000074A00000-0x00000000750EE000-memory.dmp

Filesize
6.9MB

Download
memory/1176-5-0x0000000004C00000-0x0000000004C40000-memory.dmp

Filesize
256KB

Download
memory/1176-6-0x00000000059C0000-0x0000000005A64000-memory.dmp

Filesize
656KB

Download
memory/1176-7-0x0000000000BA0000-0x0000000000BD4000-memory.dmp

Filesize
208KB

Download
memory/1176-0-0x00000000012F0000-0x00000000013D6000-memory.dmp

Filesize
920KB

Download
memory/1812-38-0x000000006F5D0000-0x000000006FB7B000-memory.dmp

Filesize
5.7MB

Download
memory/1812-39-0x0000000002680000-0x00000000026C0000-memory.dmp

Filesize
256KB

Download
memory/1812-45-0x000000006F5D0000-0x000000006FB7B000-memory.dmp

Filesize
5.7MB

Download
memory/1812-42-0x0000000002680000-0x00000000026C0000-memory.dmp

Filesize
256KB

Download
memory/1812-41-0x0000000002680000-0x00000000026C0000-memory.dmp

Filesize
256KB

Download
memory/1812-40-0x000000006F5D0000-0x000000006FB7B000-memory.dmp

Filesize
5.7MB

Download
memory/1964-28-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1964-43-0x0000000000910000-0x0000000000C13000-memory.dmp

Filesize
3.0MB

Download
memory/1964-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1964-27-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1964-31-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2336-46-0x000000006F5D0000-0x000000006FB7B000-memory.dmp

Filesize
5.7MB

Download
memory/2336-22-0x000000006F5D0000-0x000000006FB7B000-memory.dmp

Filesize
5.7MB

Download
memory/2336-26-0x0000000002700000-0x0000000002740000-memory.dmp

Filesize
256KB

Download
memory/2336-23-0x0000000002700000-0x0000000002740000-memory.dmp

Filesize
256KB

Download
memory/2432-19-0x000000006F5D0000-0x000000006FB7B000-memory.dmp

Filesize
5.7MB

Download
memory/2432-24-0x0000000002360000-0x00000000023A0000-memory.dmp

Filesize
256KB

Download
memory/2432-44-0x000000006F5D0000-0x000000006FB7B000-memory.dmp

Filesize
5.7MB

Download
memory/2432-25-0x0000000002360000-0x00000000023A0000-memory.dmp

Filesize
256KB

Download
memory/2432-21-0x000000006F5D0000-0x000000006FB7B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads