formbook | fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf

General

Target

fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe
Size

867KB
MD5

86f59231b4d4b92d9d41a16a142380fe
SHA1

3bbadc59af1d5358c0565eadc51ce777d47a0dda
SHA256

fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf
SHA512

1b98f0c970819f7a1f5fb2b8566b4b0c0abb126b747f092f90587189f345a5d3672446b1e762752c3ffcdd0b2f92f28bcb2538e8e14af5abd2b5013a1a0bcaff
SSDEEP

12288:gU6HguXUVUAfIOsgKwDV+nm5vc19ApsWSyO7rbdTrcL/SIIcM8zh:EgzQwB8mhMtV5g8z8zh

Score

10^/10

formbook g11y rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

g11y

Decoy

dianedaily.com

grabius.fun

aboodivesakaran.com

ttasum.site

softlytictechpro.com

charlenenicholls.com

money254.info

saleanycoin.com

zhlnas.top

bushelandabean.com

ggaperformance.com

rm168vip.life

getconsol.com

empower-excellence.com

pompgarden.com

spartanburghistorytour.com

thewrkrbees.com

baoslot-adm.com

bizchatgpt777.com

testdomenkinogid-new-1.buzz

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2596-13-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe

description	pid	process	target process
PID 1688 set thread context of 2596	1688	fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe	fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exefd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe

pid	process
1688	fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe
2596	fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 1688 fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	1688	fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe

description	pid	process	target process
PID 1688 wrote to memory of 2796	1688	fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe	fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe
PID 1688 wrote to memory of 2796	1688	fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe	fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe
PID 1688 wrote to memory of 2796	1688	fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe	fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe
PID 1688 wrote to memory of 2796	1688	fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe	fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe
PID 1688 wrote to memory of 2596	1688	fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe	fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe
PID 1688 wrote to memory of 2596	1688	fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe	fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe
PID 1688 wrote to memory of 2596	1688	fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe	fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe
PID 1688 wrote to memory of 2596	1688	fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe	fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe
PID 1688 wrote to memory of 2596	1688	fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe	fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe
PID 1688 wrote to memory of 2596	1688	fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe	fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe
PID 1688 wrote to memory of 2596	1688	fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe	fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1688

C:\Users\Admin\AppData\Local\Temp\fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe"
2⤵
PID:2796

C:\Users\Admin\AppData\Local\Temp\fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd032e026a2d0dc8f80370acf62e120c4a04fb1fd46318839f162f1949ad0edf_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2596

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1688-6-0x0000000004E00000-0x0000000004E80000-memory.dmp

Filesize
512KB

Download
memory/1688-0-0x0000000001230000-0x000000000130E000-memory.dmp

Filesize
888KB

Download
memory/1688-2-0x0000000004EA0000-0x0000000004EE0000-memory.dmp

Filesize
256KB

Download
memory/1688-3-0x00000000004D0000-0x00000000004E4000-memory.dmp

Filesize
80KB

Download
memory/1688-4-0x0000000000500000-0x000000000050A000-memory.dmp

Filesize
40KB

Download
memory/1688-5-0x0000000000510000-0x000000000051E000-memory.dmp

Filesize
56KB

Download
memory/1688-1-0x0000000073FE0000-0x00000000746CE000-memory.dmp

Filesize
6.9MB

Download
memory/1688-14-0x0000000073FE0000-0x00000000746CE000-memory.dmp

Filesize
6.9MB

Download
memory/2596-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2596-9-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2596-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2596-13-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2596-15-0x0000000000700000-0x0000000000A03000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads