formbook | 6e521645df736e76b57cdf6996cee4a5148e649cee75be8f36ccfb008f047fa6

General

Target

18882465f8b6e72a46669d4aa2e78cb1_JaffaCakes118.exe
Size

424KB
MD5

18882465f8b6e72a46669d4aa2e78cb1
SHA1

b05a070b6c3fec5330d1413594a4b17b19099a02
SHA256

6e521645df736e76b57cdf6996cee4a5148e649cee75be8f36ccfb008f047fa6
SHA512

388e34cfc7a43a062e0c389611036b7953a99d4def7699852d875c2fcdc7c6a79205d85fa128aae9d48d9c37888d60611390640086a7e7a3e4b0e38173964e44
SSDEEP

6144:6N9JYSDAzaiTCXkJNlMgpV5Nj3QmlsPt5GM/x1lPWojLWYM+6LpfeR14Kn3r/u/t:67RAzTukj/Nj5OlzW3ppWbhn3TcWId

Score

10^/10

formbook h308 agilenet persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

h308

Decoy

sewrelax.com

southbaycurling.rocks

hongju101.com

nikkismithonline.com

bluprl.net

slursthisshark.com

smootord.com

buyoregonhemp.com

stepstolight.com

mchausverwalter.com

cofidis.cloud

queenartjewellery.com

samoedrasalvageengineers.com

skull.ltd

leapmotors.net

gayo.ltd

philborremans.com

yeezywaverunner700.com

febriananas.com

railor-music.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\bin.exe	formbook
behavioral2/memory/3556-41-0x0000000000820000-0x000000000084A000-memory.dmp	formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

18882465f8b6e72a46669d4aa2e78cb1_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	18882465f8b6e72a46669d4aa2e78cb1_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

Processes:

bin.exeskypeeApp.exeskypeeApp.exe

pid process

1360 bin.exe
3396 skypeeApp.exe
3556 skypeeApp.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/memory/4720-6-0x0000000004D30000-0x0000000004D44000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

skypeeApp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\skypeeApplication = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\skypeeApp.exe -boot"	skypeeApp.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

bin.exemsdt.exeskypeeApp.exe

description	pid	process	target process
PID 1360 set thread context of 3600	1360	bin.exe	Explorer.EXE
PID 5092 set thread context of 3600	5092	msdt.exe	Explorer.EXE
PID 5092 set thread context of 3100	5092	msdt.exe	explorer.exe
PID 5092 set thread context of 4016	5092	msdt.exe	explorer.exe
PID 3396 set thread context of 3556	3396	skypeeApp.exe	skypeeApp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4276 3556 WerFault.exe skypeeApp.exe

pid	pid_target	process	target process
4276	3556	WerFault.exe	skypeeApp.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

Processes:

bin.exemsdt.exe

pid	process
1360	bin.exe
1360	bin.exe
1360	bin.exe
1360	bin.exe
5092	msdt.exe
5092	msdt.exe
5092	msdt.exe
5092	msdt.exe
5092	msdt.exe
5092	msdt.exe
5092	msdt.exe
5092	msdt.exe
5092	msdt.exe
5092	msdt.exe
5092	msdt.exe
5092	msdt.exe
5092	msdt.exe
5092	msdt.exe
5092	msdt.exe
5092	msdt.exe
5092	msdt.exe
5092	msdt.exe
5092	msdt.exe
5092	msdt.exe
5092	msdt.exe
5092	msdt.exe
5092	msdt.exe
5092	msdt.exe
5092	msdt.exe
5092	msdt.exe
5092	msdt.exe
5092	msdt.exe
5092	msdt.exe
5092	msdt.exe
5092	msdt.exe
5092	msdt.exe
5092	msdt.exe
5092	msdt.exe
5092	msdt.exe
5092	msdt.exe
5092	msdt.exe
5092	msdt.exe
5092	msdt.exe
5092	msdt.exe
5092	msdt.exe
5092	msdt.exe
5092	msdt.exe
5092	msdt.exe
5092	msdt.exe
5092	msdt.exe
5092	msdt.exe
5092	msdt.exe
5092	msdt.exe
5092	msdt.exe
5092	msdt.exe
5092	msdt.exe

Suspicious behavior: MapViewOfSection 9 IoCs

Processes:

bin.exemsdt.exe

pid process

1360 bin.exe
1360 bin.exe
1360 bin.exe
5092 msdt.exe
5092 msdt.exe
5092 msdt.exe
5092 msdt.exe
5092 msdt.exe
5092 msdt.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

18882465f8b6e72a46669d4aa2e78cb1_JaffaCakes118.exebin.exemsdt.exeExplorer.EXEskypeeApp.exe

description	pid	process
Token: SeDebugPrivilege	4720	18882465f8b6e72a46669d4aa2e78cb1_JaffaCakes118.exe
Token: SeDebugPrivilege	1360	bin.exe
Token: SeDebugPrivilege	5092	msdt.exe
Token: SeShutdownPrivilege	3600	Explorer.EXE
Token: SeCreatePagefilePrivilege	3600	Explorer.EXE
Token: SeDebugPrivilege	3396	skypeeApp.exe
Token: SeShutdownPrivilege	3600	Explorer.EXE
Token: SeCreatePagefilePrivilege	3600	Explorer.EXE
Token: SeShutdownPrivilege	3600	Explorer.EXE
Token: SeCreatePagefilePrivilege	3600	Explorer.EXE
Token: SeShutdownPrivilege	3600	Explorer.EXE
Token: SeCreatePagefilePrivilege	3600	Explorer.EXE
Token: SeShutdownPrivilege	3600	Explorer.EXE
Token: SeCreatePagefilePrivilege	3600	Explorer.EXE
Token: SeShutdownPrivilege	3600	Explorer.EXE
Token: SeCreatePagefilePrivilege	3600	Explorer.EXE
Token: SeShutdownPrivilege	3600	Explorer.EXE
Token: SeCreatePagefilePrivilege	3600	Explorer.EXE
Token: SeShutdownPrivilege	3600	Explorer.EXE
Token: SeCreatePagefilePrivilege	3600	Explorer.EXE
Token: SeShutdownPrivilege	3600	Explorer.EXE
Token: SeCreatePagefilePrivilege	3600	Explorer.EXE
Token: SeShutdownPrivilege	3600	Explorer.EXE
Token: SeCreatePagefilePrivilege	3600	Explorer.EXE
Token: SeShutdownPrivilege	3600	Explorer.EXE
Token: SeCreatePagefilePrivilege	3600	Explorer.EXE
Token: SeShutdownPrivilege	3600	Explorer.EXE
Token: SeCreatePagefilePrivilege	3600	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3600 Explorer.EXE

pid	process
3600	Explorer.EXE

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

18882465f8b6e72a46669d4aa2e78cb1_JaffaCakes118.exeexplorer.exeExplorer.EXEmsdt.exeexplorer.exeskypeeApp.exe

description	pid	process	target process
PID 4720 wrote to memory of 2372	4720	18882465f8b6e72a46669d4aa2e78cb1_JaffaCakes118.exe	explorer.exe
PID 4720 wrote to memory of 2372	4720	18882465f8b6e72a46669d4aa2e78cb1_JaffaCakes118.exe	explorer.exe
PID 4720 wrote to memory of 2372	4720	18882465f8b6e72a46669d4aa2e78cb1_JaffaCakes118.exe	explorer.exe
PID 3100 wrote to memory of 1360	3100	explorer.exe	bin.exe
PID 3100 wrote to memory of 1360	3100	explorer.exe	bin.exe
PID 3100 wrote to memory of 1360	3100	explorer.exe	bin.exe
PID 3600 wrote to memory of 5092	3600	Explorer.EXE	msdt.exe
PID 3600 wrote to memory of 5092	3600	Explorer.EXE	msdt.exe
PID 3600 wrote to memory of 5092	3600	Explorer.EXE	msdt.exe
PID 5092 wrote to memory of 2628	5092	msdt.exe	cmd.exe
PID 5092 wrote to memory of 2628	5092	msdt.exe	cmd.exe
PID 5092 wrote to memory of 2628	5092	msdt.exe	cmd.exe
PID 4720 wrote to memory of 3952	4720	18882465f8b6e72a46669d4aa2e78cb1_JaffaCakes118.exe	cmd.exe
PID 4720 wrote to memory of 3952	4720	18882465f8b6e72a46669d4aa2e78cb1_JaffaCakes118.exe	cmd.exe
PID 4720 wrote to memory of 3952	4720	18882465f8b6e72a46669d4aa2e78cb1_JaffaCakes118.exe	cmd.exe
PID 4720 wrote to memory of 4868	4720	18882465f8b6e72a46669d4aa2e78cb1_JaffaCakes118.exe	explorer.exe
PID 4720 wrote to memory of 4868	4720	18882465f8b6e72a46669d4aa2e78cb1_JaffaCakes118.exe	explorer.exe
PID 4720 wrote to memory of 4868	4720	18882465f8b6e72a46669d4aa2e78cb1_JaffaCakes118.exe	explorer.exe
PID 4016 wrote to memory of 3396	4016	explorer.exe	skypeeApp.exe
PID 4016 wrote to memory of 3396	4016	explorer.exe	skypeeApp.exe
PID 4016 wrote to memory of 3396	4016	explorer.exe	skypeeApp.exe
PID 3396 wrote to memory of 3556	3396	skypeeApp.exe	skypeeApp.exe
PID 3396 wrote to memory of 3556	3396	skypeeApp.exe	skypeeApp.exe
PID 3396 wrote to memory of 3556	3396	skypeeApp.exe	skypeeApp.exe
PID 3396 wrote to memory of 3556	3396	skypeeApp.exe	skypeeApp.exe
PID 3396 wrote to memory of 3556	3396	skypeeApp.exe	skypeeApp.exe
PID 3396 wrote to memory of 3556	3396	skypeeApp.exe	skypeeApp.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3600

C:\Users\Admin\AppData\Local\Temp\18882465f8b6e72a46669d4aa2e78cb1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\18882465f8b6e72a46669d4aa2e78cb1_JaffaCakes118.exe"
2⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4720

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\bin.exe"
3⤵
PID:2372

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\18882465f8b6e72a46669d4aa2e78cb1_JaffaCakes118.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\skypeeApp.exe"
3⤵
PID:3952

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\skypeeApp.exe"
3⤵
PID:4868

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5092

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\bin.exe"
3⤵
PID:2628

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:3100

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\bin.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\bin.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1360

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:4016

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\skypeeApp.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\skypeeApp.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3396

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\skypeeApp.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\skypeeApp.exe"
3⤵
- Executes dropped EXE
PID:3556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 220
4⤵
- Program crash
PID:4276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3556 -ip 3556
1⤵
PID:4804

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\bin.exe
Filesize
167KB

MD5
04ff1d14354721ffe522ca7484e4511a

SHA1
c3034af51fe4f44a40eaff41e10fd041f280fe67

SHA256
91d1633f58df12c46b45d091d4dda9ce71006d84383ec0ee63f2e39072bdfea2

SHA512
5954c30a19657128fc73963423421f5365dacfa8d89264a2ac69f6f04fa5e0ea42d458ee0aaf0257cef774a4c2ba3208d35e5193f1103010716f77710d9123ab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\skypeeApp.exe
Filesize
424KB

MD5
18882465f8b6e72a46669d4aa2e78cb1

SHA1
b05a070b6c3fec5330d1413594a4b17b19099a02

SHA256
6e521645df736e76b57cdf6996cee4a5148e649cee75be8f36ccfb008f047fa6

SHA512
388e34cfc7a43a062e0c389611036b7953a99d4def7699852d875c2fcdc7c6a79205d85fa128aae9d48d9c37888d60611390640086a7e7a3e4b0e38173964e44

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\bin.txt
Filesize
32B

MD5
f163396219e4df6dfc3c59d9f82b96fc

SHA1
5d7c990bc1fe606dd14ebb63e07c0ab576ae6932

SHA256
1b017689009780e08d9cbe2b75f050c7b0972b6dbab3f0fb3b1a5a7f17556e48

SHA512
3361cd1172e6127fa160d8aecc107e5e8c5c28b06384d56c5c4b154888132b214aa1d10f280bd03fc3e44e3c6475306c46e2b1db3dc18ba913dc997af80e0f9a

Download Submit
memory/3100-33-0x0000000003B40000-0x0000000003C77000-memory.dmp

Filesize
1.2MB

Download
memory/3100-22-0x0000000003B40000-0x0000000003C77000-memory.dmp

Filesize
1.2MB

Download
memory/3556-41-0x0000000000820000-0x000000000084A000-memory.dmp

Filesize
168KB

Download
memory/3600-20-0x0000000008AD0000-0x0000000008BDF000-memory.dmp

Filesize
1.1MB

Download
memory/4016-43-0x0000000003470000-0x00000000035E1000-memory.dmp

Filesize
1.4MB

Download
memory/4016-37-0x0000000003470000-0x00000000035E1000-memory.dmp

Filesize
1.4MB

Download
memory/4720-15-0x000000007520E000-0x000000007520F000-memory.dmp

Filesize
4KB

Download
memory/4720-0-0x000000007520E000-0x000000007520F000-memory.dmp

Filesize
4KB

Download
memory/4720-16-0x0000000075200000-0x00000000759B0000-memory.dmp

Filesize
7.7MB

Download
memory/4720-7-0x0000000004DF0000-0x0000000004E8C000-memory.dmp

Filesize
624KB

Download
memory/4720-6-0x0000000004D30000-0x0000000004D44000-memory.dmp

Filesize
80KB

Download
memory/4720-28-0x0000000075200000-0x00000000759B0000-memory.dmp

Filesize
7.7MB

Download
memory/4720-5-0x0000000075200000-0x00000000759B0000-memory.dmp

Filesize
7.7MB

Download
memory/4720-4-0x0000000004AC0000-0x0000000004ACA000-memory.dmp

Filesize
40KB

Download
memory/4720-3-0x0000000004B50000-0x0000000004BE2000-memory.dmp

Filesize
584KB

Download
memory/4720-2-0x0000000005060000-0x0000000005604000-memory.dmp

Filesize
5.6MB

Download
memory/4720-1-0x0000000000090000-0x0000000000100000-memory.dmp

Filesize
448KB

Download
memory/5092-13-0x0000000000850000-0x00000000008A7000-memory.dmp

Filesize
348KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads