formbook | 400ce3db41e45539da9cbec4768fe45f31d7ad4bd276fff441c79231d959cff0

General

Target

3e57cda1537e5da871c8f1d97ec7d337_JaffaCakes118.exe
Size

750KB
MD5

3e57cda1537e5da871c8f1d97ec7d337
SHA1

d8840938fc45e5d20a0ca3ebebf794617a81e960
SHA256

400ce3db41e45539da9cbec4768fe45f31d7ad4bd276fff441c79231d959cff0
SHA512

3e06bed588ad457f639e2a9ca17abf26c1d77b827dcb9224963c09a1d31165ff0300b90741160c971902e30fe81918639515e5b45992704765e4b3dcbfeb3357
SSDEEP

6144:7lMdF++8cNR1ykQXQAIvD1U0TV33GqK6fPu6WBis:7fcj1yk1bvD1U0TVmqPHWBis

Score

10^/10

formbook d02 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

d02

Decoy

sanforly.com

alignyourasana.com

savecivilization.solutions

theindiedisco.com

284man.com

sophisticateddining.com

lgzcgs.com

cougarstech.com

osce.info

fromthebeginningtotheend.com

w349cu.com

yumanmusic.com

brehinier.com

4500pe.com

sachionaonlineradio.info

parispolskibus.com

juranfukang.com

dqtv0459.com

chinesesovereigncoin.com

monoclothes.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/1300-23-0x0000000000B40000-0x0000000000B6A000-memory.dmp	formbook
behavioral1/memory/2564-33-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral1/memory/2564-38-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XJmdcQ.url	3e57cda1537e5da871c8f1d97ec7d337_JaffaCakes118.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1300 set thread context of 2564	1300	3e57cda1537e5da871c8f1d97ec7d337_JaffaCakes118.exe	31
PID 2564 set thread context of 1224	2564	vbc.exe	21
PID 2564 set thread context of 1224	2564	vbc.exe	21
PID 2652 set thread context of 1224	2652	help.exe	21

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
1300	3e57cda1537e5da871c8f1d97ec7d337_JaffaCakes118.exe
1300	3e57cda1537e5da871c8f1d97ec7d337_JaffaCakes118.exe
2564	vbc.exe
2564	vbc.exe
2564	vbc.exe
2652	help.exe
2652	help.exe
2652	help.exe
2652	help.exe
2652	help.exe
2652	help.exe
2652	help.exe
2652	help.exe
2652	help.exe
2652	help.exe
2652	help.exe
2652	help.exe
2652	help.exe
2652	help.exe
2652	help.exe
2652	help.exe
2652	help.exe
2652	help.exe
2652	help.exe
2652	help.exe
2652	help.exe
2652	help.exe
2652	help.exe
2652	help.exe
2652	help.exe
2652	help.exe
2652	help.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2564	vbc.exe
2564	vbc.exe
2564	vbc.exe
2564	vbc.exe
2652	help.exe
2652	help.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1300	3e57cda1537e5da871c8f1d97ec7d337_JaffaCakes118.exe
Token: SeDebugPrivilege	2564	vbc.exe
Token: SeDebugPrivilege	2652	help.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 2060	1300	3e57cda1537e5da871c8f1d97ec7d337_JaffaCakes118.exe	28
PID 1300 wrote to memory of 2060	1300	3e57cda1537e5da871c8f1d97ec7d337_JaffaCakes118.exe	28
PID 1300 wrote to memory of 2060	1300	3e57cda1537e5da871c8f1d97ec7d337_JaffaCakes118.exe	28
PID 1300 wrote to memory of 2060	1300	3e57cda1537e5da871c8f1d97ec7d337_JaffaCakes118.exe	28
PID 2060 wrote to memory of 2212	2060	csc.exe	30
PID 2060 wrote to memory of 2212	2060	csc.exe	30
PID 2060 wrote to memory of 2212	2060	csc.exe	30
PID 2060 wrote to memory of 2212	2060	csc.exe	30
PID 1300 wrote to memory of 2564	1300	3e57cda1537e5da871c8f1d97ec7d337_JaffaCakes118.exe	31
PID 1300 wrote to memory of 2564	1300	3e57cda1537e5da871c8f1d97ec7d337_JaffaCakes118.exe	31
PID 1300 wrote to memory of 2564	1300	3e57cda1537e5da871c8f1d97ec7d337_JaffaCakes118.exe	31
PID 1300 wrote to memory of 2564	1300	3e57cda1537e5da871c8f1d97ec7d337_JaffaCakes118.exe	31
PID 1300 wrote to memory of 2564	1300	3e57cda1537e5da871c8f1d97ec7d337_JaffaCakes118.exe	31
PID 1300 wrote to memory of 2564	1300	3e57cda1537e5da871c8f1d97ec7d337_JaffaCakes118.exe	31
PID 1300 wrote to memory of 2564	1300	3e57cda1537e5da871c8f1d97ec7d337_JaffaCakes118.exe	31
PID 1224 wrote to memory of 2652	1224	Explorer.EXE	32
PID 1224 wrote to memory of 2652	1224	Explorer.EXE	32
PID 1224 wrote to memory of 2652	1224	Explorer.EXE	32
PID 1224 wrote to memory of 2652	1224	Explorer.EXE	32
PID 2652 wrote to memory of 2616	2652	help.exe	33
PID 2652 wrote to memory of 2616	2652	help.exe	33
PID 2652 wrote to memory of 2616	2652	help.exe	33
PID 2652 wrote to memory of 2616	2652	help.exe	33

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Users\Admin\AppData\Local\Temp\3e57cda1537e5da871c8f1d97ec7d337_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\3e57cda1537e5da871c8f1d97ec7d337_JaffaCakes118.exe"
  2⤵
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1300
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5xbacq1o\5xbacq1o.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2060
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9D97.tmp" "c:\Users\Admin\AppData\Local\Temp\5xbacq1o\CSC8E41E0AE1F6D4FAC84C0DA2BA364E21.TMP"
      4⤵
      PID:2212
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2564
- C:\Windows\SysWOW64\help.exe
  "C:\Windows\SysWOW64\help.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    3⤵
    PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5xbacq1o\5xbacq1o.dll

Filesize
14KB

MD5
f7dcecfe589a1b334624783af121916c

SHA1
335ee497e9728275985397f6eba86031bcc902fe

SHA256
34854c0c9c0cc80fa78ec5e4d164e9a2c4a3563e4103552d95389c5adb855a29

SHA512
c9df6dfb1b61fa4911bebc3a8fc9f49fc643b4cb2a8375b1ada2db3ade8ca2285fbd36c4e315630d434bb1368ceffcbd838fe1e825ce472bc75175f005404af4

Download Submit
C:\Users\Admin\AppData\Local\Temp\5xbacq1o\5xbacq1o.pdb

Filesize
49KB

MD5
be6921b0cfdb7b0d4b5dba1c7ff46bd5

SHA1
e49d506eba606e7f927393e0c054e2c6ea3e5894

SHA256
7af0f6e14623b216d6f9f8939a6f4ceff09278a3f086a2aa1f85cc2489d79522

SHA512
ad6417e7ca5de2798212f430df417e1a95aaa9a2761ef974dcd61a2b85f3e07ce5dfb5e7fee219cdc0e4874061cf1d05f29f1a476833f600aaa30b66c9f8aab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9D97.tmp

Filesize
1KB

MD5
a57067617aed17a79e56a188db04f777

SHA1
93bd065338f14a5e72442ac497e40de3fdb97bd4

SHA256
d0929d656cb1954f0b105bbdf488555323eb9d14eb98411700edd3dd0b70707d

SHA512
a3acdedfaf59626f030132c89b0b4fd8630e01a1afc1a40eafe9e6cf0610f7486cb4aa90d0dd8f43dfe0a5376f3db5c4dc72e4b9358fed46a38b996eaf6b404d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XJmdcQ.url

Filesize
99B

MD5
6f69676efffdc8fa9b6dfc62f41dcc1e

SHA1
a5f577a3db74afd126faf434137ad6b755219de7

SHA256
e67fa6e528340d121bf61a896281262415397d2b0c650af054b3df644027e545

SHA512
619b0acfca3ae004b98ce5a3cbb757397fc71e4e96a7edd16aafdc417d423c01d507ff0fa05d60c56576bd080bda2ace3c9349125e336833d13cf6283784f299

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5xbacq1o\5xbacq1o.0.cs

Filesize
28KB

MD5
ba7e581d0ab64da6a7d72e37cec7bd93

SHA1
be9ab2c2c3bdc2910a129880d691128649eac036

SHA256
619456ada2c155a1373cefa29d1c593af0e4c8043525c9ef55e4391a7390f9fe

SHA512
f35beaac3ba381176455ef82ad849441af82b64bc8eec8f800a786a2f66c9deaf627162814dfa3784d94f7f176a0d8bb2f92315d25576aaf5cb5c1e1ef0d5f11

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5xbacq1o\5xbacq1o.cmdline

Filesize
312B

MD5
e4661a8dd5ff93d5efcef5bafa21d10c

SHA1
a338230a60be2638faa79540b9ed7544668f979a

SHA256
efbafd0e971bf92d6bce08ab546a3dfde7e6b6f5b38b0f4e478d02209eedcdc1

SHA512
c97721b2529f70405231f174d1b8afbae0010170cb74a73f8053608ea3d2eb67fefe943765424fce72972ce083cc0cf2c12d8976d2e0178af21b9228481da6f1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5xbacq1o\CSC8E41E0AE1F6D4FAC84C0DA2BA364E21.TMP

Filesize
1KB

MD5
451afd6e9d1299071c5e89dfd1437f66

SHA1
c1655464cbb576f737cd0a8ca5b466a009a90c18

SHA256
a0b5f87fe782141da78dd72cbeab9ab530019402c27925df03834f619ed7eff4

SHA512
b5d3dddbf2ecdb5920455ead2d55ff0da830ba9152976184023e99834c2487481ada739c0b352c5cc6376fcf795ffc5e425c889c68e0a787f2e2962deaab8e8c

Download Submit
memory/1224-34-0x0000000003760000-0x0000000003860000-memory.dmp

Filesize
1024KB

Download
memory/1224-47-0x0000000006D80000-0x0000000006ED9000-memory.dmp

Filesize
1.3MB

Download
memory/1224-40-0x0000000006EE0000-0x000000000702A000-memory.dmp

Filesize
1.3MB

Download
memory/1224-39-0x0000000003760000-0x0000000003860000-memory.dmp

Filesize
1024KB

Download
memory/1224-49-0x0000000006EE0000-0x000000000702A000-memory.dmp

Filesize
1.3MB

Download
memory/1224-35-0x0000000006D80000-0x0000000006ED9000-memory.dmp

Filesize
1.3MB

Download
memory/1300-31-0x0000000073FF0000-0x00000000746DE000-memory.dmp

Filesize
6.9MB

Download
memory/1300-17-0x0000000000360000-0x000000000036A000-memory.dmp

Filesize
40KB

Download
memory/1300-1-0x0000000000E50000-0x0000000000F12000-memory.dmp

Filesize
776KB

Download
memory/1300-5-0x0000000073FF0000-0x00000000746DE000-memory.dmp

Filesize
6.9MB

Download
memory/1300-0-0x0000000073FFE000-0x0000000073FFF000-memory.dmp

Filesize
4KB

Download
memory/1300-19-0x0000000000A10000-0x0000000000A4A000-memory.dmp

Filesize
232KB

Download
memory/1300-23-0x0000000000B40000-0x0000000000B6A000-memory.dmp

Filesize
168KB

Download
memory/1300-20-0x0000000000660000-0x000000000066C000-memory.dmp

Filesize
48KB

Download
memory/2564-38-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2564-26-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2564-33-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2564-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2564-24-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2652-44-0x0000000000220000-0x0000000000226000-memory.dmp

Filesize
24KB

Download
memory/2652-42-0x0000000000220000-0x0000000000226000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing