formbook | 400ce3db41e45539da9cbec4768fe45f31d7ad4bd276fff441c79231d959cff0

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
13/05/2024, 07:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3e57cda1537e5da871c8f1d97ec7d337_JaffaCakes118.exe
Size

750KB
MD5

3e57cda1537e5da871c8f1d97ec7d337
SHA1

d8840938fc45e5d20a0ca3ebebf794617a81e960
SHA256

400ce3db41e45539da9cbec4768fe45f31d7ad4bd276fff441c79231d959cff0
SHA512

3e06bed588ad457f639e2a9ca17abf26c1d77b827dcb9224963c09a1d31165ff0300b90741160c971902e30fe81918639515e5b45992704765e4b3dcbfeb3357
SSDEEP

6144:7lMdF++8cNR1ykQXQAIvD1U0TV33GqK6fPu6WBis:7fcj1yk1bvD1U0TVmqPHWBis

Score

10^/10

formbook d02 persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

d02

Decoy

sanforly.com

alignyourasana.com

savecivilization.solutions

theindiedisco.com

284man.com

sophisticateddining.com

lgzcgs.com

cougarstech.com

osce.info

fromthebeginningtotheend.com

w349cu.com

yumanmusic.com

brehinier.com

4500pe.com

sachionaonlineradio.info

parispolskibus.com

juranfukang.com

dqtv0459.com

chinesesovereigncoin.com

monoclothes.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/1852-24-0x00000000058B0000-0x00000000058DA000-memory.dmp	formbook
behavioral2/memory/1780-30-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	mstsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\0TD0GLUH3T4 = "C:\\Program Files (x86)\\Iffip\\mpxip5dani.exe"	mstsc.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XJmdcQ.url	3e57cda1537e5da871c8f1d97ec7d337_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1852 set thread context of 1780	1852	3e57cda1537e5da871c8f1d97ec7d337_JaffaCakes118.exe	88
PID 1780 set thread context of 3452	1780	vbc.exe	57
PID 5000 set thread context of 3452	5000	mstsc.exe	57

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Iffip\mpxip5dani.exe	mstsc.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	mstsc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1852	3e57cda1537e5da871c8f1d97ec7d337_JaffaCakes118.exe
1852	3e57cda1537e5da871c8f1d97ec7d337_JaffaCakes118.exe
1780	vbc.exe
1780	vbc.exe
1780	vbc.exe
1780	vbc.exe
5000	mstsc.exe
5000	mstsc.exe
5000	mstsc.exe
5000	mstsc.exe
5000	mstsc.exe
5000	mstsc.exe
5000	mstsc.exe
5000	mstsc.exe
5000	mstsc.exe
5000	mstsc.exe
5000	mstsc.exe
5000	mstsc.exe
5000	mstsc.exe
5000	mstsc.exe
5000	mstsc.exe
5000	mstsc.exe
5000	mstsc.exe
5000	mstsc.exe
5000	mstsc.exe
5000	mstsc.exe
5000	mstsc.exe
5000	mstsc.exe
5000	mstsc.exe
5000	mstsc.exe
5000	mstsc.exe
5000	mstsc.exe
5000	mstsc.exe
5000	mstsc.exe
5000	mstsc.exe
5000	mstsc.exe
5000	mstsc.exe
5000	mstsc.exe
5000	mstsc.exe
5000	mstsc.exe
5000	mstsc.exe
5000	mstsc.exe
5000	mstsc.exe
5000	mstsc.exe
5000	mstsc.exe
5000	mstsc.exe
5000	mstsc.exe
5000	mstsc.exe
5000	mstsc.exe
5000	mstsc.exe
5000	mstsc.exe
5000	mstsc.exe
5000	mstsc.exe
5000	mstsc.exe
5000	mstsc.exe
5000	mstsc.exe
5000	mstsc.exe
5000	mstsc.exe
5000	mstsc.exe
5000	mstsc.exe
5000	mstsc.exe
5000	mstsc.exe
5000	mstsc.exe
5000	mstsc.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
1780	vbc.exe
1780	vbc.exe
1780	vbc.exe
5000	mstsc.exe
5000	mstsc.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1852	3e57cda1537e5da871c8f1d97ec7d337_JaffaCakes118.exe
Token: SeDebugPrivilege	1780	vbc.exe
Token: SeDebugPrivilege	5000	mstsc.exe
Token: SeShutdownPrivilege	3452	Explorer.EXE
Token: SeCreatePagefilePrivilege	3452	Explorer.EXE
Token: SeShutdownPrivilege	3452	Explorer.EXE
Token: SeCreatePagefilePrivilege	3452	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3452	Explorer.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 1684	1852	3e57cda1537e5da871c8f1d97ec7d337_JaffaCakes118.exe	83
PID 1852 wrote to memory of 1684	1852	3e57cda1537e5da871c8f1d97ec7d337_JaffaCakes118.exe	83
PID 1852 wrote to memory of 1684	1852	3e57cda1537e5da871c8f1d97ec7d337_JaffaCakes118.exe	83
PID 1684 wrote to memory of 2156	1684	csc.exe	86
PID 1684 wrote to memory of 2156	1684	csc.exe	86
PID 1684 wrote to memory of 2156	1684	csc.exe	86
PID 1852 wrote to memory of 1780	1852	3e57cda1537e5da871c8f1d97ec7d337_JaffaCakes118.exe	88
PID 1852 wrote to memory of 1780	1852	3e57cda1537e5da871c8f1d97ec7d337_JaffaCakes118.exe	88
PID 1852 wrote to memory of 1780	1852	3e57cda1537e5da871c8f1d97ec7d337_JaffaCakes118.exe	88
PID 1852 wrote to memory of 1780	1852	3e57cda1537e5da871c8f1d97ec7d337_JaffaCakes118.exe	88
PID 1852 wrote to memory of 1780	1852	3e57cda1537e5da871c8f1d97ec7d337_JaffaCakes118.exe	88
PID 1852 wrote to memory of 1780	1852	3e57cda1537e5da871c8f1d97ec7d337_JaffaCakes118.exe	88
PID 3452 wrote to memory of 5000	3452	Explorer.EXE	90
PID 3452 wrote to memory of 5000	3452	Explorer.EXE	90
PID 3452 wrote to memory of 5000	3452	Explorer.EXE	90
PID 5000 wrote to memory of 4984	5000	mstsc.exe	95
PID 5000 wrote to memory of 4984	5000	mstsc.exe	95
PID 5000 wrote to memory of 4984	5000	mstsc.exe	95
PID 5000 wrote to memory of 2024	5000	mstsc.exe	103
PID 5000 wrote to memory of 2024	5000	mstsc.exe	103
PID 5000 wrote to memory of 2024	5000	mstsc.exe	103

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3452
- C:\Users\Admin\AppData\Local\Temp\3e57cda1537e5da871c8f1d97ec7d337_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\3e57cda1537e5da871c8f1d97ec7d337_JaffaCakes118.exe"
  2⤵
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1852
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zdidaep3\zdidaep3.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1684
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES370E.tmp" "c:\Users\Admin\AppData\Local\Temp\zdidaep3\CSC6EC7E5FEA0A4F9DB3EC98CDA3558263.TMP"
      4⤵
      PID:2156
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1780
- C:\Windows\SysWOW64\mstsc.exe
  "C:\Windows\SysWOW64\mstsc.exe"
  2⤵
  - Adds policy Run key to start application
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5000
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    3⤵
    PID:4984
- - C:\Windows\SysWOW64\cmd.exe
    /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
    3⤵
    PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DB1

Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES370E.tmp

Filesize
1KB

MD5
d0a8c9e236643b2c08245824d1c473e0

SHA1
683c2e9ffe0a30b499774a684589598bcb3d6160

SHA256
bdd10e835a62bd4c2889d350531900ee732f1c424425b53f6ed0dcb8e34a97ce

SHA512
b05b164b8be522d06bed73f63f43dcccd9d81a113b640be9c595cd2d9bcf9d0b23a45a543bbbc8da158a6163d62132f890cd66856db9125b933ac58445acd9e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\zdidaep3\zdidaep3.dll

Filesize
14KB

MD5
d90b2bedb0f0c663da6b91a1aa0f61fd

SHA1
04992ca0f95c72191fe2a0cfd3e029442abb438a

SHA256
81d35f9c41f39b191793f77266a846144de75fdca8000ac082c96e4b32d43fdf

SHA512
82437a77d9cabdca6c37f09024c96354543694f83eed6d8a05b7fc14e4b0766697fc5bb6dd506759d3fdfedb9c503e4c3318c63755d7d1bff3cd95486690d450

Download Submit
C:\Users\Admin\AppData\Local\Temp\zdidaep3\zdidaep3.pdb

Filesize
49KB

MD5
dbb5bdd815c30e5e3048dbffce8d394a

SHA1
7d73e243544365c15ba8d828cbd3013cedbc877f

SHA256
12f9421f21573bba7d9e7a4129467fbcd8691b8650027be083e35f47b62efd0a

SHA512
388aa5b6a8cc444cf33c077c37adde14e3ff6bf1bc48f235217318a47b5cab8a62ac736d60152d470a8eac607abff9488e40d0dd99f86812c3e90bec8b0b2a87

Download Submit
C:\Users\Admin\AppData\Roaming\J029SU2F\J02logim.jpeg

Filesize
85KB

MD5
54664480ef7aabdc419f40a36d95af7a

SHA1
ea746f5c217e773157fb00b5eaed694773bef1cf

SHA256
48ae28b87b0c511c3c678f55e1d7a60ace3ef38b871f64aefb46b37a9ea448e2

SHA512
3af31df41d6b2445bbe4eebc881e85d9b1a22352d291ec06c306c44dced8ebc21ece6aec2fed5305069e77c1dd1bc491e446432d8a285c34d5dc0dcbfadee499

Download Submit
C:\Users\Admin\AppData\Roaming\J029SU2F\J02logrg.ini

Filesize
38B

MD5
4aadf49fed30e4c9b3fe4a3dd6445ebe

SHA1
1e332822167c6f351b99615eada2c30a538ff037

SHA256
75034beb7bded9aeab5748f4592b9e1419256caec474065d43e531ec5cc21c56

SHA512
eb5b3908d5e7b43ba02165e092f05578f45f15a148b4c3769036aa542c23a0f7cd2bc2770cf4119a7e437de3f681d9e398511f69f66824c516d9b451bb95f945

Download Submit
C:\Users\Admin\AppData\Roaming\J029SU2F\J02logri.ini

Filesize
40B

MD5
d63a82e5d81e02e399090af26db0b9cb

SHA1
91d0014c8f54743bba141fd60c9d963f869d76c9

SHA256
eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

SHA512
38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

Download Submit
C:\Users\Admin\AppData\Roaming\J029SU2F\J02logrv.ini

Filesize
872B

MD5
bbc41c78bae6c71e63cb544a6a284d94

SHA1
33f2c1d9fa0e9c99b80bc2500621e95af38b1f9a

SHA256
ee83c6bcea9353c74bfc0a7e739f3c4a765ace894470e09cdcdebba700b8d4cb

SHA512
0aea424b57adae3e14ad6491cab585f554b4dffe601b5a17bad6ee6177d2f0f995e419cde576e2d1782b9bddc0661aada11a2c9f1454ae625d9e3223635ec9f4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zdidaep3\CSC6EC7E5FEA0A4F9DB3EC98CDA3558263.TMP

Filesize
1KB

MD5
e472ca01751d5562313243e3a897c202

SHA1
e05ba76edeead342c3dda3a0b71955bc4246cdfb

SHA256
3b9a1c5f57904ee3ee8a65369ea693e1ae359f69288ace8faba44a95ac7e95ff

SHA512
2bad0138589349063bb5b2f2f6e09119d6d794d533435178ca44d15e188c06ebd26f9c946825f0221dda2fbfcdb21a61a5130a126f09dd363f112291194386e8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zdidaep3\zdidaep3.0.cs

Filesize
28KB

MD5
ba7e581d0ab64da6a7d72e37cec7bd93

SHA1
be9ab2c2c3bdc2910a129880d691128649eac036

SHA256
619456ada2c155a1373cefa29d1c593af0e4c8043525c9ef55e4391a7390f9fe

SHA512
f35beaac3ba381176455ef82ad849441af82b64bc8eec8f800a786a2f66c9deaf627162814dfa3784d94f7f176a0d8bb2f92315d25576aaf5cb5c1e1ef0d5f11

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zdidaep3\zdidaep3.cmdline

Filesize
312B

MD5
eb21c726824f22b708f9de81381806ba

SHA1
d2cd1dacd4bf9c57bcf74891a97f5eb494a19a5b

SHA256
1ab64df669233df3159e9bd416b0c586e16d892d3467d10e14853baf055761f2

SHA512
3e970f55010724891be18c3ec2aedc99a5e1f4f8d4f06ef45c6b1d1311beadc5e6df0e31063c4019b234477adef8c53b3b9a3885c3e7c60a270ca839013d6a91

Download Submit
memory/1780-30-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1852-21-0x0000000005730000-0x000000000573C000-memory.dmp

Filesize
48KB

Download
memory/1852-24-0x00000000058B0000-0x00000000058DA000-memory.dmp

Filesize
168KB

Download
memory/1852-25-0x0000000005F90000-0x000000000602C000-memory.dmp

Filesize
624KB

Download
memory/1852-28-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/1852-20-0x0000000005850000-0x000000000588A000-memory.dmp

Filesize
232KB

Download
memory/1852-0-0x00000000745DE000-0x00000000745DF000-memory.dmp

Filesize
4KB

Download
memory/1852-1-0x0000000000CB0000-0x0000000000D72000-memory.dmp

Filesize
776KB

Download
memory/1852-5-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/1852-19-0x0000000005740000-0x00000000057D2000-memory.dmp

Filesize
584KB

Download
memory/1852-17-0x0000000001790000-0x000000000179A000-memory.dmp

Filesize
40KB

Download
memory/3452-31-0x0000000003530000-0x000000000362D000-memory.dmp

Filesize
1012KB

Download
memory/3452-41-0x0000000008CC0000-0x0000000008DB0000-memory.dmp

Filesize
960KB

Download
memory/3452-38-0x0000000003530000-0x000000000362D000-memory.dmp

Filesize
1012KB

Download
memory/5000-36-0x0000000000B90000-0x0000000000CCA000-memory.dmp

Filesize
1.2MB

Download
memory/5000-33-0x0000000000B90000-0x0000000000CCA000-memory.dmp

Filesize
1.2MB

Download