formbook | 6999f846f01515ae48c049e1114b0cebad84d0eb047c10684eff81e9d391ad0b

General

Target

4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe
Size

327KB
MD5

4b580aef493e3c12ff7c8c059cb73973
SHA1

efd2ba7c60ecd1d4e70850406d3d62f4c979eeef
SHA256

6999f846f01515ae48c049e1114b0cebad84d0eb047c10684eff81e9d391ad0b
SHA512

3822cd04861c1497241ac611bbc89b313df0d2bbd43b09f3cf1cf43ae796e4cf1254a73619f421480e5b0cd1b5e7bb36dd5d398a344e08e7f4ef091b939f22c7
SSDEEP

6144:r5L8cieNER8g5TNAKzLB1/1VS7EcsAFhr6RY6NLAnswHeGgoSKJLiWkFdDPNXcKd:Z8ciqEJViO1rSR56n0swHLjiBSKB9Z

Score

10^/10

formbook c191 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

c191

Decoy

yegua.rocks

retouraffectifrapide.com

mediacionelite.com

carrosseriemartins.com

filminglombokindonesia.com

rwpygl.info

wkwlkj.com

yjeoevqdaf.info

margaretaphotographs.com

damaskfabricandtextiles.com

woofgang.life

goodhabitsapp.com

kunweishidai.com

kuaizhilian.com

parkaraya.com

globallogic-us.com

charlottephotoboothrental.com

pouchbagsupplier.com

njlgmq.com

nazreenakhtar.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2448-100046-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral1/memory/2448-100049-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral1/memory/2448-100055-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral1/memory/1844-100060-0x00000000000D0000-0x00000000000FA000-memory.dmp	formbook
behavioral1/memory/1844-100065-0x00000000000D0000-0x00000000000FA000-memory.dmp	formbook

Loads dropped DLL 4 IoCs

Processes:

4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe

pid	process
1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe
1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe
1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe
1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

nslookup.execmstp.exe

description	pid	process	target process
PID 2448 set thread context of 1264	2448	nslookup.exe	Explorer.EXE
PID 2448 set thread context of 1264	2448	nslookup.exe	Explorer.EXE
PID 1844 set thread context of 1264	1844	cmstp.exe	Explorer.EXE

Drops file in Windows directory 1 IoCs

Processes:

4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe

description ioc process

File opened for modification C:\Windows\win.ini 4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\win.ini	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exenslookup.execmstp.exe

pid	process
1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe
2448	nslookup.exe
2448	nslookup.exe
2448	nslookup.exe
1844	cmstp.exe
1844	cmstp.exe
1844	cmstp.exe
1844	cmstp.exe
1844	cmstp.exe
1844	cmstp.exe
1844	cmstp.exe
1844	cmstp.exe
1844	cmstp.exe
1844	cmstp.exe
1844	cmstp.exe
1844	cmstp.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exenslookup.execmstp.exe

pid	process
1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe
2448	nslookup.exe
2448	nslookup.exe
2448	nslookup.exe
2448	nslookup.exe
1844	cmstp.exe
1844	cmstp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

nslookup.execmstp.exe

description pid process

Token: SeDebugPrivilege 2448 nslookup.exe
Token: SeDebugPrivilege 1844 cmstp.exe

description	pid	process
Token: SeDebugPrivilege	2448	nslookup.exe
Token: SeDebugPrivilege	1844	cmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe

description	pid	process	target process
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe
PID 1728 wrote to memory of 2448	1728	4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe	nslookup.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1264
- C:\Users\Admin\AppData\Local\Temp\4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\4b580aef493e3c12ff7c8c059cb73973_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\SysWOW64\nslookup.exe
    "C:\Windows\system32\nslookup.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2448
- C:\Windows\SysWOW64\cmstp.exe
  "C:\Windows\SysWOW64\cmstp.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  PID:1844
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\SysWOW64\nslookup.exe"
    3⤵
    PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\win.ini

Filesize
517B

MD5
893cae59ab5945a94a7da007d47a1255

SHA1
d4cfd81c6647ca64022bd307c08a7fb4bbbd4c06

SHA256
edfa0f2d3bea9f737e0315971c6f81d3d8e7d460b60a19351ada0316a093c938

SHA512
d66e454781f54f45df814ad32d687b0f100578c2a4ffca62de81add04281fb881a550702bd2d058933d3736d14e88624af268a86ce24b0c3935242b206ffdcc9

Download Submit
\Users\Admin\AppData\Local\Temp\alerting.dll

Filesize
9KB

MD5
899df66ecc89a8b62a4e01e719790daf

SHA1
81a289f7fe4560995b11c344ffe145df570a14e2

SHA256
b798c94ed8f6832b83fb5c6ca5c071dcac11e363fbfd4ce34dc68ff02a77678c

SHA512
300e7ac987ca9d012758ed9521c27f50a9f89440e2b5fe0ed3b3c0a48b13496c82f9ad1761a3d12e21f8622ef5a52082dd44aa30e3b97a2d6c054d2ca924cd7d

Download Submit
\Users\Admin\AppData\Local\Temp\nsd9935.tmp\Splash.dll

Filesize
4KB

MD5
3f35f73787f0c3bb5e59445fb18ade0d

SHA1
f1566faff96c3988cfc28dc7d433094b6348cdbf

SHA256
5570969d22a33c23b60c5f5536f781219e458a869b77b8dde4a94cc124ee4de6

SHA512
45c42ea95f53a3b8a3fd74bd55ad6f0b3f2b91dd969104de845fd819fe307dec2b4d472bee45554500b0c51052ee82ac98196e894af806edf67a947328474e57

Download Submit
\Users\Admin\AppData\Local\Temp\nsd9935.tmp\System.dll

Filesize
11KB

MD5
fbe295e5a1acfbd0a6271898f885fe6a

SHA1
d6d205922e61635472efb13c2bb92c9ac6cb96da

SHA256
a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

SHA512
2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

Download Submit
memory/1264-100064-0x0000000006500000-0x00000000065DC000-memory.dmp

Filesize
880KB

Download
memory/1264-100052-0x00000000061A0000-0x00000000062DA000-memory.dmp

Filesize
1.2MB

Download
memory/1264-100051-0x0000000004BB0000-0x0000000004CB0000-memory.dmp

Filesize
1024KB

Download
memory/1264-100058-0x0000000006500000-0x00000000065DC000-memory.dmp

Filesize
880KB

Download
memory/1264-100057-0x00000000061A0000-0x00000000062DA000-memory.dmp

Filesize
1.2MB

Download
memory/1728-100032-0x0000000000440000-0x0000000000449000-memory.dmp

Filesize
36KB

Download
memory/1728-100033-0x0000000076D00000-0x0000000076EA9000-memory.dmp

Filesize
1.7MB

Download
memory/1728-23-0x00000000003F0000-0x00000000003F7000-memory.dmp

Filesize
28KB

Download
memory/1728-33-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1728-34-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1844-100065-0x00000000000D0000-0x00000000000FA000-memory.dmp

Filesize
168KB

Download
memory/1844-100060-0x00000000000D0000-0x00000000000FA000-memory.dmp

Filesize
168KB

Download
memory/1844-100059-0x00000000003D0000-0x00000000003E8000-memory.dmp

Filesize
96KB

Download
memory/2448-100047-0x0000000002AD0000-0x0000000002DD3000-memory.dmp

Filesize
3.0MB

Download
memory/2448-100056-0x0000000000430000-0x0000000000444000-memory.dmp

Filesize
80KB

Download
memory/2448-100055-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2448-100053-0x00000000000D0000-0x00000000000D5000-memory.dmp

Filesize
20KB

Download
memory/2448-100049-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2448-100050-0x00000000003C0000-0x00000000003D4000-memory.dmp

Filesize
80KB

Download
memory/2448-100046-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2448-100035-0x0000000076D00000-0x0000000076EA9000-memory.dmp

Filesize
1.7MB

Download
memory/2448-100034-0x00000000000D0000-0x00000000000D5000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads