formbook | ca49aa362621679944ff2bb5c323dbb64ef5f0364dff1be6168c0657962296ec

General

Target

50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe
Size

264KB
MD5

50282da5093e3086fcde377c5e8e28bd
SHA1

f8468c9953686b0b77dfb6949866c68b628ce73d
SHA256

ca49aa362621679944ff2bb5c323dbb64ef5f0364dff1be6168c0657962296ec
SHA512

7a60e543a0b918591c7dcec8286175ce3c2e746c18055ac5439a9790469b9152ab2f50be6dc7d8f70d0b4002e7b51a9e32a685befb83dc971311deca65c46818
SSDEEP

6144:G/HhXZxNiTGAATtFH0zpVVDkYx7pvX9GD:iXZykBFHApVVLFdXsD

Score

10^/10

formbook j0g2z5t rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

j0g2z5t

Decoy

nikolajslot.com

buysellhkonline.com

citytireandmuffler.com

moodichocolate.com

hiresses.com

1577584.com

chantaljamet.com

madamrichest.com

catfooddude.com

the9-city.com

dota2.red

risottomyway.com

cmbgw.com

ospreylandingfl.com

nmkindustries.com

video-cuentos.com

rktcont.net

suresourcetreatment.com

molinaroscollision.com

femmefetefashions.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/3052-14-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe

description	pid	process	target process
PID 1424 set thread context of 3052	1424	50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe	50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2724 schtasks.exe

pid	process
2724	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe

pid	process
1424	50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe
1424	50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe
3052	50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 1424 50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	1424	50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VvxEzXiV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp18ED.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2724
- C:\Users\Admin\AppData\Local\Temp\50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe"
  2⤵
  PID:2632
- C:\Users\Admin\AppData\Local\Temp\50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp18ED.tmp

Filesize
1KB

MD5
d139e30049c8809b88b9c2c9d860e0d3

SHA1
5764fc4e58b1832757fe5f07b021fb6b774f2771

SHA256
22a42d5798a0c1e40502b47ee508e0c20d9bdb8d21709f562f893cc1c4244631

SHA512
44dd6d72811f145522d9b8c758f6220de31909084c956d9c93d08f9fc7ad609863c430371ce69e2e2b2b873db96b05f9c955e4429da9f8aea145ed6e8ca1fbe7

Download Submit
memory/1424-0-0x0000000074F31000-0x0000000074F32000-memory.dmp

Filesize
4KB

Download
memory/1424-1-0x0000000074F30000-0x00000000754DB000-memory.dmp

Filesize
5.7MB

Download
memory/1424-2-0x0000000074F30000-0x00000000754DB000-memory.dmp

Filesize
5.7MB

Download
memory/1424-15-0x0000000074F30000-0x00000000754DB000-memory.dmp

Filesize
5.7MB

Download
memory/1424-16-0x0000000074F30000-0x00000000754DB000-memory.dmp

Filesize
5.7MB

Download
memory/3052-8-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3052-10-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3052-14-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3052-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3052-17-0x0000000000BD0000-0x0000000000ED3000-memory.dmp

Filesize
3.0MB

Download

description	pid	process	target process
PID 1424 wrote to memory of 2724	1424	50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe	schtasks.exe
PID 1424 wrote to memory of 2724	1424	50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe	schtasks.exe
PID 1424 wrote to memory of 2724	1424	50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe	schtasks.exe
PID 1424 wrote to memory of 2724	1424	50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe	schtasks.exe
PID 1424 wrote to memory of 2632	1424	50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe	50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe
PID 1424 wrote to memory of 2632	1424	50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe	50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe
PID 1424 wrote to memory of 2632	1424	50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe	50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe
PID 1424 wrote to memory of 2632	1424	50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe	50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe
PID 1424 wrote to memory of 3052	1424	50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe	50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe
PID 1424 wrote to memory of 3052	1424	50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe	50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe
PID 1424 wrote to memory of 3052	1424	50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe	50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe
PID 1424 wrote to memory of 3052	1424	50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe	50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe
PID 1424 wrote to memory of 3052	1424	50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe	50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe
PID 1424 wrote to memory of 3052	1424	50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe	50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe
PID 1424 wrote to memory of 3052	1424	50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe	50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads