formbook | ca49aa362621679944ff2bb5c323dbb64ef5f0364dff1be6168c0657962296ec

General

Target

50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe
Size

264KB
MD5

50282da5093e3086fcde377c5e8e28bd
SHA1

f8468c9953686b0b77dfb6949866c68b628ce73d
SHA256

ca49aa362621679944ff2bb5c323dbb64ef5f0364dff1be6168c0657962296ec
SHA512

7a60e543a0b918591c7dcec8286175ce3c2e746c18055ac5439a9790469b9152ab2f50be6dc7d8f70d0b4002e7b51a9e32a685befb83dc971311deca65c46818
SSDEEP

6144:G/HhXZxNiTGAATtFH0zpVVDkYx7pvX9GD:iXZykBFHApVVLFdXsD

Score

10^/10

formbook j0g2z5t rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

j0g2z5t

Decoy

nikolajslot.com

buysellhkonline.com

citytireandmuffler.com

moodichocolate.com

hiresses.com

1577584.com

chantaljamet.com

madamrichest.com

catfooddude.com

the9-city.com

dota2.red

risottomyway.com

cmbgw.com

ospreylandingfl.com

nmkindustries.com

video-cuentos.com

rktcont.net

suresourcetreatment.com

molinaroscollision.com

femmefetefashions.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2428-8-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe

description	pid	process	target process
PID 3812 set thread context of 2428	3812	50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe	50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

932 schtasks.exe

pid	process
932	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe

pid	process
3812	50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe
2428	50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe
2428	50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 3812 50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	3812	50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe

description	pid	process	target process
PID 3812 wrote to memory of 932	3812	50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe	schtasks.exe
PID 3812 wrote to memory of 932	3812	50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe	schtasks.exe
PID 3812 wrote to memory of 932	3812	50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe	schtasks.exe
PID 3812 wrote to memory of 2428	3812	50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe	50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe
PID 3812 wrote to memory of 2428	3812	50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe	50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe
PID 3812 wrote to memory of 2428	3812	50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe	50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe
PID 3812 wrote to memory of 2428	3812	50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe	50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe
PID 3812 wrote to memory of 2428	3812	50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe	50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe
PID 3812 wrote to memory of 2428	3812	50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe	50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3812
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VvxEzXiV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4E3F.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:932
- C:\Users\Admin\AppData\Local\Temp\50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\50282da5093e3086fcde377c5e8e28bdJaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4E3F.tmp

Filesize
1KB

MD5
78f9992e5c2ea93a72077a101d6b99db

SHA1
17054c9674c3736b1b6b888e542a4be0dff826b7

SHA256
fdab9bdab2abffd89d195752efd4b740bedd894eadd6c09495bcebeee83d4cbd

SHA512
c705664731f15949521f2146fb25a790e1e5b7abbc2f31f70675acc282e5efdb09726f604b703eea54976f1f8e221daf5e2f6ab0d8203a941831084e6b2baaa9

Download Submit
memory/2428-8-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2428-11-0x00000000016B0000-0x00000000019FA000-memory.dmp

Filesize
3.3MB

Download
memory/3812-0-0x0000000075032000-0x0000000075033000-memory.dmp

Filesize
4KB

Download
memory/3812-1-0x0000000075030000-0x00000000755E1000-memory.dmp

Filesize
5.7MB

Download
memory/3812-2-0x0000000075030000-0x00000000755E1000-memory.dmp

Filesize
5.7MB

Download
memory/3812-10-0x0000000075030000-0x00000000755E1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads