formbook | 5567b917f6a654268f367ca76a663f87c1e9b44a997cdac64935cc4105014c08

General

Target

5c92714c7fc8fcd425c5e2ef0b4a217b_JaffaCakes118.exe
Size

19KB
MD5

5c92714c7fc8fcd425c5e2ef0b4a217b
SHA1

d86c2586952d0082ee0b9d8f62e88356f52a4faf
SHA256

5567b917f6a654268f367ca76a663f87c1e9b44a997cdac64935cc4105014c08
SHA512

eaa139da94753953fb2b5bc02b5a9eb34913c8eb1e13a5e4dc3f81822e9c4702048e581c1725a989ed2733b528ed2da125923084c414620841b8eebc802c9179
SSDEEP

384:LBA6H714HOnS7B1scgfYdfeB68EDgf2h8:LBWHuS5gQEREUf2h8

Score

10^/10

formbook nds persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

nds

Decoy

superiortelecare.com

banxtube.com

tartonsprconstruction.com

r3msportsgroup.net

gcpplusquote-qa.com

ny004.xyz

solomonislandsforum.com

credit2wealthuniversity.com

parkavenueheightscd.com

millhillattorneys.com

gofoodreport.com

szylgy.com

bcsleadership.com

bestmichigancharters.com

financiant.com

alimentosmonteolivo.com

marastrawberry.com

centraxix.com

indexofscience.com

editorialpoints.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

5c92714c7fc8fcd425c5e2ef0b4a217b_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\5c92714c7fc8fcd425c5e2ef0b4a217b_JaffaCakes118.exe\""	5c92714c7fc8fcd425c5e2ef0b4a217b_JaffaCakes118.exe

Formbook payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/748-8-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/748-11-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Drops startup file 2 IoCs

Processes:

5c92714c7fc8fcd425c5e2ef0b4a217b_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5c92714c7fc8fcd425c5e2ef0b4a217b_JaffaCakes118.exe	5c92714c7fc8fcd425c5e2ef0b4a217b_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5c92714c7fc8fcd425c5e2ef0b4a217b_JaffaCakes118.exe	5c92714c7fc8fcd425c5e2ef0b4a217b_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5c92714c7fc8fcd425c5e2ef0b4a217b_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5c92714c7fc8fcd425c5e2ef0b4a217b_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5c92714c7fc8fcd425c5e2ef0b4a217b_JaffaCakes118.exe"	5c92714c7fc8fcd425c5e2ef0b4a217b_JaffaCakes118.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

27 pastebin.com
28 pastebin.com

flow	ioc
27	pastebin.com
28	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs

Processes:

5c92714c7fc8fcd425c5e2ef0b4a217b_JaffaCakes118.exe

pid	process
4740	5c92714c7fc8fcd425c5e2ef0b4a217b_JaffaCakes118.exe
4740	5c92714c7fc8fcd425c5e2ef0b4a217b_JaffaCakes118.exe
4740	5c92714c7fc8fcd425c5e2ef0b4a217b_JaffaCakes118.exe
4740	5c92714c7fc8fcd425c5e2ef0b4a217b_JaffaCakes118.exe
4740	5c92714c7fc8fcd425c5e2ef0b4a217b_JaffaCakes118.exe
4740	5c92714c7fc8fcd425c5e2ef0b4a217b_JaffaCakes118.exe
4740	5c92714c7fc8fcd425c5e2ef0b4a217b_JaffaCakes118.exe
4740	5c92714c7fc8fcd425c5e2ef0b4a217b_JaffaCakes118.exe
4740	5c92714c7fc8fcd425c5e2ef0b4a217b_JaffaCakes118.exe
4740	5c92714c7fc8fcd425c5e2ef0b4a217b_JaffaCakes118.exe
4740	5c92714c7fc8fcd425c5e2ef0b4a217b_JaffaCakes118.exe
4740	5c92714c7fc8fcd425c5e2ef0b4a217b_JaffaCakes118.exe
4740	5c92714c7fc8fcd425c5e2ef0b4a217b_JaffaCakes118.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

5c92714c7fc8fcd425c5e2ef0b4a217b_JaffaCakes118.exeinstallutil.exemsdt.exe

description	pid	process	target process
PID 4740 set thread context of 748	4740	5c92714c7fc8fcd425c5e2ef0b4a217b_JaffaCakes118.exe	installutil.exe
PID 748 set thread context of 3456	748	installutil.exe	Explorer.EXE
PID 1264 set thread context of 3456	1264	msdt.exe	Explorer.EXE

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1724 4740 WerFault.exe 5c92714c7fc8fcd425c5e2ef0b4a217b_JaffaCakes118.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3620 timeout.exe

pid	pid_target	process	target process
1724	4740	WerFault.exe	5c92714c7fc8fcd425c5e2ef0b4a217b_JaffaCakes118.exe

pid	process
3620	timeout.exe

Suspicious behavior: EnumeratesProcesses 63 IoCs

Processes:

5c92714c7fc8fcd425c5e2ef0b4a217b_JaffaCakes118.exeinstallutil.exemsdt.exe

pid	process
4740	5c92714c7fc8fcd425c5e2ef0b4a217b_JaffaCakes118.exe
4740	5c92714c7fc8fcd425c5e2ef0b4a217b_JaffaCakes118.exe
4740	5c92714c7fc8fcd425c5e2ef0b4a217b_JaffaCakes118.exe
748	installutil.exe
748	installutil.exe
748	installutil.exe
748	installutil.exe
1264	msdt.exe
1264	msdt.exe
1264	msdt.exe
1264	msdt.exe
1264	msdt.exe
1264	msdt.exe
1264	msdt.exe
1264	msdt.exe
1264	msdt.exe
1264	msdt.exe
1264	msdt.exe
1264	msdt.exe
1264	msdt.exe
1264	msdt.exe
1264	msdt.exe
1264	msdt.exe
1264	msdt.exe
1264	msdt.exe
1264	msdt.exe
1264	msdt.exe
1264	msdt.exe
1264	msdt.exe
1264	msdt.exe
1264	msdt.exe
1264	msdt.exe
1264	msdt.exe
1264	msdt.exe
1264	msdt.exe
1264	msdt.exe
1264	msdt.exe
1264	msdt.exe
1264	msdt.exe
1264	msdt.exe
1264	msdt.exe
1264	msdt.exe
1264	msdt.exe
1264	msdt.exe
1264	msdt.exe
1264	msdt.exe
1264	msdt.exe
1264	msdt.exe
1264	msdt.exe
1264	msdt.exe
1264	msdt.exe
1264	msdt.exe
1264	msdt.exe
1264	msdt.exe
1264	msdt.exe
1264	msdt.exe
1264	msdt.exe
1264	msdt.exe
1264	msdt.exe
1264	msdt.exe
1264	msdt.exe
1264	msdt.exe
1264	msdt.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

installutil.exemsdt.exe

pid process

748 installutil.exe
748 installutil.exe
748 installutil.exe
1264 msdt.exe
1264 msdt.exe

pid	process
748	installutil.exe
748	installutil.exe
748	installutil.exe
1264	msdt.exe
1264	msdt.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

5c92714c7fc8fcd425c5e2ef0b4a217b_JaffaCakes118.exeinstallutil.exeExplorer.EXEmsdt.exe

description	pid	process
Token: SeDebugPrivilege	4740	5c92714c7fc8fcd425c5e2ef0b4a217b_JaffaCakes118.exe
Token: SeDebugPrivilege	748	installutil.exe
Token: SeShutdownPrivilege	3456	Explorer.EXE
Token: SeCreatePagefilePrivilege	3456	Explorer.EXE
Token: SeDebugPrivilege	1264	msdt.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3456 Explorer.EXE

pid	process
3456	Explorer.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

5c92714c7fc8fcd425c5e2ef0b4a217b_JaffaCakes118.exeExplorer.EXEmsdt.exe

description	pid	process	target process
PID 4740 wrote to memory of 3620	4740	5c92714c7fc8fcd425c5e2ef0b4a217b_JaffaCakes118.exe	timeout.exe
PID 4740 wrote to memory of 3620	4740	5c92714c7fc8fcd425c5e2ef0b4a217b_JaffaCakes118.exe	timeout.exe
PID 4740 wrote to memory of 3620	4740	5c92714c7fc8fcd425c5e2ef0b4a217b_JaffaCakes118.exe	timeout.exe
PID 4740 wrote to memory of 748	4740	5c92714c7fc8fcd425c5e2ef0b4a217b_JaffaCakes118.exe	installutil.exe
PID 4740 wrote to memory of 748	4740	5c92714c7fc8fcd425c5e2ef0b4a217b_JaffaCakes118.exe	installutil.exe
PID 4740 wrote to memory of 748	4740	5c92714c7fc8fcd425c5e2ef0b4a217b_JaffaCakes118.exe	installutil.exe
PID 4740 wrote to memory of 748	4740	5c92714c7fc8fcd425c5e2ef0b4a217b_JaffaCakes118.exe	installutil.exe
PID 4740 wrote to memory of 748	4740	5c92714c7fc8fcd425c5e2ef0b4a217b_JaffaCakes118.exe	installutil.exe
PID 4740 wrote to memory of 748	4740	5c92714c7fc8fcd425c5e2ef0b4a217b_JaffaCakes118.exe	installutil.exe
PID 4740 wrote to memory of 748	4740	5c92714c7fc8fcd425c5e2ef0b4a217b_JaffaCakes118.exe	installutil.exe
PID 3456 wrote to memory of 1264	3456	Explorer.EXE	msdt.exe
PID 3456 wrote to memory of 1264	3456	Explorer.EXE	msdt.exe
PID 3456 wrote to memory of 1264	3456	Explorer.EXE	msdt.exe
PID 1264 wrote to memory of 5012	1264	msdt.exe	cmd.exe
PID 1264 wrote to memory of 5012	1264	msdt.exe	cmd.exe
PID 1264 wrote to memory of 5012	1264	msdt.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3456

C:\Users\Admin\AppData\Local\Temp\5c92714c7fc8fcd425c5e2ef0b4a217b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5c92714c7fc8fcd425c5e2ef0b4a217b_JaffaCakes118.exe"
2⤵
- Modifies WinLogon for persistence
- Drops startup file
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4740

C:\Windows\SysWOW64\timeout.exe
timeout 4
3⤵
- Delays execution with timeout.exe
PID:3620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 1812
3⤵
- Program crash
PID:1724

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1264

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
3⤵
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4740 -ip 4740
1⤵
PID:3336

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/748-11-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/748-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/748-9-0x0000000000A10000-0x0000000000D5A000-memory.dmp

Filesize
3.3MB

Download
memory/748-12-0x00000000009F0000-0x0000000000A04000-memory.dmp

Filesize
80KB

Download
memory/1264-16-0x0000000000990000-0x00000000009E7000-memory.dmp

Filesize
348KB

Download
memory/1264-15-0x0000000000990000-0x00000000009E7000-memory.dmp

Filesize
348KB

Download
memory/3456-24-0x000000000A930000-0x000000000AA9E000-memory.dmp

Filesize
1.4MB

Download
memory/3456-22-0x000000000A930000-0x000000000AA9E000-memory.dmp

Filesize
1.4MB

Download
memory/3456-20-0x000000000A930000-0x000000000AA9E000-memory.dmp

Filesize
1.4MB

Download
memory/3456-18-0x0000000009330000-0x0000000009414000-memory.dmp

Filesize
912KB

Download
memory/3456-13-0x0000000009330000-0x0000000009414000-memory.dmp

Filesize
912KB

Download
memory/4740-4-0x0000000005C60000-0x0000000005CAC000-memory.dmp

Filesize
304KB

Download
memory/4740-14-0x0000000074500000-0x0000000074CB0000-memory.dmp

Filesize
7.7MB

Download
memory/4740-5-0x0000000006260000-0x0000000006804000-memory.dmp

Filesize
5.6MB

Download
memory/4740-6-0x0000000074500000-0x0000000074CB0000-memory.dmp

Filesize
7.7MB

Download
memory/4740-0-0x000000007450E000-0x000000007450F000-memory.dmp

Filesize
4KB

Download
memory/4740-3-0x0000000074500000-0x0000000074CB0000-memory.dmp

Filesize
7.7MB

Download
memory/4740-2-0x00000000050E0000-0x000000000517C000-memory.dmp

Filesize
624KB

Download
memory/4740-1-0x0000000000860000-0x000000000086A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads