formbook | 092604ea968c54cd13c04fe2e85a4f5ec9e5b6ad5c83577160d1108c69156bf2

General

Target

5ee46295b565a80943c79c4adee9dec7_JaffaCakes118.exe
Size

237KB
MD5

5ee46295b565a80943c79c4adee9dec7
SHA1

088040d934fc1f30424def22adf3a8063c09bfda
SHA256

092604ea968c54cd13c04fe2e85a4f5ec9e5b6ad5c83577160d1108c69156bf2
SHA512

b77b40775ef3581f8d6dade14d8672cf55c9e433c76956a59182e3d01971f6e5209d5e3ed30ba0bd989d73aa9d3956b0dc8bd99427c5179f9c4e7efb9824b406
SSDEEP

6144:VIH3fprvmAlYazYP+FqKfr0w6T+J0qwHkbAhfUKE6R3o:OXxuCYaFZB07QA+K3J

Score

10^/10

formbook b4630 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

b4630

Decoy

touchlessfund.com

tokenizemortgage.com

suninfosystem.net

eugeneskeef.com

comprindoameta.com

simonhousecopake.com

mastergrannyflats.net

hocahanim-dogalurunler.com

skoolsoftware.com

remoteittrainer.com

digitalchurchchallenge.com

poslenastishina.com

officialamandacoppotelli.com

nomadadventuretours.com

prayforlouisiana.com

prochain.finance

heroesrisingtocurecancer.com

caresalt.com

vizslatshirt.com

defengineer.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1508-8-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/1508-11-0x0000000000400000-0x000000000042E000-memory.dmp	formbook

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 3 IoCs

Processes:

5ee46295b565a80943c79c4adee9dec7_JaffaCakes118.exevbc.exeraserver.exe

description	pid	process	target process
PID 1608 set thread context of 1508	1608	5ee46295b565a80943c79c4adee9dec7_JaffaCakes118.exe	vbc.exe
PID 1508 set thread context of 3516	1508	vbc.exe	Explorer.EXE
PID 4620 set thread context of 3516	4620	raserver.exe	Explorer.EXE

Modifies registry class 2 IoCs

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

5ee46295b565a80943c79c4adee9dec7_JaffaCakes118.exevbc.exeraserver.exe

pid	process
1608	5ee46295b565a80943c79c4adee9dec7_JaffaCakes118.exe
1608	5ee46295b565a80943c79c4adee9dec7_JaffaCakes118.exe
1508	vbc.exe
1508	vbc.exe
1508	vbc.exe
1508	vbc.exe
4620	raserver.exe
4620	raserver.exe
4620	raserver.exe
4620	raserver.exe
4620	raserver.exe
4620	raserver.exe
4620	raserver.exe
4620	raserver.exe
4620	raserver.exe
4620	raserver.exe
4620	raserver.exe
4620	raserver.exe
4620	raserver.exe
4620	raserver.exe
4620	raserver.exe
4620	raserver.exe
4620	raserver.exe
4620	raserver.exe
4620	raserver.exe
4620	raserver.exe
4620	raserver.exe
4620	raserver.exe
4620	raserver.exe
4620	raserver.exe
4620	raserver.exe
4620	raserver.exe
4620	raserver.exe
4620	raserver.exe
4620	raserver.exe
4620	raserver.exe
4620	raserver.exe
4620	raserver.exe
4620	raserver.exe
4620	raserver.exe
4620	raserver.exe
4620	raserver.exe
4620	raserver.exe
4620	raserver.exe
4620	raserver.exe
4620	raserver.exe
4620	raserver.exe
4620	raserver.exe
4620	raserver.exe
4620	raserver.exe
4620	raserver.exe
4620	raserver.exe
4620	raserver.exe
4620	raserver.exe
4620	raserver.exe
4620	raserver.exe
4620	raserver.exe
4620	raserver.exe
4620	raserver.exe
4620	raserver.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

vbc.exeraserver.exe

pid process

1508 vbc.exe
1508 vbc.exe
1508 vbc.exe
4620 raserver.exe
4620 raserver.exe

pid	process
1508	vbc.exe
1508	vbc.exe
1508	vbc.exe
4620	raserver.exe
4620	raserver.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

5ee46295b565a80943c79c4adee9dec7_JaffaCakes118.exevbc.exeraserver.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1608	5ee46295b565a80943c79c4adee9dec7_JaffaCakes118.exe
Token: SeDebugPrivilege	1508	vbc.exe
Token: SeDebugPrivilege	4620	raserver.exe
Token: SeShutdownPrivilege	3516	Explorer.EXE
Token: SeCreatePagefilePrivilege	3516	Explorer.EXE
Token: SeShutdownPrivilege	3516	Explorer.EXE
Token: SeCreatePagefilePrivilege	3516	Explorer.EXE
Token: SeShutdownPrivilege	3516	Explorer.EXE
Token: SeCreatePagefilePrivilege	3516	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3516 Explorer.EXE

pid	process
3516	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

5ee46295b565a80943c79c4adee9dec7_JaffaCakes118.exeExplorer.EXEraserver.exe

description	pid	process	target process
PID 1608 wrote to memory of 1508	1608	5ee46295b565a80943c79c4adee9dec7_JaffaCakes118.exe	vbc.exe
PID 1608 wrote to memory of 1508	1608	5ee46295b565a80943c79c4adee9dec7_JaffaCakes118.exe	vbc.exe
PID 1608 wrote to memory of 1508	1608	5ee46295b565a80943c79c4adee9dec7_JaffaCakes118.exe	vbc.exe
PID 1608 wrote to memory of 1508	1608	5ee46295b565a80943c79c4adee9dec7_JaffaCakes118.exe	vbc.exe
PID 1608 wrote to memory of 1508	1608	5ee46295b565a80943c79c4adee9dec7_JaffaCakes118.exe	vbc.exe
PID 1608 wrote to memory of 1508	1608	5ee46295b565a80943c79c4adee9dec7_JaffaCakes118.exe	vbc.exe
PID 3516 wrote to memory of 4620	3516	Explorer.EXE	raserver.exe
PID 3516 wrote to memory of 4620	3516	Explorer.EXE	raserver.exe
PID 3516 wrote to memory of 4620	3516	Explorer.EXE	raserver.exe
PID 4620 wrote to memory of 3312	4620	raserver.exe	cmd.exe
PID 4620 wrote to memory of 3312	4620	raserver.exe	cmd.exe
PID 4620 wrote to memory of 3312	4620	raserver.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3516

C:\Users\Admin\AppData\Local\Temp\5ee46295b565a80943c79c4adee9dec7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5ee46295b565a80943c79c4adee9dec7_JaffaCakes118.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1508

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4620

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:3312

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1508-8-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1508-11-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1508-12-0x0000000001160000-0x0000000001174000-memory.dmp

Filesize
80KB

Download
memory/1508-9-0x0000000001700000-0x0000000001A4A000-memory.dmp

Filesize
3.3MB

Download
memory/1608-5-0x0000000074C50000-0x0000000075400000-memory.dmp

Filesize
7.7MB

Download
memory/1608-14-0x0000000074C5E000-0x0000000074C5F000-memory.dmp

Filesize
4KB

Download
memory/1608-6-0x0000000005380000-0x000000000538A000-memory.dmp

Filesize
40KB

Download
memory/1608-7-0x0000000005430000-0x000000000543A000-memory.dmp

Filesize
40KB

Download
memory/1608-4-0x0000000005120000-0x000000000512A000-memory.dmp

Filesize
40KB

Download
memory/1608-3-0x0000000005170000-0x0000000005202000-memory.dmp

Filesize
584KB

Download
memory/1608-2-0x0000000005680000-0x0000000005C24000-memory.dmp

Filesize
5.6MB

Download
memory/1608-1-0x0000000000710000-0x0000000000752000-memory.dmp

Filesize
264KB

Download
memory/1608-20-0x0000000074C50000-0x0000000075400000-memory.dmp

Filesize
7.7MB

Download
memory/1608-0-0x0000000074C5E000-0x0000000074C5F000-memory.dmp

Filesize
4KB

Download
memory/1608-18-0x0000000074C50000-0x0000000075400000-memory.dmp

Filesize
7.7MB

Download
memory/3516-13-0x0000000003550000-0x0000000003607000-memory.dmp

Filesize
732KB

Download
memory/3516-22-0x0000000003550000-0x0000000003607000-memory.dmp

Filesize
732KB

Download
memory/3516-25-0x0000000007950000-0x00000000079ED000-memory.dmp

Filesize
628KB

Download
memory/3516-27-0x0000000007950000-0x00000000079ED000-memory.dmp

Filesize
628KB

Download
memory/3516-30-0x0000000007950000-0x00000000079ED000-memory.dmp

Filesize
628KB

Download
memory/4620-17-0x0000000000240000-0x000000000025F000-memory.dmp

Filesize
124KB

Download
memory/4620-15-0x0000000000240000-0x000000000025F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads