formbook | 9294d9ac18fc397c3c00df5c4a666f7e4f93e624afd0f44f9626c55cf924d7d9

General

Target

6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe
Size

359KB
MD5

6828f30ad0bc6e1bbd3fd67afa24ebd9
SHA1

4fb3cd6028de717756dd111d300ac8d2f7f0d7e9
SHA256

9294d9ac18fc397c3c00df5c4a666f7e4f93e624afd0f44f9626c55cf924d7d9
SHA512

eca4506fa425160f0a48dbb26f92ead9002e8a24337ebb3034c29af08b1beb51b2264f9473d44cdb932424e61d48e28bf6f9d84ce51768e8bf1a72a3e735d874
SSDEEP

6144:78HZLiBye6H49w+zj2B+B/qy9/HjqSVywQ+6KV/meQrJ9SFfL6JR3Cs:IHZLK6HYwSqm/hpH2E3Q7PP9SFfL6D3

Score

10^/10

formbook h343 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

h343

Decoy

adelphai-llc.com

lzck05xn1.biz

15sheridan.info

bmscustomz.com

djrhub.com

banjoconnect.com

educationtranslators.com

pauldmoch.com

almagspanish.com

wwwjinsha581.com

schrodesign.com

jstello.com

bostontaxextensions.com

schubbink.com

bahis10girisi.info

nevadaclear.com

rajgagantravels.com

emoneyinsurance.ltd

workshop-blog.com

sc-corp.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2316-11-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe

description	pid	process	target process
PID 2284 set thread context of 2316	2284	6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe	6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2728 2284 WerFault.exe 6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe

pid process

2316 6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe

pid	pid_target	process	target process
2728	2284	WerFault.exe	6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe

pid	process
2316	6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2284	6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe
Token: 33	2284	6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2284	6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe

description	pid	process	target process
PID 2284 wrote to memory of 2316	2284	6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe	6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe
PID 2284 wrote to memory of 2316	2284	6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe	6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe
PID 2284 wrote to memory of 2316	2284	6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe	6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe
PID 2284 wrote to memory of 2316	2284	6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe	6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe
PID 2284 wrote to memory of 2316	2284	6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe	6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe
PID 2284 wrote to memory of 2316	2284	6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe	6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe
PID 2284 wrote to memory of 2316	2284	6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe	6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe
PID 2284 wrote to memory of 2728	2284	6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe	WerFault.exe
PID 2284 wrote to memory of 2728	2284	6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe	WerFault.exe
PID 2284 wrote to memory of 2728	2284	6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe	WerFault.exe
PID 2284 wrote to memory of 2728	2284	6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2284

C:\Users\Admin\AppData\Local\Temp\6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 1012
2⤵
- Program crash
PID:2728

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2284-0-0x00000000742DE000-0x00000000742DF000-memory.dmp

Filesize
4KB

Download
memory/2284-1-0x0000000001020000-0x0000000001080000-memory.dmp

Filesize
384KB

Download
memory/2284-2-0x0000000000320000-0x0000000000340000-memory.dmp

Filesize
128KB

Download
memory/2284-3-0x00000000742D0000-0x00000000749BE000-memory.dmp

Filesize
6.9MB

Download
memory/2284-4-0x00000000742D0000-0x00000000749BE000-memory.dmp

Filesize
6.9MB

Download
memory/2284-5-0x00000000742D0000-0x00000000749BE000-memory.dmp

Filesize
6.9MB

Download
memory/2284-6-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2316-7-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2316-8-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2316-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2316-11-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2316-12-0x0000000000870000-0x0000000000B73000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads