formbook | 9294d9ac18fc397c3c00df5c4a666f7e4f93e624afd0f44f9626c55cf924d7d9

Analysis

max time kernel
131s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 18:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe
Size

359KB
MD5

6828f30ad0bc6e1bbd3fd67afa24ebd9
SHA1

4fb3cd6028de717756dd111d300ac8d2f7f0d7e9
SHA256

9294d9ac18fc397c3c00df5c4a666f7e4f93e624afd0f44f9626c55cf924d7d9
SHA512

eca4506fa425160f0a48dbb26f92ead9002e8a24337ebb3034c29af08b1beb51b2264f9473d44cdb932424e61d48e28bf6f9d84ce51768e8bf1a72a3e735d874
SSDEEP

6144:78HZLiBye6H49w+zj2B+B/qy9/HjqSVywQ+6KV/meQrJ9SFfL6JR3Cs:IHZLK6HYwSqm/hpH2E3Q7PP9SFfL6D3

Score

10^/10

formbook h343 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

h343

Decoy

adelphai-llc.com

lzck05xn1.biz

15sheridan.info

bmscustomz.com

djrhub.com

banjoconnect.com

educationtranslators.com

pauldmoch.com

almagspanish.com

wwwjinsha581.com

schrodesign.com

jstello.com

bostontaxextensions.com

schubbink.com

bahis10girisi.info

nevadaclear.com

rajgagantravels.com

emoneyinsurance.ltd

workshop-blog.com

sc-corp.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2652-10-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe

description	pid	process	target process
PID 1108 set thread context of 2652	1108	6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe	6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4556 1108 WerFault.exe 6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe

pid process

2652 6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe
2652 6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe

pid	pid_target	process	target process
4556	1108	WerFault.exe	6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe

pid	process
2652	6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe
2652	6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	1108	6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe
Token: 33	1108	6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1108	6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe

description	pid	process	target process
PID 1108 wrote to memory of 2652	1108	6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe	6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe
PID 1108 wrote to memory of 2652	1108	6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe	6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe
PID 1108 wrote to memory of 2652	1108	6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe	6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe
PID 1108 wrote to memory of 2652	1108	6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe	6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe
PID 1108 wrote to memory of 2652	1108	6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe	6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe
PID 1108 wrote to memory of 2652	1108	6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe	6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1108

C:\Users\Admin\AppData\Local\Temp\6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6828f30ad0bc6e1bbd3fd67afa24ebd9_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 1036
2⤵
- Program crash
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1108 -ip 1108
1⤵
PID:396

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1108-6-0x000000007484E000-0x000000007484F000-memory.dmp

Filesize
4KB

Download
memory/1108-1-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1108-2-0x00000000056C0000-0x00000000056E0000-memory.dmp

Filesize
128KB

Download
memory/1108-3-0x0000000005CC0000-0x0000000006264000-memory.dmp

Filesize
5.6MB

Download
memory/1108-4-0x0000000005820000-0x00000000058B2000-memory.dmp

Filesize
584KB

Download
memory/1108-5-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/1108-0-0x000000007484E000-0x000000007484F000-memory.dmp

Filesize
4KB

Download
memory/1108-7-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/1108-8-0x0000000005A80000-0x0000000005A8C000-memory.dmp

Filesize
48KB

Download
memory/1108-9-0x0000000006650000-0x00000000066EC000-memory.dmp

Filesize
624KB

Download
memory/1108-12-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/2652-10-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2652-11-0x00000000016C0000-0x0000000001A0A000-memory.dmp

Filesize
3.3MB

Download