formbook | bca3d5eb15bb32ab76803b529838de3cf0217f3f247473e77dcb112d4b5a2517

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 05:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70eef5e2aeb9f20bd43597aa829a95e2_JaffaCakes118.exe
Size

357KB
MD5

70eef5e2aeb9f20bd43597aa829a95e2
SHA1

179331204a07257d0a8a5b43284fc2873ce9e620
SHA256

bca3d5eb15bb32ab76803b529838de3cf0217f3f247473e77dcb112d4b5a2517
SHA512

e5cd3b9405e8e2e79c2870082e60318364432c6cba3a1151fb74eed289c84d5133ae730bab715a810ed32b42c25386c9b422bfa6e9fad3c007749cad6dd15125
SSDEEP

6144:u/7ZlzuEeOtPY9jsrWzhLSwdMVsTrj5qwN4S3Fzs4+Xr0DP6:u/FbNY9jL9Swd+s39qzSRtKwDP

Score

10^/10

formbook ek rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

Decoy

zhongyaoqiao.com

jeffstoolbox.com

flychemnb.com

charismigi.com

peoplerush.com

liyachun.com

fdjszp168.com

beautydepilation.info

yq173.com

tanwenbin.com

besttrustloan.com

batdongsanminhanh.com

jimanwendy.com

heresfrosty.com

bkdkc.info

5534nn.com

foundweb.info

westroam.com

danielleautumn.com

82zhan7728.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2532-8-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

70eef5e2aeb9f20bd43597aa829a95e2_JaffaCakes118.exe

description	pid	process	target process
PID 2948 set thread context of 2532	2948	70eef5e2aeb9f20bd43597aa829a95e2_JaffaCakes118.exe	70eef5e2aeb9f20bd43597aa829a95e2_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

70eef5e2aeb9f20bd43597aa829a95e2_JaffaCakes118.exe

pid process

2532 70eef5e2aeb9f20bd43597aa829a95e2_JaffaCakes118.exe

pid	process
2532	70eef5e2aeb9f20bd43597aa829a95e2_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

70eef5e2aeb9f20bd43597aa829a95e2_JaffaCakes118.exe

description	pid	process	target process
PID 2948 wrote to memory of 2532	2948	70eef5e2aeb9f20bd43597aa829a95e2_JaffaCakes118.exe	70eef5e2aeb9f20bd43597aa829a95e2_JaffaCakes118.exe
PID 2948 wrote to memory of 2532	2948	70eef5e2aeb9f20bd43597aa829a95e2_JaffaCakes118.exe	70eef5e2aeb9f20bd43597aa829a95e2_JaffaCakes118.exe
PID 2948 wrote to memory of 2532	2948	70eef5e2aeb9f20bd43597aa829a95e2_JaffaCakes118.exe	70eef5e2aeb9f20bd43597aa829a95e2_JaffaCakes118.exe
PID 2948 wrote to memory of 2532	2948	70eef5e2aeb9f20bd43597aa829a95e2_JaffaCakes118.exe	70eef5e2aeb9f20bd43597aa829a95e2_JaffaCakes118.exe
PID 2948 wrote to memory of 2532	2948	70eef5e2aeb9f20bd43597aa829a95e2_JaffaCakes118.exe	70eef5e2aeb9f20bd43597aa829a95e2_JaffaCakes118.exe
PID 2948 wrote to memory of 2532	2948	70eef5e2aeb9f20bd43597aa829a95e2_JaffaCakes118.exe	70eef5e2aeb9f20bd43597aa829a95e2_JaffaCakes118.exe
PID 2948 wrote to memory of 2532	2948	70eef5e2aeb9f20bd43597aa829a95e2_JaffaCakes118.exe	70eef5e2aeb9f20bd43597aa829a95e2_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\70eef5e2aeb9f20bd43597aa829a95e2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\70eef5e2aeb9f20bd43597aa829a95e2_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Users\Admin\AppData\Local\Temp\70eef5e2aeb9f20bd43597aa829a95e2_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\70eef5e2aeb9f20bd43597aa829a95e2_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2532

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2532-4-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2532-5-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2532-8-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2532-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2532-10-0x00000000008A0000-0x0000000000BA3000-memory.dmp

Filesize
3.0MB

Download
memory/2948-0-0x0000000074071000-0x0000000074072000-memory.dmp

Filesize
4KB

Download
memory/2948-1-0x0000000074070000-0x000000007461B000-memory.dmp

Filesize
5.7MB

Download
memory/2948-2-0x0000000074070000-0x000000007461B000-memory.dmp

Filesize
5.7MB

Download
memory/2948-3-0x0000000074070000-0x000000007461B000-memory.dmp

Filesize
5.7MB

Download
memory/2948-9-0x0000000074070000-0x000000007461B000-memory.dmp

Filesize
5.7MB

Download