formbook | da111408d9dccb99b2c429d535ca55f6e970d911da4c24553e75d02fe9c00489

General

Target

85c3d336415e2d1d331b6565559d475b_JaffaCakes118.exe
Size

676KB
MD5

85c3d336415e2d1d331b6565559d475b
SHA1

f117eb6b482560f7db100f6bc2a5d97c983a1506
SHA256

da111408d9dccb99b2c429d535ca55f6e970d911da4c24553e75d02fe9c00489
SHA512

25061663551ac20347d2263fdbb21f4c79f51c30623938bd02179dbb778291646423430c42d2a23367dd06f226ae590cf87f238699f312c5abb1bade22bfdd76
SSDEEP

12288:8zmWSemlxC2WQXoyfNb2tALwvogLDiD/PkVCAkJca:8edl0YhvLwvo+mccJca

Score

10^/10

formbook k8b rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

k8b

Decoy

lulubellsgraphicsanddesigns.com

metyx.info

www423337.com

stayliveclothing.com

daluotech.com

thetruthpublished.com

pqlzlnwpz.icu

bilginhayvancilik.com

ismartdvr.com

currenibtc.com

dalesj.com

restaurantlemontblanc.com

lunarstores.com

pho-huy.com

liquidhardrive.com

bcheaplivebuy.com

evisaagency.com

houstonemergencycenter.com

alioverstreet.com

nutrhyp.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2540-14-0x0000000000400000-0x000000000042E000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

85c3d336415e2d1d331b6565559d475b_JaffaCakes118.exe

description	pid	process	target process
PID 2428 set thread context of 2540	2428	85c3d336415e2d1d331b6565559d475b_JaffaCakes118.exe	85c3d336415e2d1d331b6565559d475b_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2552 schtasks.exe

pid	process
2552	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

85c3d336415e2d1d331b6565559d475b_JaffaCakes118.exe85c3d336415e2d1d331b6565559d475b_JaffaCakes118.exe

pid	process
2428	85c3d336415e2d1d331b6565559d475b_JaffaCakes118.exe
2428	85c3d336415e2d1d331b6565559d475b_JaffaCakes118.exe
2540	85c3d336415e2d1d331b6565559d475b_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

85c3d336415e2d1d331b6565559d475b_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 2428 85c3d336415e2d1d331b6565559d475b_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2428	85c3d336415e2d1d331b6565559d475b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

85c3d336415e2d1d331b6565559d475b_JaffaCakes118.exe

description	pid	process	target process
PID 2428 wrote to memory of 2552	2428	85c3d336415e2d1d331b6565559d475b_JaffaCakes118.exe	schtasks.exe
PID 2428 wrote to memory of 2552	2428	85c3d336415e2d1d331b6565559d475b_JaffaCakes118.exe	schtasks.exe
PID 2428 wrote to memory of 2552	2428	85c3d336415e2d1d331b6565559d475b_JaffaCakes118.exe	schtasks.exe
PID 2428 wrote to memory of 2552	2428	85c3d336415e2d1d331b6565559d475b_JaffaCakes118.exe	schtasks.exe
PID 2428 wrote to memory of 2540	2428	85c3d336415e2d1d331b6565559d475b_JaffaCakes118.exe	85c3d336415e2d1d331b6565559d475b_JaffaCakes118.exe
PID 2428 wrote to memory of 2540	2428	85c3d336415e2d1d331b6565559d475b_JaffaCakes118.exe	85c3d336415e2d1d331b6565559d475b_JaffaCakes118.exe
PID 2428 wrote to memory of 2540	2428	85c3d336415e2d1d331b6565559d475b_JaffaCakes118.exe	85c3d336415e2d1d331b6565559d475b_JaffaCakes118.exe
PID 2428 wrote to memory of 2540	2428	85c3d336415e2d1d331b6565559d475b_JaffaCakes118.exe	85c3d336415e2d1d331b6565559d475b_JaffaCakes118.exe
PID 2428 wrote to memory of 2540	2428	85c3d336415e2d1d331b6565559d475b_JaffaCakes118.exe	85c3d336415e2d1d331b6565559d475b_JaffaCakes118.exe
PID 2428 wrote to memory of 2540	2428	85c3d336415e2d1d331b6565559d475b_JaffaCakes118.exe	85c3d336415e2d1d331b6565559d475b_JaffaCakes118.exe
PID 2428 wrote to memory of 2540	2428	85c3d336415e2d1d331b6565559d475b_JaffaCakes118.exe	85c3d336415e2d1d331b6565559d475b_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\85c3d336415e2d1d331b6565559d475b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\85c3d336415e2d1d331b6565559d475b_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XGhcHGJqJd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1B6.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2552
- C:\Users\Admin\AppData\Local\Temp\85c3d336415e2d1d331b6565559d475b_JaffaCakes118.exe
  "{path}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1B6.tmp

Filesize
1KB

MD5
5fac177fd16d448cb9b99e974ebad2d4

SHA1
6ef325739f69a064bf4ea3f4652ca4fba066e41f

SHA256
34c9c5e173577d53daea0b7961884a50d6d053292eca48b3e7dad806ffbc4854

SHA512
f13d7220450a6bd358674adbdbb844a09b36a58131b1c3ef6656fa1e2d4fa0445a7e795fc88c9609b95b37c3287aacbca6e2ab07823cb1125388152b29fe0d73

Download Submit
memory/2428-0-0x0000000074641000-0x0000000074642000-memory.dmp

Filesize
4KB

Download
memory/2428-1-0x0000000074640000-0x0000000074BEB000-memory.dmp

Filesize
5.7MB

Download
memory/2428-2-0x0000000074640000-0x0000000074BEB000-memory.dmp

Filesize
5.7MB

Download
memory/2428-3-0x0000000074640000-0x0000000074BEB000-memory.dmp

Filesize
5.7MB

Download
memory/2428-4-0x0000000074640000-0x0000000074BEB000-memory.dmp

Filesize
5.7MB

Download
memory/2428-16-0x0000000074640000-0x0000000074BEB000-memory.dmp

Filesize
5.7MB

Download
memory/2540-14-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2540-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2540-10-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2540-8-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2540-15-0x00000000009C0000-0x0000000000CC3000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads