formbook | d1a50d7dff2d6e797a91bb21476340b6b6f38149602e78e8c67285e629ab5582

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11/06/2024, 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e96b0ca6af610467e378ce574c46ac8_JaffaCakes118.exe
Size

336KB
MD5

9e96b0ca6af610467e378ce574c46ac8
SHA1

f0b6b0ba3b3837ea5045ddc67aca09b30929ba25
SHA256

d1a50d7dff2d6e797a91bb21476340b6b6f38149602e78e8c67285e629ab5582
SHA512

f371a472d328d0c09a714ff4002fed0f85d75971c187f1418adb2524c5787635dccd1b5dba810fe3806ad587bf5030934809777463636ba4792d511787590ee9
SSDEEP

6144:KLRglTOTgZB2LmLqMTU5KJMQPesmX/YmRMW:KLRdTxauMsKaQPtmAmRM

Score

10^/10

formbook he rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

Decoy

wwws8884.com

kingofcat.com

tv17890.info

mayohomes.properties

digitaltaj.com

5x000.com

guoguoxiansen.com

712manbetx.com

subastacalicar.com

online-rueckbildung.com

cruisekaribu.com

chaomojia.com

dropmefile.info

cellcity.photography

gmckeeptexasrolling.net

peoplesinc.biz

pi3kinbreastcancer.com

kudstaxi.com

xhtd842.com

saverioscattaglia.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

resource	yara_rule
behavioral2/memory/4208-18-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral2/memory/4208-21-0x0000000000400000-0x000000000045B000-memory.dmp	formbook
behavioral2/memory/4208-20-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	9e96b0ca6af610467e378ce574c46ac8_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4208	Pops.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4208 set thread context of 3528	4208	Pops.exe	56
PID 1692 set thread context of 3528	1692	raserver.exe	56

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	9e96b0ca6af610467e378ce574c46ac8_JaffaCakes118.exe
File opened for modification	C:\Windows\win.ini	Pops.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1540	schtasks.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
4208	Pops.exe
4208	Pops.exe
4208	Pops.exe
4208	Pops.exe
1692	raserver.exe
1692	raserver.exe
1692	raserver.exe
1692	raserver.exe
1692	raserver.exe
1692	raserver.exe
1692	raserver.exe
1692	raserver.exe
1692	raserver.exe
1692	raserver.exe
1692	raserver.exe
1692	raserver.exe
1692	raserver.exe
1692	raserver.exe
1692	raserver.exe
1692	raserver.exe
1692	raserver.exe
1692	raserver.exe
1692	raserver.exe
1692	raserver.exe
1692	raserver.exe
1692	raserver.exe
1692	raserver.exe
1692	raserver.exe
1692	raserver.exe
1692	raserver.exe
1692	raserver.exe
1692	raserver.exe
1692	raserver.exe
1692	raserver.exe
1692	raserver.exe
1692	raserver.exe
1692	raserver.exe
1692	raserver.exe
1692	raserver.exe
1692	raserver.exe
1692	raserver.exe
1692	raserver.exe
1692	raserver.exe
1692	raserver.exe
1692	raserver.exe
1692	raserver.exe
1692	raserver.exe
1692	raserver.exe
1692	raserver.exe
1692	raserver.exe
1692	raserver.exe
1692	raserver.exe
1692	raserver.exe
1692	raserver.exe
1692	raserver.exe
1692	raserver.exe
1692	raserver.exe
1692	raserver.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
4208	Pops.exe
4208	Pops.exe
4208	Pops.exe
1692	raserver.exe
1692	raserver.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4208	Pops.exe
Token: SeDebugPrivilege	1692	raserver.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3528	Explorer.EXE
3528	Explorer.EXE
3528	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1804	9e96b0ca6af610467e378ce574c46ac8_JaffaCakes118.exe
4208	Pops.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3528	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 1540	1804	9e96b0ca6af610467e378ce574c46ac8_JaffaCakes118.exe	85
PID 1804 wrote to memory of 1540	1804	9e96b0ca6af610467e378ce574c46ac8_JaffaCakes118.exe	85
PID 1804 wrote to memory of 1540	1804	9e96b0ca6af610467e378ce574c46ac8_JaffaCakes118.exe	85
PID 1804 wrote to memory of 1148	1804	9e96b0ca6af610467e378ce574c46ac8_JaffaCakes118.exe	87
PID 1804 wrote to memory of 1148	1804	9e96b0ca6af610467e378ce574c46ac8_JaffaCakes118.exe	87
PID 1804 wrote to memory of 1148	1804	9e96b0ca6af610467e378ce574c46ac8_JaffaCakes118.exe	87
PID 3528 wrote to memory of 1692	3528	Explorer.EXE	90
PID 3528 wrote to memory of 1692	3528	Explorer.EXE	90
PID 3528 wrote to memory of 1692	3528	Explorer.EXE	90
PID 1692 wrote to memory of 3212	1692	raserver.exe	91
PID 1692 wrote to memory of 3212	1692	raserver.exe	91
PID 1692 wrote to memory of 3212	1692	raserver.exe	91

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3528
- C:\Users\Admin\AppData\Local\Temp\9e96b0ca6af610467e378ce574c46ac8_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\9e96b0ca6af610467e378ce574c46ac8_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN "Tipoldemoders" /TR "\"C:\ProgramData\Pops.exe\""
    3⤵
    - Creates scheduled task(s)
    PID:1540
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /run /tn "Tipoldemoders"
    3⤵
    PID:1148
- C:\Windows\SysWOW64\raserver.exe
  "C:\Windows\SysWOW64\raserver.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\ProgramData\Pops.exe"
    3⤵
    PID:3212

C:\ProgramData\Pops.exe
C:\ProgramData\Pops.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Pops.exe

Filesize
336KB

MD5
47d10e4979ec37caf4470d9eecc63d62

SHA1
b6ed2aebf5f2c6614229243f1f4339cd39cafaeb

SHA256
6a805ed7c6010967f32ac972cb416f0f24db71b5116871a440e33c4dc84c17c4

SHA512
a1f868c920b31053d07ccc3e46c8d6ea97aef0c2d0465af6dac426527f7940e53d23301b59254613e500f99b1b2d926b38e67b4e818539b5f493659e1fb18494

Download Submit
C:\Windows\win.ini

Filesize
132B

MD5
2193775c058184445c3acbaca7420d30

SHA1
f47873f29e64d87712444a634585a1bc9349c71a

SHA256
97e439b4a97a6f1ec97eab2a901380c0613d57cce644b1877362610abf0dfacc

SHA512
d1dec49f3b5873812cec8c36121d43534fd28d0ce7429d40858de53191e7aa4986883506c9fdc90aceb5bf04032b5d6a1d4549563e502fc36cc555b69616ab63

Download Submit
memory/1692-24-0x0000000000DA0000-0x0000000000DBF000-memory.dmp

Filesize
124KB

Download
memory/1692-27-0x0000000000DA0000-0x0000000000DBF000-memory.dmp

Filesize
124KB

Download
memory/1804-6-0x0000000077A81000-0x0000000077BA1000-memory.dmp

Filesize
1.1MB

Download
memory/1804-5-0x00000000030B0000-0x00000000031B0000-memory.dmp

Filesize
1024KB

Download
memory/1804-4-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/3528-22-0x0000000003330000-0x00000000033F8000-memory.dmp

Filesize
800KB

Download
memory/3528-30-0x0000000003330000-0x00000000033F8000-memory.dmp

Filesize
800KB

Download
memory/3528-37-0x0000000007630000-0x0000000007762000-memory.dmp

Filesize
1.2MB

Download
memory/4208-19-0x000000000B490000-0x000000000B7DA000-memory.dmp

Filesize
3.3MB

Download
memory/4208-18-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4208-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4208-20-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4208-16-0x0000000003020000-0x0000000003120000-memory.dmp

Filesize
1024KB

Download
memory/4208-28-0x0000000075740000-0x0000000075860000-memory.dmp

Filesize
1.1MB

Download
memory/4208-15-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download