formbook | 2f074d479236e1b4b36733f1e071d6c053a135025cbc62ccc233776b23604390

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
29/07/2024, 14:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b21b233b4fb9b116477fb24cdd8e376_JaffaCakes118.exe
Size

463KB
MD5

4b21b233b4fb9b116477fb24cdd8e376
SHA1

8e88400d1292aac8462b0413e039fd16a95112cd
SHA256

2f074d479236e1b4b36733f1e071d6c053a135025cbc62ccc233776b23604390
SHA512

a0d1871e551fc1cd45e7bc8e05841a79aa8e59743425a56a66ee3bb8e68c55dcaa395bd33f5a5eb4629f97c80a428055b966ad0af1c471742764c79b6de3e19e
SSDEEP

6144:R5iXq4NYHjLS1hxsvAwC0LhvBb4f5YghFZByCgWfF5fJloa:2x2HUhuvj8fBZBzv5fo

Score

10^/10

formbook a43 defense_evasion discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

a43

Decoy

lanaztouch.com

gse-global-p.com

seniorcareconsultant.info

jmstodocasero.com

deyigule.com

flourishmouth.com

morgantownspiritwear.com

edyscleaning.com

simplifyhydro.com

global-water-solution.com

associacaocasafraterna.com

violindna.com

scvipl.com

secure1advancedemedia.com

bcroadside.com

bllccoffee.com

anodesigns.com

ms00852.com

privatecomfortinghands.com

how2adult101.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/1000-209-0x0000000000090000-0x00000000000BE000-memory.dmp	formbook

System Binary Proxy Execution: InstallUtil 1 TTPs 2 IoCs

Abuse InstallUtil to proxy execution of malicious code.

defense_evasion

InstallUtil

T1218.004

description	ioc	Process
Key opened	\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\InstallUtil.exe	4b21b233b4fb9b116477fb24cdd8e376_JaffaCakes118.exe
File created	C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe	4b21b233b4fb9b116477fb24cdd8e376_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
1000	InstallUtil.exe

Loads dropped DLL 2 IoCs

pid	Process
2776	4b21b233b4fb9b116477fb24cdd8e376_JaffaCakes118.exe
2776	4b21b233b4fb9b116477fb24cdd8e376_JaffaCakes118.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2776 set thread context of 1000	2776	4b21b233b4fb9b116477fb24cdd8e376_JaffaCakes118.exe	31
PID 1000 set thread context of 1220	1000	InstallUtil.exe	21
PID 1684 set thread context of 1220	1684	rundll32.exe	21

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1040	2776	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4b21b233b4fb9b116477fb24cdd8e376_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
2776	4b21b233b4fb9b116477fb24cdd8e376_JaffaCakes118.exe
1000	InstallUtil.exe
1000	InstallUtil.exe
1684	rundll32.exe
1684	rundll32.exe
1684	rundll32.exe
1684	rundll32.exe
1684	rundll32.exe
1684	rundll32.exe
1684	rundll32.exe
1684	rundll32.exe
1684	rundll32.exe
1684	rundll32.exe
1684	rundll32.exe
1684	rundll32.exe
1684	rundll32.exe
1684	rundll32.exe
1684	rundll32.exe
1684	rundll32.exe
1684	rundll32.exe
1684	rundll32.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
1000	InstallUtil.exe
1000	InstallUtil.exe
1000	InstallUtil.exe
1684	rundll32.exe
1684	rundll32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2776	4b21b233b4fb9b116477fb24cdd8e376_JaffaCakes118.exe
Token: SeDebugPrivilege	1000	InstallUtil.exe
Token: SeDebugPrivilege	1684	rundll32.exe
Token: SeShutdownPrivilege	1220	Explorer.EXE

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 1000	2776	4b21b233b4fb9b116477fb24cdd8e376_JaffaCakes118.exe	31
PID 2776 wrote to memory of 1000	2776	4b21b233b4fb9b116477fb24cdd8e376_JaffaCakes118.exe	31
PID 2776 wrote to memory of 1000	2776	4b21b233b4fb9b116477fb24cdd8e376_JaffaCakes118.exe	31
PID 2776 wrote to memory of 1000	2776	4b21b233b4fb9b116477fb24cdd8e376_JaffaCakes118.exe	31
PID 2776 wrote to memory of 1000	2776	4b21b233b4fb9b116477fb24cdd8e376_JaffaCakes118.exe	31
PID 2776 wrote to memory of 1000	2776	4b21b233b4fb9b116477fb24cdd8e376_JaffaCakes118.exe	31
PID 2776 wrote to memory of 1000	2776	4b21b233b4fb9b116477fb24cdd8e376_JaffaCakes118.exe	31
PID 2776 wrote to memory of 1000	2776	4b21b233b4fb9b116477fb24cdd8e376_JaffaCakes118.exe	31
PID 2776 wrote to memory of 1000	2776	4b21b233b4fb9b116477fb24cdd8e376_JaffaCakes118.exe	31
PID 2776 wrote to memory of 1000	2776	4b21b233b4fb9b116477fb24cdd8e376_JaffaCakes118.exe	31
PID 1220 wrote to memory of 1684	1220	Explorer.EXE	32
PID 1220 wrote to memory of 1684	1220	Explorer.EXE	32
PID 1220 wrote to memory of 1684	1220	Explorer.EXE	32
PID 1220 wrote to memory of 1684	1220	Explorer.EXE	32
PID 1220 wrote to memory of 1684	1220	Explorer.EXE	32
PID 1220 wrote to memory of 1684	1220	Explorer.EXE	32
PID 1220 wrote to memory of 1684	1220	Explorer.EXE	32
PID 1684 wrote to memory of 1560	1684	rundll32.exe	33
PID 1684 wrote to memory of 1560	1684	rundll32.exe	33
PID 1684 wrote to memory of 1560	1684	rundll32.exe	33
PID 1684 wrote to memory of 1560	1684	rundll32.exe	33
PID 2776 wrote to memory of 1040	2776	4b21b233b4fb9b116477fb24cdd8e376_JaffaCakes118.exe	35
PID 2776 wrote to memory of 1040	2776	4b21b233b4fb9b116477fb24cdd8e376_JaffaCakes118.exe	35
PID 2776 wrote to memory of 1040	2776	4b21b233b4fb9b116477fb24cdd8e376_JaffaCakes118.exe	35
PID 2776 wrote to memory of 1040	2776	4b21b233b4fb9b116477fb24cdd8e376_JaffaCakes118.exe	35

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Users\Admin\AppData\Local\Temp\4b21b233b4fb9b116477fb24cdd8e376_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\4b21b233b4fb9b116477fb24cdd8e376_JaffaCakes118.exe"
  2⤵
  - System Binary Proxy Execution: InstallUtil
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1000
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 2996
    3⤵
    - Program crash
    PID:1040
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\SysWOW64\rundll32.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

System Binary Proxy Execution

T1218

InstallUtil

T1218.004

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\InstallUtil.exe

Filesize
40KB

MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
\Users\Admin\AppData\Local\Temp\b1f92ac9-345d-4ee6-83d6-512dab76f3b9\i.dll

Filesize
94KB

MD5
14ff402962ad21b78ae0b4c43cd1f194

SHA1
f8a510eb26666e875a5bdd1cadad40602763ad72

SHA256
fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

SHA512
daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

Download Submit
memory/1000-208-0x0000000000830000-0x0000000000B33000-memory.dmp

Filesize
3.0MB

Download
memory/1000-209-0x0000000000090000-0x00000000000BE000-memory.dmp

Filesize
184KB

Download
memory/1000-210-0x00000000001C0000-0x00000000001D4000-memory.dmp

Filesize
80KB

Download
memory/1220-229-0x0000000006B20000-0x0000000006C33000-memory.dmp

Filesize
1.1MB

Download
memory/1220-224-0x0000000006B20000-0x0000000006C33000-memory.dmp

Filesize
1.1MB

Download
memory/1220-221-0x0000000005660000-0x00000000057B1000-memory.dmp

Filesize
1.3MB

Download
memory/1220-212-0x0000000005660000-0x00000000057B1000-memory.dmp

Filesize
1.3MB

Download
memory/1684-217-0x0000000000CF0000-0x0000000000CFE000-memory.dmp

Filesize
56KB

Download
memory/2776-14-0x0000000000630000-0x0000000000656000-memory.dmp

Filesize
152KB

Download
memory/2776-70-0x0000000000630000-0x0000000000656000-memory.dmp

Filesize
152KB

Download
memory/2776-42-0x0000000000630000-0x0000000000656000-memory.dmp

Filesize
152KB

Download
memory/2776-40-0x0000000000630000-0x0000000000656000-memory.dmp

Filesize
152KB

Download
memory/2776-38-0x0000000000630000-0x0000000000656000-memory.dmp

Filesize
152KB

Download
memory/2776-36-0x0000000000630000-0x0000000000656000-memory.dmp

Filesize
152KB

Download
memory/2776-34-0x0000000000630000-0x0000000000656000-memory.dmp

Filesize
152KB

Download
memory/2776-32-0x0000000000630000-0x0000000000656000-memory.dmp

Filesize
152KB

Download
memory/2776-30-0x0000000000630000-0x0000000000656000-memory.dmp

Filesize
152KB

Download
memory/2776-28-0x0000000000630000-0x0000000000656000-memory.dmp

Filesize
152KB

Download
memory/2776-26-0x0000000000630000-0x0000000000656000-memory.dmp

Filesize
152KB

Download
memory/2776-24-0x0000000000630000-0x0000000000656000-memory.dmp

Filesize
152KB

Download
memory/2776-22-0x0000000000630000-0x0000000000656000-memory.dmp

Filesize
152KB

Download
memory/2776-20-0x0000000000630000-0x0000000000656000-memory.dmp

Filesize
152KB

Download
memory/2776-18-0x0000000000630000-0x0000000000656000-memory.dmp

Filesize
152KB

Download
memory/2776-16-0x0000000000630000-0x0000000000656000-memory.dmp

Filesize
152KB

Download
memory/2776-46-0x0000000000630000-0x0000000000656000-memory.dmp

Filesize
152KB

Download
memory/2776-12-0x0000000000630000-0x0000000000656000-memory.dmp

Filesize
152KB

Download
memory/2776-11-0x0000000000630000-0x0000000000656000-memory.dmp

Filesize
152KB

Download
memory/2776-10-0x0000000073F40000-0x0000000073FC0000-memory.dmp

Filesize
512KB

Download
memory/2776-72-0x0000000000630000-0x0000000000656000-memory.dmp

Filesize
152KB

Download
memory/2776-44-0x0000000000630000-0x0000000000656000-memory.dmp

Filesize
152KB

Download
memory/2776-68-0x0000000000630000-0x0000000000656000-memory.dmp

Filesize
152KB

Download
memory/2776-66-0x0000000000630000-0x0000000000656000-memory.dmp

Filesize
152KB

Download
memory/2776-64-0x0000000000630000-0x0000000000656000-memory.dmp

Filesize
152KB

Download
memory/2776-62-0x0000000000630000-0x0000000000656000-memory.dmp

Filesize
152KB

Download
memory/2776-60-0x0000000000630000-0x0000000000656000-memory.dmp

Filesize
152KB

Download
memory/2776-58-0x0000000000630000-0x0000000000656000-memory.dmp

Filesize
152KB

Download
memory/2776-56-0x0000000000630000-0x0000000000656000-memory.dmp

Filesize
152KB

Download
memory/2776-54-0x0000000000630000-0x0000000000656000-memory.dmp

Filesize
152KB

Download
memory/2776-52-0x0000000000630000-0x0000000000656000-memory.dmp

Filesize
152KB

Download
memory/2776-50-0x0000000000630000-0x0000000000656000-memory.dmp

Filesize
152KB

Download
memory/2776-191-0x000000007414E000-0x000000007414F000-memory.dmp

Filesize
4KB

Download
memory/2776-48-0x0000000000630000-0x0000000000656000-memory.dmp

Filesize
152KB

Download
memory/2776-3-0x0000000000630000-0x000000000065C000-memory.dmp

Filesize
176KB

Download
memory/2776-2-0x0000000074140000-0x000000007482E000-memory.dmp

Filesize
6.9MB

Download
memory/2776-1-0x0000000000AD0000-0x0000000000B4A000-memory.dmp

Filesize
488KB

Download
memory/2776-0-0x000000007414E000-0x000000007414F000-memory.dmp

Filesize
4KB

Download
memory/2776-192-0x0000000074140000-0x000000007482E000-memory.dmp

Filesize
6.9MB

Download
memory/2776-194-0x0000000074140000-0x000000007482E000-memory.dmp

Filesize
6.9MB

Download
memory/2776-195-0x0000000074140000-0x000000007482E000-memory.dmp

Filesize
6.9MB

Download
memory/2776-196-0x0000000000520000-0x000000000052C000-memory.dmp

Filesize
48KB

Download