formbook | b44ee52856f84ec787ba1c374c756932c713d3a93b8a610b0c4e362b008bb5eb

General

Target

ad50c081824b04713a98c32b22e487f8_JaffaCakes118.exe
Size

994KB
MD5

ad50c081824b04713a98c32b22e487f8
SHA1

757ca6a028d1e38efbedf24a8f957043ae22e694
SHA256

b44ee52856f84ec787ba1c374c756932c713d3a93b8a610b0c4e362b008bb5eb
SHA512

14af69699b174feea717cf92ecf97070878969596ed10f56dd871b57a52d09fcfb154a753e0a160dbdc813e96adea63c7139744751d5a645d5c1ed530abe96e0
SSDEEP

12288:87mFpBYj6jRPLjRPqjBjjyjBjBjBjBjLjkeJ28I4Php94J8JVIQkxHiZ3jJDOK8H:GyBJVIQeIIpgOG75

Score

10^/10

formbook dei5 discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dei5

Decoy

studiomullerphoto.com

reallionairewear.com

dogsalondoggy-tail.com

excelmache.net

bigdiscounters.com

7986799.com

ignition.guru

xiaoxu.info

jpinpd.com

solpool.info

uchooswrewards.com

everestengineeringworks.com

qianglongzhipin.com

deepimper-325.com

appliedrate.com

radsazemehr.com

vivabematividadesfisicas.com

capacitalo.com

somecore.com

listingclass.net

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/2348-21-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/2348-24-0x00000000008B0000-0x0000000000BB3000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2756 set thread context of 2348	2756	ad50c081824b04713a98c32b22e487f8_JaffaCakes118.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ad50c081824b04713a98c32b22e487f8_JaffaCakes118.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2976	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2348	ad50c081824b04713a98c32b22e487f8_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2976	2756	ad50c081824b04713a98c32b22e487f8_JaffaCakes118.exe	32
PID 2756 wrote to memory of 2976	2756	ad50c081824b04713a98c32b22e487f8_JaffaCakes118.exe	32
PID 2756 wrote to memory of 2976	2756	ad50c081824b04713a98c32b22e487f8_JaffaCakes118.exe	32
PID 2756 wrote to memory of 2976	2756	ad50c081824b04713a98c32b22e487f8_JaffaCakes118.exe	32
PID 2756 wrote to memory of 2348	2756	ad50c081824b04713a98c32b22e487f8_JaffaCakes118.exe	34
PID 2756 wrote to memory of 2348	2756	ad50c081824b04713a98c32b22e487f8_JaffaCakes118.exe	34
PID 2756 wrote to memory of 2348	2756	ad50c081824b04713a98c32b22e487f8_JaffaCakes118.exe	34
PID 2756 wrote to memory of 2348	2756	ad50c081824b04713a98c32b22e487f8_JaffaCakes118.exe	34
PID 2756 wrote to memory of 2348	2756	ad50c081824b04713a98c32b22e487f8_JaffaCakes118.exe	34
PID 2756 wrote to memory of 2348	2756	ad50c081824b04713a98c32b22e487f8_JaffaCakes118.exe	34
PID 2756 wrote to memory of 2348	2756	ad50c081824b04713a98c32b22e487f8_JaffaCakes118.exe	34

C:\Users\Admin\AppData\Local\Temp\ad50c081824b04713a98c32b22e487f8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ad50c081824b04713a98c32b22e487f8_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DIvKOnF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2961.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2976
- C:\Users\Admin\AppData\Local\Temp\ad50c081824b04713a98c32b22e487f8_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ad50c081824b04713a98c32b22e487f8_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2348

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
- System Location Discovery: System Language Discovery
PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2961.tmp

Filesize
1KB

MD5
3cc8ef6442555cfd4691aa93e4a1d7c5

SHA1
263b5d4b187a3e0da7d75f4080fc12b3b94cfb76

SHA256
2e786bba80f88d3082865454aa33f0c90de3443473706264b4ca0dd5d7ffa8d6

SHA512
c099ef46449c9cb25e74d58a1390fc54c8161d76820a7c66da0bee0203c9a048a558397034877841972f7d8cdaaa75f81054e2662d87a48d7a03432cfd55fdf7

Download Submit
memory/2348-24-0x00000000008B0000-0x0000000000BB3000-memory.dmp

Filesize
3.0MB

Download
memory/2348-23-0x00000000008B0000-0x0000000000BB3000-memory.dmp

Filesize
3.0MB

Download
memory/2348-17-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2348-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2348-21-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2348-15-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2756-6-0x0000000000620000-0x000000000062A000-memory.dmp

Filesize
40KB

Download
memory/2756-9-0x0000000005680000-0x00000000056DC000-memory.dmp

Filesize
368KB

Download
memory/2756-8-0x0000000074240000-0x000000007492E000-memory.dmp

Filesize
6.9MB

Download
memory/2756-7-0x000000007424E000-0x000000007424F000-memory.dmp

Filesize
4KB

Download
memory/2756-0-0x000000007424E000-0x000000007424F000-memory.dmp

Filesize
4KB

Download
memory/2756-22-0x0000000074240000-0x000000007492E000-memory.dmp

Filesize
6.9MB

Download
memory/2756-2-0x0000000074240000-0x000000007492E000-memory.dmp

Filesize
6.9MB

Download
memory/2756-1-0x0000000001180000-0x000000000127E000-memory.dmp

Filesize
1016KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads