formbook | a308003882167974d1a1f6334f0f9ee1599c50d33ec2883c856de84bf82365f4

General

Target

c064ec37ffd4521397a436a9d0c3da18_JaffaCakes118.exe
Size

1.1MB
MD5

c064ec37ffd4521397a436a9d0c3da18
SHA1

03ba9be491d49752464ffa0755f0d8926e1925e7
SHA256

a308003882167974d1a1f6334f0f9ee1599c50d33ec2883c856de84bf82365f4
SHA512

2186f2f8f28efdde84d196468b00f5df27417b65a10ba6589ee0e57d30ffef121ec04973db8ffc7d6ec935e8bdcf0a98d72cad057f131e6caf7c7455d72379ba
SSDEEP

24576:f9aok2Jbtfcp5l3E5zXVHjx9NMezB3xmSj:f9aSho45xDvZh

Score

10^/10

formbook an discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

an

Decoy

setzesegel.com

freeyrself.com

searchshoppingonline.com

tv16282.info

unitedtur.com

168jlb.com

blockee.info

ryd5.com

kucun108.com

castcmi.red

ufc202.info

goldendawnequipment.com

anlatacaklarimvar.com

szgty.info

realtorlubbock.com

digitalumsetzbar.com

buy9voltblaster.com

naughtytingz.com

phstructuredwater.com

energettic.download

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/8-6-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral2/memory/8-12-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 856 set thread context of 8	856	c064ec37ffd4521397a436a9d0c3da18_JaffaCakes118.exe	98
PID 8 set thread context of 3396	8	diskperf.exe	55
PID 4700 set thread context of 3396	4700	svchost.exe	55

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c064ec37ffd4521397a436a9d0c3da18_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
8	diskperf.exe
8	diskperf.exe
8	diskperf.exe
8	diskperf.exe
4700	svchost.exe
4700	svchost.exe
4700	svchost.exe
4700	svchost.exe
4700	svchost.exe
4700	svchost.exe
4700	svchost.exe
4700	svchost.exe
4700	svchost.exe
4700	svchost.exe
4700	svchost.exe
4700	svchost.exe
4700	svchost.exe
4700	svchost.exe
4700	svchost.exe
4700	svchost.exe
4700	svchost.exe
4700	svchost.exe
4700	svchost.exe
4700	svchost.exe
4700	svchost.exe
4700	svchost.exe
4700	svchost.exe
4700	svchost.exe
4700	svchost.exe
4700	svchost.exe
4700	svchost.exe
4700	svchost.exe
4700	svchost.exe
4700	svchost.exe
4700	svchost.exe
4700	svchost.exe
4700	svchost.exe
4700	svchost.exe
4700	svchost.exe
4700	svchost.exe
4700	svchost.exe
4700	svchost.exe
4700	svchost.exe
4700	svchost.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
8	diskperf.exe
8	diskperf.exe
8	diskperf.exe
4700	svchost.exe
4700	svchost.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	8	diskperf.exe
Token: SeDebugPrivilege	4700	svchost.exe
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3396	Explorer.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 856 wrote to memory of 8	856	c064ec37ffd4521397a436a9d0c3da18_JaffaCakes118.exe	98
PID 856 wrote to memory of 8	856	c064ec37ffd4521397a436a9d0c3da18_JaffaCakes118.exe	98
PID 856 wrote to memory of 8	856	c064ec37ffd4521397a436a9d0c3da18_JaffaCakes118.exe	98
PID 856 wrote to memory of 8	856	c064ec37ffd4521397a436a9d0c3da18_JaffaCakes118.exe	98
PID 856 wrote to memory of 8	856	c064ec37ffd4521397a436a9d0c3da18_JaffaCakes118.exe	98
PID 3396 wrote to memory of 4700	3396	Explorer.EXE	100
PID 3396 wrote to memory of 4700	3396	Explorer.EXE	100
PID 3396 wrote to memory of 4700	3396	Explorer.EXE	100
PID 4700 wrote to memory of 620	4700	svchost.exe	101
PID 4700 wrote to memory of 620	4700	svchost.exe	101
PID 4700 wrote to memory of 620	4700	svchost.exe	101

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3396
- C:\Users\Admin\AppData\Local\Temp\c064ec37ffd4521397a436a9d0c3da18_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\c064ec37ffd4521397a436a9d0c3da18_JaffaCakes118.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:856
- - C:\Windows\SysWOW64\diskperf.exe
    "C:\Windows\SysWOW64\diskperf.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:8
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:3656
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\SysWOW64\svchost.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4700
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\SysWOW64\diskperf.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/8-9-0x0000000000E80000-0x00000000011CA000-memory.dmp

Filesize
3.3MB

Download
memory/8-6-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/8-10-0x0000000000840000-0x0000000000854000-memory.dmp

Filesize
80KB

Download
memory/8-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/856-0-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/856-1-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/856-7-0x0000000000400000-0x000000000051F000-memory.dmp

Filesize
1.1MB

Download
memory/856-2-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/3396-11-0x0000000002A00000-0x0000000002ACF000-memory.dmp

Filesize
828KB

Download
memory/3396-16-0x0000000002A00000-0x0000000002ACF000-memory.dmp

Filesize
828KB

Download
memory/3396-20-0x0000000008A70000-0x0000000008BD8000-memory.dmp

Filesize
1.4MB

Download
memory/3396-21-0x0000000008A70000-0x0000000008BD8000-memory.dmp

Filesize
1.4MB

Download
memory/3396-23-0x0000000008A70000-0x0000000008BD8000-memory.dmp

Filesize
1.4MB

Download
memory/4700-15-0x0000000000B70000-0x0000000000B7E000-memory.dmp

Filesize
56KB

Download
memory/4700-13-0x0000000000B70000-0x0000000000B7E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing