formbook | 426ffa75739fe8c76f9b42c13944cbde5de6715394131f8e02fa83027de328f2

General

Target

c33c1121b6648782476182e7364d95c0_JaffaCakes118.exe
Size

835KB
MD5

c33c1121b6648782476182e7364d95c0
SHA1

bdea9a1f15f73a285de33a5aeb485fbda59d912e
SHA256

426ffa75739fe8c76f9b42c13944cbde5de6715394131f8e02fa83027de328f2
SHA512

3ce494908861b9bab0c5f2fb78dabe748c197d094bcd6070e6085f16a28b4f87e2d2ec8b137e2f465aa0b8c183d22d1892333ed4cc7cd189cecd8daf3c678066
SSDEEP

12288:QyBwjP6eP9QMN6cuL7o9rMeeugDd7/a3Z77tWhw2LZT3npZCfJi/pV:QyBwjP6+v6cUo9rfmhO3Z77uB3fqc

Score

10^/10

formbook pu1i discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

pu1i

Decoy

academiechaptal.com

kraftcopyagency.com

ds901.com

redtailchillisauce.com

joppamountainclub.com

online-dbm.net

nautilusfoundation.com

psm-gen.com

perpely.com

natwest-services.com

muxviet.mobi

blackmantech.loans

dominantgoal.com

sky-iron.net

sweeten-kneel.xyz

ricardoimports.com

hzzyn.com

cawholesaler.com

tgshydroponics.com

weliketopartytoronto.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/2740-16-0x0000000000400000-0x000000000042E000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2524 set thread context of 2740	2524	c33c1121b6648782476182e7364d95c0_JaffaCakes118.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c33c1121b6648782476182e7364d95c0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2624	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2524	c33c1121b6648782476182e7364d95c0_JaffaCakes118.exe
2524	c33c1121b6648782476182e7364d95c0_JaffaCakes118.exe
2524	c33c1121b6648782476182e7364d95c0_JaffaCakes118.exe
2740	c33c1121b6648782476182e7364d95c0_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2524	c33c1121b6648782476182e7364d95c0_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2624	2524	c33c1121b6648782476182e7364d95c0_JaffaCakes118.exe	31
PID 2524 wrote to memory of 2624	2524	c33c1121b6648782476182e7364d95c0_JaffaCakes118.exe	31
PID 2524 wrote to memory of 2624	2524	c33c1121b6648782476182e7364d95c0_JaffaCakes118.exe	31
PID 2524 wrote to memory of 2624	2524	c33c1121b6648782476182e7364d95c0_JaffaCakes118.exe	31
PID 2524 wrote to memory of 2740	2524	c33c1121b6648782476182e7364d95c0_JaffaCakes118.exe	33
PID 2524 wrote to memory of 2740	2524	c33c1121b6648782476182e7364d95c0_JaffaCakes118.exe	33
PID 2524 wrote to memory of 2740	2524	c33c1121b6648782476182e7364d95c0_JaffaCakes118.exe	33
PID 2524 wrote to memory of 2740	2524	c33c1121b6648782476182e7364d95c0_JaffaCakes118.exe	33
PID 2524 wrote to memory of 2740	2524	c33c1121b6648782476182e7364d95c0_JaffaCakes118.exe	33
PID 2524 wrote to memory of 2740	2524	c33c1121b6648782476182e7364d95c0_JaffaCakes118.exe	33
PID 2524 wrote to memory of 2740	2524	c33c1121b6648782476182e7364d95c0_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\c33c1121b6648782476182e7364d95c0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c33c1121b6648782476182e7364d95c0_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Egwtoi" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9750.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2624
- C:\Users\Admin\AppData\Local\Temp\c33c1121b6648782476182e7364d95c0_JaffaCakes118.exe
  "{path}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9750.tmp

Filesize
1KB

MD5
e527b15b71d91df3789aeaf5757808b9

SHA1
014eb16ce8ad1bc5b5773847751be72df4be1c6e

SHA256
64850aa448196cd4d9d34cf7a8350f59c4f6ba9b844ecb7ca0adda0c92ca2449

SHA512
9f431eb157f5c3d495a768902a6d2dbcdd173e2a2f7e6b92e47bbd1273058c6feb341903da85d7e127cc2de9c5b4222fdc4698496fec136f5c57205cf0705ad7

Download Submit
memory/2524-6-0x0000000007940000-0x00000000079C2000-memory.dmp

Filesize
520KB

Download
memory/2524-1-0x0000000000F40000-0x0000000001018000-memory.dmp

Filesize
864KB

Download
memory/2524-3-0x00000000749AE000-0x00000000749AF000-memory.dmp

Filesize
4KB

Download
memory/2524-4-0x00000000749A0000-0x000000007508E000-memory.dmp

Filesize
6.9MB

Download
memory/2524-5-0x0000000005410000-0x00000000054A6000-memory.dmp

Filesize
600KB

Download
memory/2524-0-0x00000000749AE000-0x00000000749AF000-memory.dmp

Filesize
4KB

Download
memory/2524-7-0x00000000749A0000-0x000000007508E000-memory.dmp

Filesize
6.9MB

Download
memory/2524-2-0x0000000000300000-0x0000000000312000-memory.dmp

Filesize
72KB

Download
memory/2524-17-0x00000000749A0000-0x000000007508E000-memory.dmp

Filesize
6.9MB

Download
memory/2740-16-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2740-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2740-12-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2740-11-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2740-18-0x0000000000910000-0x0000000000C13000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads