formbook | 55e4fe94a51a73a2201d449c54315c5428a4a7a2e778cf33ba387bd0b158e6df

General

Target

c7db2f2dc554de12f13d17e18475c84d_JaffaCakes118.exe
Size

247KB
MD5

c7db2f2dc554de12f13d17e18475c84d
SHA1

a361998306839cd8eac711734232c049c4471e81
SHA256

55e4fe94a51a73a2201d449c54315c5428a4a7a2e778cf33ba387bd0b158e6df
SHA512

699b49da272a1bcab2ffc73ad46192d99a3857ad1e716cf3f53097d1c29b11001109a8408e4a5083a3ade51658dc37f89d01ed96c448d885fad73de672e98dfc
SSDEEP

6144:iOKil6SOuF+Phe4v0Xt8Jy4UskF5HIxU0q8BhcHNs33m:/wG+J1vE8JyFi7dBqHmH

Score

10^/10

formbook bi discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

bi

Decoy

frspin.com

voron.black

in296.com

exportar.biz

19138537.com

de-play-games.com

suitmine.com

obedenie.com

inventoswiki.com

ahchoices.com

hushopgawd.com

uvalleconcrete.com

milospetstuff.com

vip-ships.com

huiyuetech.com

realestatewithswann.biz

investbuycoin.com

wememebusiness.info

stringapp.net

monikawaronska.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/2384-13-0x0000000000080000-0x00000000000AA000-memory.dmp	formbook
behavioral1/memory/2384-16-0x0000000000080000-0x00000000000AA000-memory.dmp	formbook
behavioral1/memory/2384-21-0x0000000000080000-0x00000000000AA000-memory.dmp	formbook

Executes dropped EXE 1 IoCs

pid	Process
2384	svhost.exe

Loads dropped DLL 1 IoCs

pid	Process
2616	c7db2f2dc554de12f13d17e18475c84d_JaffaCakes118.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2616 set thread context of 2384	2616	c7db2f2dc554de12f13d17e18475c84d_JaffaCakes118.exe	29
PID 2384 set thread context of 1184	2384	svhost.exe	20
PID 2384 set thread context of 1184	2384	svhost.exe	20

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7db2f2dc554de12f13d17e18475c84d_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2616	c7db2f2dc554de12f13d17e18475c84d_JaffaCakes118.exe
2384	svhost.exe
2384	svhost.exe
2384	svhost.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2384	svhost.exe
2384	svhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2616	c7db2f2dc554de12f13d17e18475c84d_JaffaCakes118.exe
Token: SeDebugPrivilege	2384	svhost.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 2384	2616	c7db2f2dc554de12f13d17e18475c84d_JaffaCakes118.exe	29
PID 2616 wrote to memory of 2384	2616	c7db2f2dc554de12f13d17e18475c84d_JaffaCakes118.exe	29
PID 2616 wrote to memory of 2384	2616	c7db2f2dc554de12f13d17e18475c84d_JaffaCakes118.exe	29
PID 2616 wrote to memory of 2384	2616	c7db2f2dc554de12f13d17e18475c84d_JaffaCakes118.exe	29
PID 2616 wrote to memory of 2384	2616	c7db2f2dc554de12f13d17e18475c84d_JaffaCakes118.exe	29
PID 2616 wrote to memory of 2384	2616	c7db2f2dc554de12f13d17e18475c84d_JaffaCakes118.exe	29
PID 2616 wrote to memory of 2384	2616	c7db2f2dc554de12f13d17e18475c84d_JaffaCakes118.exe	29

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1184
- C:\Users\Admin\AppData\Local\Temp\c7db2f2dc554de12f13d17e18475c84d_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\c7db2f2dc554de12f13d17e18475c84d_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Users\Admin\AppData\Local\Temp\svhost.exe
    "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
1.6MB

MD5
32827e69b293b99013bbbe37d029245d

SHA1
bc9f80a38f09354d71467a05b0c5a82c3f7dac53

SHA256
9250b89157770e3ab59a2c7e2dd6b12b3c61d9b7c6620c3b4727e4bfff10f01f

SHA512
58c9a072e2bea0a8f22b4e69512abafad271ca91f2e3d2b4233796dd3d83021aad1c6da69fc8f7e7ca7919d34bde941cb8b5d185b668168866d1180558b93cf5

Download Submit
memory/1184-18-0x0000000006C40000-0x0000000006D4D000-memory.dmp

Filesize
1.1MB

Download
memory/1184-26-0x0000000004080000-0x0000000004164000-memory.dmp

Filesize
912KB

Download
memory/1184-24-0x0000000004080000-0x0000000004164000-memory.dmp

Filesize
912KB

Download
memory/1184-23-0x0000000006C40000-0x0000000006D4D000-memory.dmp

Filesize
1.1MB

Download
memory/2384-15-0x0000000000920000-0x0000000000C23000-memory.dmp

Filesize
3.0MB

Download
memory/2384-21-0x0000000000080000-0x00000000000AA000-memory.dmp

Filesize
168KB

Download
memory/2384-7-0x0000000000080000-0x00000000000AA000-memory.dmp

Filesize
168KB

Download
memory/2384-13-0x0000000000080000-0x00000000000AA000-memory.dmp

Filesize
168KB

Download
memory/2384-16-0x0000000000080000-0x00000000000AA000-memory.dmp

Filesize
168KB

Download
memory/2384-17-0x00000000002D0000-0x00000000002E4000-memory.dmp

Filesize
80KB

Download
memory/2384-9-0x0000000000080000-0x00000000000AA000-memory.dmp

Filesize
168KB

Download
memory/2384-22-0x0000000000650000-0x0000000000664000-memory.dmp

Filesize
80KB

Download
memory/2384-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2616-19-0x0000000074680000-0x0000000074C2B000-memory.dmp

Filesize
5.7MB

Download
memory/2616-0-0x0000000074681000-0x0000000074682000-memory.dmp

Filesize
4KB

Download
memory/2616-2-0x0000000074680000-0x0000000074C2B000-memory.dmp

Filesize
5.7MB

Download
memory/2616-25-0x0000000074680000-0x0000000074C2B000-memory.dmp

Filesize
5.7MB

Download
memory/2616-1-0x0000000074680000-0x0000000074C2B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing