formbook | 659b0101cf2a80010a2254f632a3964ca0917c65694e6cdcdb258f2ea36c30b4

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30-08-2024 23:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cbd7b03a1410f9d9c404a33020c2c49f_JaffaCakes118.msi
Size

484KB
MD5

cbd7b03a1410f9d9c404a33020c2c49f
SHA1

46873e92417016950176968517a80cd4f83f2927
SHA256

659b0101cf2a80010a2254f632a3964ca0917c65694e6cdcdb258f2ea36c30b4
SHA512

8b4163b6d94a3fdc71331461626bf9b6a4af1687e9f155a55122d6152ed12e1d2880c4dd01b6b3ee7f953fed247e35b09d6b28a78c115b4dae8488e451767c2c
SSDEEP

12288:uE4cI068+xWfFSAUadblygLj69i4r8dO2C7qM:uEB6kNBlygy9brsO2C7qM

Score

10^/10

formbook ai discovery persistence privilege_escalation rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

Decoy

theapschool.com

riseupfloridakeys.com

xn--mgbb2awa9dm20i.com

apnee-coach.com

christianmarketinggifts.com

eurothereum.biz

solutionfull.com

equifaxqsecurity2017.com

roboeye-tech.com

living-isar.immo

cable-online-zone.sale

parfumirza.com

civilizationsprice.com

zealasia.com

billet-bateau-tanger.com

andrewkurtsummers.net

darylandkaitlyn.com

ddaak.com

seattlepetadventures.com

iopuern.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/1908-21-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 664 set thread context of 1908	664	MSI12C9.tmp	112
PID 1908 set thread context of 3428	1908	MSI12C9.tmp	56
PID 1900 set thread context of 3428	1900	cmmon32.exe	56

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{29EF7317-DCA1-4159-97B2-C883AD400AC6}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI126A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI12C9.tmp	msiexec.exe
File created	C:\Windows\Installer\e58119f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e58119f.msi	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
664	MSI12C9.tmp
1908	MSI12C9.tmp

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2548	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSI12C9.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmmon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000082ad35faf8c7b7730000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000082ad35fa0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090082ad35fa000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d82ad35fa000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000082ad35fa00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
3908	msiexec.exe
3908	msiexec.exe
1908	MSI12C9.tmp
1908	MSI12C9.tmp
1908	MSI12C9.tmp
1908	MSI12C9.tmp
1908	MSI12C9.tmp
1908	MSI12C9.tmp
1900	cmmon32.exe
1900	cmmon32.exe
1900	cmmon32.exe
1900	cmmon32.exe
1900	cmmon32.exe
1900	cmmon32.exe
1900	cmmon32.exe
1900	cmmon32.exe
1900	cmmon32.exe
1900	cmmon32.exe
1900	cmmon32.exe
1900	cmmon32.exe
1900	cmmon32.exe
1900	cmmon32.exe
1900	cmmon32.exe
1900	cmmon32.exe
1900	cmmon32.exe
1900	cmmon32.exe
1900	cmmon32.exe
1900	cmmon32.exe
1900	cmmon32.exe
1900	cmmon32.exe
1900	cmmon32.exe
1900	cmmon32.exe
1900	cmmon32.exe
1900	cmmon32.exe
1900	cmmon32.exe
1900	cmmon32.exe
1900	cmmon32.exe
1900	cmmon32.exe
1900	cmmon32.exe
1900	cmmon32.exe
1900	cmmon32.exe
1900	cmmon32.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
1908	MSI12C9.tmp
1908	MSI12C9.tmp
1908	MSI12C9.tmp
1900	cmmon32.exe
1900	cmmon32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2548	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2548	msiexec.exe
Token: SeSecurityPrivilege	3908	msiexec.exe
Token: SeCreateTokenPrivilege	2548	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2548	msiexec.exe
Token: SeLockMemoryPrivilege	2548	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2548	msiexec.exe
Token: SeMachineAccountPrivilege	2548	msiexec.exe
Token: SeTcbPrivilege	2548	msiexec.exe
Token: SeSecurityPrivilege	2548	msiexec.exe
Token: SeTakeOwnershipPrivilege	2548	msiexec.exe
Token: SeLoadDriverPrivilege	2548	msiexec.exe
Token: SeSystemProfilePrivilege	2548	msiexec.exe
Token: SeSystemtimePrivilege	2548	msiexec.exe
Token: SeProfSingleProcessPrivilege	2548	msiexec.exe
Token: SeIncBasePriorityPrivilege	2548	msiexec.exe
Token: SeCreatePagefilePrivilege	2548	msiexec.exe
Token: SeCreatePermanentPrivilege	2548	msiexec.exe
Token: SeBackupPrivilege	2548	msiexec.exe
Token: SeRestorePrivilege	2548	msiexec.exe
Token: SeShutdownPrivilege	2548	msiexec.exe
Token: SeDebugPrivilege	2548	msiexec.exe
Token: SeAuditPrivilege	2548	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2548	msiexec.exe
Token: SeChangeNotifyPrivilege	2548	msiexec.exe
Token: SeRemoteShutdownPrivilege	2548	msiexec.exe
Token: SeUndockPrivilege	2548	msiexec.exe
Token: SeSyncAgentPrivilege	2548	msiexec.exe
Token: SeEnableDelegationPrivilege	2548	msiexec.exe
Token: SeManageVolumePrivilege	2548	msiexec.exe
Token: SeImpersonatePrivilege	2548	msiexec.exe
Token: SeCreateGlobalPrivilege	2548	msiexec.exe
Token: SeBackupPrivilege	4280	vssvc.exe
Token: SeRestorePrivilege	4280	vssvc.exe
Token: SeAuditPrivilege	4280	vssvc.exe
Token: SeBackupPrivilege	3908	msiexec.exe
Token: SeRestorePrivilege	3908	msiexec.exe
Token: SeRestorePrivilege	3908	msiexec.exe
Token: SeTakeOwnershipPrivilege	3908	msiexec.exe
Token: SeRestorePrivilege	3908	msiexec.exe
Token: SeTakeOwnershipPrivilege	3908	msiexec.exe
Token: SeRestorePrivilege	3908	msiexec.exe
Token: SeTakeOwnershipPrivilege	3908	msiexec.exe
Token: SeBackupPrivilege	4288	srtasks.exe
Token: SeRestorePrivilege	4288	srtasks.exe
Token: SeSecurityPrivilege	4288	srtasks.exe
Token: SeTakeOwnershipPrivilege	4288	srtasks.exe
Token: SeBackupPrivilege	4288	srtasks.exe
Token: SeRestorePrivilege	4288	srtasks.exe
Token: SeSecurityPrivilege	4288	srtasks.exe
Token: SeTakeOwnershipPrivilege	4288	srtasks.exe
Token: SeDebugPrivilege	664	MSI12C9.tmp
Token: SeDebugPrivilege	1908	MSI12C9.tmp
Token: SeRestorePrivilege	3908	msiexec.exe
Token: SeTakeOwnershipPrivilege	3908	msiexec.exe
Token: SeRestorePrivilege	3908	msiexec.exe
Token: SeTakeOwnershipPrivilege	3908	msiexec.exe
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE
Token: SeCreatePagefilePrivilege	3428	Explorer.EXE
Token: SeShutdownPrivilege	3428	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2548	msiexec.exe
2548	msiexec.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3428	Explorer.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3908 wrote to memory of 4288	3908	msiexec.exe	99
PID 3908 wrote to memory of 4288	3908	msiexec.exe	99
PID 3908 wrote to memory of 664	3908	msiexec.exe	101
PID 3908 wrote to memory of 664	3908	msiexec.exe	101
PID 3908 wrote to memory of 664	3908	msiexec.exe	101
PID 664 wrote to memory of 1908	664	MSI12C9.tmp	112
PID 664 wrote to memory of 1908	664	MSI12C9.tmp	112
PID 664 wrote to memory of 1908	664	MSI12C9.tmp	112
PID 664 wrote to memory of 1908	664	MSI12C9.tmp	112
PID 664 wrote to memory of 1908	664	MSI12C9.tmp	112
PID 664 wrote to memory of 1908	664	MSI12C9.tmp	112
PID 3428 wrote to memory of 1900	3428	Explorer.EXE	113
PID 3428 wrote to memory of 1900	3428	Explorer.EXE	113
PID 3428 wrote to memory of 1900	3428	Explorer.EXE	113
PID 1900 wrote to memory of 4492	1900	cmmon32.exe	114
PID 1900 wrote to memory of 4492	1900	cmmon32.exe	114
PID 1900 wrote to memory of 4492	1900	cmmon32.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3428
- C:\Windows\system32\msiexec.exe
  msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\cbd7b03a1410f9d9c404a33020c2c49f_JaffaCakes118.msi
  2⤵
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2548
- C:\Windows\SysWOW64\cmmon32.exe
  "C:\Windows\SysWOW64\cmmon32.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Installer\MSI12C9.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4492

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3908
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4288
- C:\Windows\Installer\MSI12C9.tmp
  "C:\Windows\Installer\MSI12C9.tmp"
  2⤵
  - Suspicious use of SetThreadContext
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:664
- - C:\Windows\Installer\MSI12C9.tmp
    "C:\Windows\Installer\MSI12C9.tmp"
    3⤵
    - Suspicious use of SetThreadContext
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1908

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5811a2.rbs

Filesize
663B

MD5
10f5ad8b55597e6a1805285ce0fb1276

SHA1
4be83f699182d37155258c2cb4ef552eaacccd37

SHA256
14b49032d94039e7bfeb8b75d8988517a0dffa844e71b24c016174975d6fdab2

SHA512
652ec948fa01a1f34e8b65a09326d173a44a226e19a7b4b96d92c4760e273605ffddfa6ddedec18e0217c2c35e547c95716c78daab1f5d10137c06d1a568346f

Download Submit
C:\Windows\Installer\MSI12C9.tmp

Filesize
457KB

MD5
d69de5541de05d308fdd0c50b7497b34

SHA1
01ce85209b6eeaf53b3e63648927bcd3b6bd2d70

SHA256
c7eed03a4b3a89f0a0fbbf3eed98fa639f7187a31a5b0e8c7a97d0278b2d159c

SHA512
f2a9a7590d8f36402cca038ce9235ad6f91f41c63cb0ce4dc9b51b6f831f1a54dc31abe018ac41c941eb96f1e3d20f6dba938767abb6888a478334164cb41fe0

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
97afcc518e7e43caf706e02de735c43b

SHA1
1865440dd13c3129d58d60e3cad981389114985f

SHA256
a10f16559926d850996a448fc5e0b5c4a177f6f912214aeb2a71f02343c994f4

SHA512
ce92acc6ea5639286d6f184f7fedaf096e1843f8dd7ab620aba8391ffc918261313c25b156f50cbe9ff7248f91c513c5aaec731135ca2790b1731d1172c9e81f

Download Submit
\??\Volume{fa35ad82-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{185cb2fd-6c8d-4a70-809b-66d4fae76b3a}_OnDiskSnapshotProp

Filesize
6KB

MD5
19e8ddb5a06e10529e462a9147cf335a

SHA1
a50e741c277a1f316e94016e94104445802892c3

SHA256
a0baa78607fc6043688201480f5f849d9dfe05477bf1a789ee25e1f2b03e2d61

SHA512
d2225333abf0ab207cc0e1b89f0ee910cdd10d80a9a323a2f8bf440ca7df959982ad07089c98cf25025d17da93c2e774758ee305918042aa924ea9889fcb5dce

Download Submit
memory/664-17-0x0000000004EA0000-0x0000000004ED0000-memory.dmp

Filesize
192KB

Download
memory/664-16-0x0000000004EF0000-0x0000000004F82000-memory.dmp

Filesize
584KB

Download
memory/664-15-0x00000000053A0000-0x0000000005944000-memory.dmp

Filesize
5.6MB

Download
memory/664-18-0x0000000005240000-0x000000000525E000-memory.dmp

Filesize
120KB

Download
memory/664-19-0x00000000028D0000-0x00000000028DA000-memory.dmp

Filesize
40KB

Download
memory/664-20-0x0000000008770000-0x000000000880C000-memory.dmp

Filesize
624KB

Download
memory/664-12-0x0000000000480000-0x00000000004FA000-memory.dmp

Filesize
488KB

Download
memory/1900-38-0x0000000000F50000-0x0000000000F5C000-memory.dmp

Filesize
48KB

Download
memory/1908-21-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3428-41-0x00000000093C0000-0x00000000094A6000-memory.dmp

Filesize
920KB

Download