formbook | 318d039e63460267fa92391159395a8d82f58e98c4c88831eb20780e485d81b3

General

Target

ca3bf59d8a50c50129515551c389f6d8_JaffaCakes118.exe
Size

736KB
MD5

ca3bf59d8a50c50129515551c389f6d8
SHA1

a0db5fb809772e7886672568db1329d75c857b23
SHA256

318d039e63460267fa92391159395a8d82f58e98c4c88831eb20780e485d81b3
SHA512

87e26b31b904d7a1ac418ab945fb8311ebbc8f9183b885deb2b253b3db1b49b7db6f4f542c50b9b3ee54dcdc5834a42c7e6623e0d56a43bf5ae37cfa3b605776
SSDEEP

12288:9watuz+EFVnfzjreMmJzkg0nYvJS15NLgw1g+esTCmu:9watipF7mJIg0A01HLJP2m

Score

10^/10

formbook l5 bootkit discovery persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

l5

Decoy

riverchaseapts.net

0430pe.com

nbgift.net

ehkhwn.win

immatthall.com

fkslc.info

breakthroughmediadon.com

eatorganic.life

okcitytowing.com

egaodomain.com

krenbc.com

lavi.ltd

sport-score.com

romskicentar.com

junkyard.design

xn--55q83b758aihq.com

phonerepairlocal.com

5656868.com

1s7onework.men

elizabethreidinteriordesign.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/2936-29-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	ca3bf59d8a50c50129515551c389f6d8_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2692 set thread context of 2936	2692	ca3bf59d8a50c50129515551c389f6d8_JaffaCakes118.exe	31

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ca3bf59d8a50c50129515551c389f6d8_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2936	ca3bf59d8a50c50129515551c389f6d8_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2936	2692	ca3bf59d8a50c50129515551c389f6d8_JaffaCakes118.exe	31
PID 2692 wrote to memory of 2936	2692	ca3bf59d8a50c50129515551c389f6d8_JaffaCakes118.exe	31
PID 2692 wrote to memory of 2936	2692	ca3bf59d8a50c50129515551c389f6d8_JaffaCakes118.exe	31
PID 2692 wrote to memory of 2936	2692	ca3bf59d8a50c50129515551c389f6d8_JaffaCakes118.exe	31
PID 2692 wrote to memory of 2936	2692	ca3bf59d8a50c50129515551c389f6d8_JaffaCakes118.exe	31
PID 2692 wrote to memory of 2936	2692	ca3bf59d8a50c50129515551c389f6d8_JaffaCakes118.exe	31
PID 2692 wrote to memory of 2936	2692	ca3bf59d8a50c50129515551c389f6d8_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\ca3bf59d8a50c50129515551c389f6d8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ca3bf59d8a50c50129515551c389f6d8_JaffaCakes118.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Users\Admin\AppData\Local\Temp\ca3bf59d8a50c50129515551c389f6d8_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\ca3bf59d8a50c50129515551c389f6d8_JaffaCakes118.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2692-6-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2692-23-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/2692-1-0x0000000000670000-0x00000000006B2000-memory.dmp

Filesize
264KB

Download
memory/2692-18-0x0000000002090000-0x0000000002091000-memory.dmp

Filesize
4KB

Download
memory/2692-17-0x00000000020A0000-0x00000000020A1000-memory.dmp

Filesize
4KB

Download
memory/2692-16-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/2692-15-0x0000000001F30000-0x0000000001F31000-memory.dmp

Filesize
4KB

Download
memory/2692-14-0x0000000001F20000-0x0000000001F21000-memory.dmp

Filesize
4KB

Download
memory/2692-13-0x0000000001F60000-0x0000000001F61000-memory.dmp

Filesize
4KB

Download
memory/2692-12-0x0000000001F40000-0x0000000001F41000-memory.dmp

Filesize
4KB

Download
memory/2692-10-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/2692-9-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2692-8-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2692-7-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2692-11-0x0000000001F50000-0x0000000001F52000-memory.dmp

Filesize
8KB

Download
memory/2692-5-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2692-0-0x0000000000400000-0x00000000005FD000-memory.dmp

Filesize
2.0MB

Download
memory/2692-3-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2692-19-0x00000000020C0000-0x00000000020C1000-memory.dmp

Filesize
4KB

Download
memory/2692-2-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/2692-20-0x0000000000400000-0x00000000005FD000-memory.dmp

Filesize
2.0MB

Download
memory/2692-21-0x0000000000670000-0x00000000006B2000-memory.dmp

Filesize
264KB

Download
memory/2692-4-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2692-35-0x0000000000400000-0x00000000005FD000-memory.dmp

Filesize
2.0MB

Download
memory/2692-33-0x00000000041C0000-0x00000000043BD000-memory.dmp

Filesize
2.0MB

Download
memory/2936-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2936-29-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2936-27-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2936-25-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2936-38-0x00000000008D0000-0x0000000000BD3000-memory.dmp

Filesize
3.0MB

Download
memory/2936-39-0x00000000008D0000-0x0000000000BD3000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads