formbook | 318d039e63460267fa92391159395a8d82f58e98c4c88831eb20780e485d81b3

General

Target

ca3bf59d8a50c50129515551c389f6d8_JaffaCakes118.exe
Size

736KB
MD5

ca3bf59d8a50c50129515551c389f6d8
SHA1

a0db5fb809772e7886672568db1329d75c857b23
SHA256

318d039e63460267fa92391159395a8d82f58e98c4c88831eb20780e485d81b3
SHA512

87e26b31b904d7a1ac418ab945fb8311ebbc8f9183b885deb2b253b3db1b49b7db6f4f542c50b9b3ee54dcdc5834a42c7e6623e0d56a43bf5ae37cfa3b605776
SSDEEP

12288:9watuz+EFVnfzjreMmJzkg0nYvJS15NLgw1g+esTCmu:9watipF7mJIg0A01HLJP2m

Score

10^/10

formbook l5 discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

l5

Decoy

riverchaseapts.net

0430pe.com

nbgift.net

ehkhwn.win

immatthall.com

fkslc.info

breakthroughmediadon.com

eatorganic.life

okcitytowing.com

egaodomain.com

krenbc.com

lavi.ltd

sport-score.com

romskicentar.com

junkyard.design

xn--55q83b758aihq.com

phonerepairlocal.com

5656868.com

1s7onework.men

elizabethreidinteriordesign.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/1068-25-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2028 set thread context of 1068	2028	ca3bf59d8a50c50129515551c389f6d8_JaffaCakes118.exe	103

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ca3bf59d8a50c50129515551c389f6d8_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1068	ca3bf59d8a50c50129515551c389f6d8_JaffaCakes118.exe
1068	ca3bf59d8a50c50129515551c389f6d8_JaffaCakes118.exe
1068	ca3bf59d8a50c50129515551c389f6d8_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 1068	2028	ca3bf59d8a50c50129515551c389f6d8_JaffaCakes118.exe	103
PID 2028 wrote to memory of 1068	2028	ca3bf59d8a50c50129515551c389f6d8_JaffaCakes118.exe	103
PID 2028 wrote to memory of 1068	2028	ca3bf59d8a50c50129515551c389f6d8_JaffaCakes118.exe	103
PID 2028 wrote to memory of 1068	2028	ca3bf59d8a50c50129515551c389f6d8_JaffaCakes118.exe	103
PID 2028 wrote to memory of 1068	2028	ca3bf59d8a50c50129515551c389f6d8_JaffaCakes118.exe	103
PID 2028 wrote to memory of 1068	2028	ca3bf59d8a50c50129515551c389f6d8_JaffaCakes118.exe	103

C:\Users\Admin\AppData\Local\Temp\ca3bf59d8a50c50129515551c389f6d8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ca3bf59d8a50c50129515551c389f6d8_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Local\Temp\ca3bf59d8a50c50129515551c389f6d8_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\ca3bf59d8a50c50129515551c389f6d8_JaffaCakes118.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4028,i,8231329449558834090,4540802069600791165,262144 --variations-seed-version --mojo-platform-channel-handle=4464 /prefetch:8
1⤵
PID:1336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1068-25-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1068-29-0x00000000009B0000-0x0000000000CFA000-memory.dmp

Filesize
3.3MB

Download
memory/2028-18-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/2028-8-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/2028-10-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/2028-11-0x00000000025D0000-0x00000000025D2000-memory.dmp

Filesize
8KB

Download
memory/2028-9-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/2028-6-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download
memory/2028-5-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/2028-4-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/2028-3-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/2028-2-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/2028-1-0x0000000000950000-0x0000000000992000-memory.dmp

Filesize
264KB

Download
memory/2028-7-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/2028-14-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/2028-15-0x0000000002610000-0x0000000002611000-memory.dmp

Filesize
4KB

Download
memory/2028-16-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/2028-13-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/2028-12-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/2028-19-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/2028-20-0x0000000000400000-0x00000000005FD000-memory.dmp

Filesize
2.0MB

Download
memory/2028-21-0x0000000000950000-0x0000000000992000-memory.dmp

Filesize
264KB

Download
memory/2028-23-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/2028-17-0x00000000025F0000-0x00000000025F1000-memory.dmp

Filesize
4KB

Download
memory/2028-28-0x0000000000400000-0x00000000005FD000-memory.dmp

Filesize
2.0MB

Download
memory/2028-0-0x0000000000400000-0x00000000005FD000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing