formbook | a329186a1a23e168fb7dbfc731a4c5bdc66c21e679bb904e5090f21f2db6d015

Analysis

max time kernel
146s
max time network
148s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
30-08-2024 09:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca9241a64b855e0480f18c83a49ddc59_JaffaCakes118.exe
Size

576KB
MD5

ca9241a64b855e0480f18c83a49ddc59
SHA1

276ad8501e74e08d5200968aa2022a4a6cd5d900
SHA256

a329186a1a23e168fb7dbfc731a4c5bdc66c21e679bb904e5090f21f2db6d015
SHA512

0a5a154393d656448f14cb9d6bef4a6db426c84f83e4948b0319d8ed0ecb94e62e4e75b95fd4a2c872372114396b3785c75176940541be2448cc5355127a3f77
SSDEEP

12288:QUomEFRu3xEPEGfxiPngu92Q5FwxnlDGIDmP6yW9uOQg8pxp:QmOMSPEGZwgu99qnJGIqyFMOQp

Score

10^/10

formbook du credential_access discovery persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

Decoy

blackburnwork.net

stvip.net

okcpg1checkmate.mobi

bjfyzl.com

sigangbobo.info

nkphotographies.com

premierssoinsgarderie.com

magiamgiaaz.com

arven-matratze.com

sesco-hvac.com

caribbeansoul215.info

orderjuliosgourmetpizza.com

aurora-health-ua.com

fairvoyagers.com

powergraphx.com

www17703.com

grigor-dimitrov.net

ktlibs.men

practicallyblockchain.com

ijxlcp.info

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Formbook payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/1652-32-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral1/memory/1652-45-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral1/memory/1652-47-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\LTXTXDZ00XV = "C:\\Program Files (x86)\\Qyx28chtp\\IconCacheulodufw8.exe"	rundll32.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.lnk	file.exe

Executes dropped EXE 2 IoCs

pid	Process
2688	file.exe
1652	file.exe

Loads dropped DLL 6 IoCs

pid	Process
2184	ca9241a64b855e0480f18c83a49ddc59_JaffaCakes118.exe
2184	ca9241a64b855e0480f18c83a49ddc59_JaffaCakes118.exe
2184	ca9241a64b855e0480f18c83a49ddc59_JaffaCakes118.exe
2184	ca9241a64b855e0480f18c83a49ddc59_JaffaCakes118.exe
2688	file.exe
2688	file.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2688 set thread context of 1652	2688	file.exe	32
PID 1652 set thread context of 1372	1652	file.exe	21
PID 1652 set thread context of 1372	1652	file.exe	21
PID 288 set thread context of 1372	288	rundll32.exe	21

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Qyx28chtp\IconCacheulodufw8.exe	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ca9241a64b855e0480f18c83a49ddc59_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-2257386474-3982792636-3902186748-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	rundll32.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
1652	file.exe
1652	file.exe
1652	file.exe
288	rundll32.exe
288	rundll32.exe
288	rundll32.exe
288	rundll32.exe
288	rundll32.exe
288	rundll32.exe
288	rundll32.exe
288	rundll32.exe
288	rundll32.exe
288	rundll32.exe
288	rundll32.exe
288	rundll32.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
1652	file.exe
1652	file.exe
1652	file.exe
1652	file.exe
288	rundll32.exe
288	rundll32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2688	file.exe
Token: SeDebugPrivilege	1652	file.exe
Token: SeDebugPrivilege	288	rundll32.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2688	2184	ca9241a64b855e0480f18c83a49ddc59_JaffaCakes118.exe	31
PID 2184 wrote to memory of 2688	2184	ca9241a64b855e0480f18c83a49ddc59_JaffaCakes118.exe	31
PID 2184 wrote to memory of 2688	2184	ca9241a64b855e0480f18c83a49ddc59_JaffaCakes118.exe	31
PID 2184 wrote to memory of 2688	2184	ca9241a64b855e0480f18c83a49ddc59_JaffaCakes118.exe	31
PID 2184 wrote to memory of 2688	2184	ca9241a64b855e0480f18c83a49ddc59_JaffaCakes118.exe	31
PID 2184 wrote to memory of 2688	2184	ca9241a64b855e0480f18c83a49ddc59_JaffaCakes118.exe	31
PID 2184 wrote to memory of 2688	2184	ca9241a64b855e0480f18c83a49ddc59_JaffaCakes118.exe	31
PID 2688 wrote to memory of 1652	2688	file.exe	32
PID 2688 wrote to memory of 1652	2688	file.exe	32
PID 2688 wrote to memory of 1652	2688	file.exe	32
PID 2688 wrote to memory of 1652	2688	file.exe	32
PID 2688 wrote to memory of 1652	2688	file.exe	32
PID 2688 wrote to memory of 1652	2688	file.exe	32
PID 2688 wrote to memory of 1652	2688	file.exe	32
PID 2688 wrote to memory of 1652	2688	file.exe	32
PID 2688 wrote to memory of 1652	2688	file.exe	32
PID 2688 wrote to memory of 1652	2688	file.exe	32
PID 2688 wrote to memory of 2436	2688	file.exe	33
PID 2688 wrote to memory of 2436	2688	file.exe	33
PID 2688 wrote to memory of 2436	2688	file.exe	33
PID 2688 wrote to memory of 2436	2688	file.exe	33
PID 2688 wrote to memory of 2436	2688	file.exe	33
PID 2688 wrote to memory of 2436	2688	file.exe	33
PID 2688 wrote to memory of 2436	2688	file.exe	33
PID 1372 wrote to memory of 288	1372	Explorer.EXE	35
PID 1372 wrote to memory of 288	1372	Explorer.EXE	35
PID 1372 wrote to memory of 288	1372	Explorer.EXE	35
PID 1372 wrote to memory of 288	1372	Explorer.EXE	35
PID 1372 wrote to memory of 288	1372	Explorer.EXE	35
PID 1372 wrote to memory of 288	1372	Explorer.EXE	35
PID 1372 wrote to memory of 288	1372	Explorer.EXE	35
PID 288 wrote to memory of 3044	288	rundll32.exe	36
PID 288 wrote to memory of 3044	288	rundll32.exe	36
PID 288 wrote to memory of 3044	288	rundll32.exe	36
PID 288 wrote to memory of 3044	288	rundll32.exe	36

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	rundll32.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Users\Admin\AppData\Local\Temp\ca9241a64b855e0480f18c83a49ddc59_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ca9241a64b855e0480f18c83a49ddc59_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:1652
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy "C:\Users\Admin\AppData\Local\Temp\RarSFX0\*.*" "C:\Users\Admin\AppData\Roaming\fan" & exit
      4⤵
      System Location Discovery: System Language Discovery
      PID:2436
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\SysWOW64\rundll32.exe"
  2⤵
  - Adds policy Run key to start application
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:288
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nwhrrxoeoaonmsiyy.png

Filesize
25KB

MD5
3891dd0974efc07cbcdc25bca0d08252

SHA1
5bb32d8dd341c6fdbb856352570ffcb60ca5a65e

SHA256
4cfd900e14e56b8b5570e9b370733d2c37da8edc8058ddf35dcb5044ae1d9e70

SHA512
cdf55d9ebb16418df4c523dded7fb6edd618f8875f9b1e472d9ab0c9b10df3025a7d10c7d82af7081f9d8f1b0f11a6a1cd64c4ab3958bd5d8939e378a3b6f913

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Uvenagxehdo.xml

Filesize
167KB

MD5
4321bdacfc299dede7b38875345d0e47

SHA1
dd6bd849d1eb16a98f0b6076f9bf03001b436e7b

SHA256
00ac6970e7b56bed0b937613dff2213f980d311c4bbd7a1d8fda271de8727d30

SHA512
189bb38c5ee0b213834fc31cf30d179d6fd1521966a4b14df31ab2d479e773f6cb7f17c3406472290eac46db38674efba7225cf234a207be45c3ec88e7614dbd

Download Submit
C:\Users\Admin\AppData\Roaming\87M688PE\87Mlogim.jpeg

Filesize
76KB

MD5
8d7e4b7c76a05a81e223a5a329bc486e

SHA1
707d9308e8082f8733a8cbd011af35435d8306d4

SHA256
49e65123fb08fd2e6e1671382954e87c19b48ea2fc8fb9b54fa3908da8a9d327

SHA512
dc5dabea041bf2f3cf0421c410f56028d5bfad54778fd1cee25c4049ea975701de7f45cff4a2a1c711d8f73e7d84aa6f7389ca5de2025b3f3c505712b6a1eab5

Download Submit
C:\Users\Admin\AppData\Roaming\87M688PE\87Mlogri.ini

Filesize
40B

MD5
d63a82e5d81e02e399090af26db0b9cb

SHA1
91d0014c8f54743bba141fd60c9d963f869d76c9

SHA256
eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

SHA512
38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

Download Submit
C:\Users\Admin\AppData\Roaming\87M688PE\87Mlogrv.ini

Filesize
40B

MD5
ba3b6bc807d4f76794c4b81b09bb9ba5

SHA1
24cb89501f0212ff3095ecc0aba97dd563718fb1

SHA256
6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507

SHA512
ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.lnk

Filesize
827B

MD5
4d119176f4728a1b3228dac26134c486

SHA1
1652a93a1998ac806b69347b9368abc6123a6ebc

SHA256
4369c2c21b3a02ce29a0a889c4e94a4f6a9a7466a961a54c26dba65a8e5d4a28

SHA512
2d83623a7d765245bf38dabdc15186dc163ac67af8a702146b1415291ca49f98925e741ce92c0f450b749a0575da8daed81c809dc4c7b52b63d395931169ba59

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe

Filesize
195KB

MD5
7573bf8132ac06b36d6687bbd37cd8fa

SHA1
a26f0a134671e69e71bff2a0f7808452473d27ea

SHA256
7de138af3c37163beb8be29bd44695e0be5cba34306c94906084a0e9eb24ea7b

SHA512
63ee9d40afe01761a8b08076d2e1a78961e1040e2158f65b2fde81a7411f63e26066337c84f3e7ab8d096052bf757c2226737668ef451e35212138f33be6aa05

Download Submit
memory/288-50-0x00000000009E0000-0x00000000009EE000-memory.dmp

Filesize
56KB

Download
memory/288-48-0x00000000009E0000-0x00000000009EE000-memory.dmp

Filesize
56KB

Download
memory/1372-55-0x0000000007F00000-0x0000000008037000-memory.dmp

Filesize
1.2MB

Download
memory/1372-46-0x0000000006FB0000-0x00000000070DF000-memory.dmp

Filesize
1.2MB

Download
memory/1652-47-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1652-29-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1652-45-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1652-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1652-32-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1652-28-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2688-25-0x00000000741B0000-0x000000007475B000-memory.dmp

Filesize
5.7MB

Download
memory/2688-24-0x00000000741B0000-0x000000007475B000-memory.dmp

Filesize
5.7MB

Download
memory/2688-22-0x00000000741B0000-0x000000007475B000-memory.dmp

Filesize
5.7MB

Download
memory/2688-21-0x00000000741B0000-0x000000007475B000-memory.dmp

Filesize
5.7MB

Download
memory/2688-20-0x00000000741B1000-0x00000000741B2000-memory.dmp

Filesize
4KB

Download