formbook | 939ca5032b5fc17d00bb9be7b7cb4bef70691a76ceebf9777b58e9e9845a05d6

General

Target

d7dd59c45d9c7d647d28b83412e9e1bb_JaffaCakes118.exe
Size

397KB
MD5

d7dd59c45d9c7d647d28b83412e9e1bb
SHA1

1bfd4f114eb6e9cad55206056fecf9da0cba7bdc
SHA256

939ca5032b5fc17d00bb9be7b7cb4bef70691a76ceebf9777b58e9e9845a05d6
SHA512

1c9772f686d149d5e19ace0779681c3f64db051b43db559b74b3e05013e8cc71ef9451df3016f87a54654c8ea3c63498d9f3f3987b0e63f3f71a940521689172
SSDEEP

6144:Di3fBD/vecMMW3b9A53IvHlouxcAG42uZB:ONPkEiHegnT

Score

10^/10

formbook h321 defense_evasion discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

h321

Decoy

getweddinginsurance.com

easterpalette.com

pkitinfo.com

rendaextrabr.com

woodlandmanorapartments.com

tv16091.info

kput.ltd

thutrangshop.com

worldschoolhelper.com

erschaffe-dein-leben-neu.com

svenskamarknaden.com

neterka.com

newagrarianrevival.com

bomeilvye.com

little789.top

datisfile.com

funwithgravity.com

dynatestxplode.com

thepetblarneystone.net

riffstick.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/3688-13-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	d7dd59c45d9c7d647d28b83412e9e1bb_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3688	d7dd59c45d9c7d647d28b83412e9e1bb_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1152 set thread context of 3688	1152	d7dd59c45d9c7d647d28b83412e9e1bb_JaffaCakes118.exe	99

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\d7dd59c45d9c7d647d28b83412e9e1bb_JaffaCakes118.exe:Zone.Identifier	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d7dd59c45d9c7d647d28b83412e9e1bb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\d7dd59c45d9c7d647d28b83412e9e1bb_JaffaCakes118.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3688	d7dd59c45d9c7d647d28b83412e9e1bb_JaffaCakes118.exe
3688	d7dd59c45d9c7d647d28b83412e9e1bb_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1152	d7dd59c45d9c7d647d28b83412e9e1bb_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 4284	1152	d7dd59c45d9c7d647d28b83412e9e1bb_JaffaCakes118.exe	95
PID 1152 wrote to memory of 4284	1152	d7dd59c45d9c7d647d28b83412e9e1bb_JaffaCakes118.exe	95
PID 1152 wrote to memory of 4284	1152	d7dd59c45d9c7d647d28b83412e9e1bb_JaffaCakes118.exe	95
PID 1152 wrote to memory of 3688	1152	d7dd59c45d9c7d647d28b83412e9e1bb_JaffaCakes118.exe	99
PID 1152 wrote to memory of 3688	1152	d7dd59c45d9c7d647d28b83412e9e1bb_JaffaCakes118.exe	99
PID 1152 wrote to memory of 3688	1152	d7dd59c45d9c7d647d28b83412e9e1bb_JaffaCakes118.exe	99
PID 1152 wrote to memory of 3688	1152	d7dd59c45d9c7d647d28b83412e9e1bb_JaffaCakes118.exe	99
PID 1152 wrote to memory of 3688	1152	d7dd59c45d9c7d647d28b83412e9e1bb_JaffaCakes118.exe	99
PID 1152 wrote to memory of 3688	1152	d7dd59c45d9c7d647d28b83412e9e1bb_JaffaCakes118.exe	99

C:\Users\Admin\AppData\Local\Temp\d7dd59c45d9c7d647d28b83412e9e1bb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d7dd59c45d9c7d647d28b83412e9e1bb_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\Admin\AppData\Local\Temp\d7dd59c45d9c7d647d28b83412e9e1bb_JaffaCakes118.exe:Zone.Identifier"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:4284
- C:\Users\Admin\AppData\Local\Temp\d7dd59c45d9c7d647d28b83412e9e1bb_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d7dd59c45d9c7d647d28b83412e9e1bb_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

1

T1553

SIP and Trust Provider Hijacking

1

T1553.003

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d7dd59c45d9c7d647d28b83412e9e1bb_JaffaCakes118.exe

Filesize
397KB

MD5
d7dd59c45d9c7d647d28b83412e9e1bb

SHA1
1bfd4f114eb6e9cad55206056fecf9da0cba7bdc

SHA256
939ca5032b5fc17d00bb9be7b7cb4bef70691a76ceebf9777b58e9e9845a05d6

SHA512
1c9772f686d149d5e19ace0779681c3f64db051b43db559b74b3e05013e8cc71ef9451df3016f87a54654c8ea3c63498d9f3f3987b0e63f3f71a940521689172

Download Submit
memory/1152-8-0x0000000074AE0000-0x0000000075290000-memory.dmp

Filesize
7.7MB

Download
memory/1152-7-0x0000000005190000-0x00000000051F6000-memory.dmp

Filesize
408KB

Download
memory/1152-3-0x0000000074AEE000-0x0000000074AEF000-memory.dmp

Filesize
4KB

Download
memory/1152-4-0x0000000002AA0000-0x0000000002AC4000-memory.dmp

Filesize
144KB

Download
memory/1152-9-0x0000000006160000-0x0000000006704000-memory.dmp

Filesize
5.6MB

Download
memory/1152-6-0x0000000005050000-0x0000000005072000-memory.dmp

Filesize
136KB

Download
memory/1152-2-0x0000000002AC0000-0x0000000002AE2000-memory.dmp

Filesize
136KB

Download
memory/1152-0-0x0000000074AEE000-0x0000000074AEF000-memory.dmp

Filesize
4KB

Download
memory/1152-5-0x00000000050F0000-0x0000000005182000-memory.dmp

Filesize
584KB

Download
memory/1152-10-0x0000000006710000-0x00000000068D2000-memory.dmp

Filesize
1.8MB

Download
memory/1152-11-0x0000000074AE0000-0x0000000075290000-memory.dmp

Filesize
7.7MB

Download
memory/1152-12-0x00000000068E0000-0x000000000697C000-memory.dmp

Filesize
624KB

Download
memory/1152-16-0x0000000074AE0000-0x0000000075290000-memory.dmp

Filesize
7.7MB

Download
memory/1152-1-0x0000000000690000-0x00000000006FA000-memory.dmp

Filesize
424KB

Download
memory/3688-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3688-17-0x00000000016D0000-0x0000000001A1A000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing