formbook | 5113f7698c80f8183b0fd72ff91adeed308b93937fc9ca9aefb8d7f878569fd3

General

Target

d9af5dd07a77a24d5499164aed22dc0a_JaffaCakes118.exe
Size

345KB
MD5

d9af5dd07a77a24d5499164aed22dc0a
SHA1

36aeb648e254ff72689ef8c95ab5851f95c8a73e
SHA256

5113f7698c80f8183b0fd72ff91adeed308b93937fc9ca9aefb8d7f878569fd3
SHA512

29328a3081a6939d370ae5d039490a3637b24d7c8f7420fa0d7e5f33d31b60fdbea2286d42580ba40b5a8d05c962616b59765b7ad4fe82bde340d9c11a90a1e7
SSDEEP

6144:S58/+dBOIfjkkODm7aNXcdVcUdc+1znmBDFV1ZE3furMpN0tKPo3/3Y:NkOYLODm7aZc1dnzngTZ2u0xPy/o

Score

10^/10

formbook ik credential_access discovery persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

ik

Decoy

aktfh.com

gzxcserver.com

ollgabruell-fengshui.com

peggyhaddadinteriors.com

tamoxifencitrate.store

dongygiatruyendactri.com

dosti-desire-thane.info

hidejunkie.com

client76212.review

chopaankabobhouse.com

sboz1.com

oilbularya.com

peachyfindz.com

chroniclephotograhpy.com

ynherbaltea.com

lirong2019.com

coolcloudhvac.singles

ruimingwuye.com

xinyue-vip-qq-dnf-com.site

binaprimamultiutama.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Formbook payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/89192-100036-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral1/memory/89192-100040-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Loads dropped DLL 4 IoCs

pid	Process
2632	d9af5dd07a77a24d5499164aed22dc0a_JaffaCakes118.exe
2632	d9af5dd07a77a24d5499164aed22dc0a_JaffaCakes118.exe
2632	d9af5dd07a77a24d5499164aed22dc0a_JaffaCakes118.exe
2632	d9af5dd07a77a24d5499164aed22dc0a_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\T2_TQ080_HW = "C:\\Program Files (x86)\\Ldvalg\\mspbc.exe"	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 89192 set thread context of 1200	89192	nslookup.exe	21
PID 89292 set thread context of 1200	89292	svchost.exe	21

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Ldvalg\mspbc.exe	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	d9af5dd07a77a24d5499164aed22dc0a_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
89204	2632	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d9af5dd07a77a24d5499164aed22dc0a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-1506706701-1246725540-2219210854-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	svchost.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2632	d9af5dd07a77a24d5499164aed22dc0a_JaffaCakes118.exe
2632	d9af5dd07a77a24d5499164aed22dc0a_JaffaCakes118.exe
89192	nslookup.exe
89192	nslookup.exe
89292	svchost.exe
89292	svchost.exe
89292	svchost.exe
89292	svchost.exe
89292	svchost.exe
89292	svchost.exe
89292	svchost.exe
89292	svchost.exe
89292	svchost.exe
89292	svchost.exe
89292	svchost.exe
89292	svchost.exe
89292	svchost.exe
89292	svchost.exe
89292	svchost.exe
89292	svchost.exe
89292	svchost.exe
89292	svchost.exe
89292	svchost.exe
89292	svchost.exe
89292	svchost.exe
89292	svchost.exe
89292	svchost.exe
89292	svchost.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2632	d9af5dd07a77a24d5499164aed22dc0a_JaffaCakes118.exe
89192	nslookup.exe
89192	nslookup.exe
89192	nslookup.exe
89292	svchost.exe
89292	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	89192	nslookup.exe
Token: SeDebugPrivilege	89292	svchost.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 89192	2632	d9af5dd07a77a24d5499164aed22dc0a_JaffaCakes118.exe	31
PID 2632 wrote to memory of 89192	2632	d9af5dd07a77a24d5499164aed22dc0a_JaffaCakes118.exe	31
PID 2632 wrote to memory of 89192	2632	d9af5dd07a77a24d5499164aed22dc0a_JaffaCakes118.exe	31
PID 2632 wrote to memory of 89192	2632	d9af5dd07a77a24d5499164aed22dc0a_JaffaCakes118.exe	31
PID 2632 wrote to memory of 89192	2632	d9af5dd07a77a24d5499164aed22dc0a_JaffaCakes118.exe	31
PID 2632 wrote to memory of 89192	2632	d9af5dd07a77a24d5499164aed22dc0a_JaffaCakes118.exe	31
PID 2632 wrote to memory of 89192	2632	d9af5dd07a77a24d5499164aed22dc0a_JaffaCakes118.exe	31
PID 2632 wrote to memory of 89192	2632	d9af5dd07a77a24d5499164aed22dc0a_JaffaCakes118.exe	31
PID 2632 wrote to memory of 89192	2632	d9af5dd07a77a24d5499164aed22dc0a_JaffaCakes118.exe	31
PID 2632 wrote to memory of 89204	2632	d9af5dd07a77a24d5499164aed22dc0a_JaffaCakes118.exe	32
PID 2632 wrote to memory of 89204	2632	d9af5dd07a77a24d5499164aed22dc0a_JaffaCakes118.exe	32
PID 2632 wrote to memory of 89204	2632	d9af5dd07a77a24d5499164aed22dc0a_JaffaCakes118.exe	32
PID 2632 wrote to memory of 89204	2632	d9af5dd07a77a24d5499164aed22dc0a_JaffaCakes118.exe	32
PID 1200 wrote to memory of 89292	1200	Explorer.EXE	33
PID 1200 wrote to memory of 89292	1200	Explorer.EXE	33
PID 1200 wrote to memory of 89292	1200	Explorer.EXE	33
PID 1200 wrote to memory of 89292	1200	Explorer.EXE	33
PID 89292 wrote to memory of 89344	89292	svchost.exe	34
PID 89292 wrote to memory of 89344	89292	svchost.exe	34
PID 89292 wrote to memory of 89344	89292	svchost.exe	34
PID 89292 wrote to memory of 89344	89292	svchost.exe	34

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Users\Admin\AppData\Local\Temp\d9af5dd07a77a24d5499164aed22dc0a_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\d9af5dd07a77a24d5499164aed22dc0a_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\SysWOW64\nslookup.exe
    "C:\Windows\system32\nslookup.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:89192
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 600
    3⤵
    - Program crash
    PID:89204
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\SysWOW64\svchost.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:89292
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\SysWOW64\nslookup.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:89344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\46O9O6BE\46Ologim.jpeg

Filesize
87KB

MD5
68c01bc47d1045c9e8dda48a10ec7b51

SHA1
3a207ceabee302c6ad8c7420afceb375acb7a52d

SHA256
c02302d396b58a3fd040d7a9ca77707bc294c2565a09e544853e64506c6a4eed

SHA512
75d2fbdb18c69d293609bc175eb4fd883f05530705bfac9f15101edc1d5458e0d134d473530d2db263ee2da524570c695d70e7961cec9dd751b02562c18ed539

Download Submit
C:\Users\Admin\AppData\Roaming\46O9O6BE\46Ologri.ini

Filesize
40B

MD5
d63a82e5d81e02e399090af26db0b9cb

SHA1
91d0014c8f54743bba141fd60c9d963f869d76c9

SHA256
eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

SHA512
38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

Download Submit
C:\Users\Admin\AppData\Roaming\46O9O6BE\46Ologrv.ini

Filesize
40B

MD5
ba3b6bc807d4f76794c4b81b09bb9ba5

SHA1
24cb89501f0212ff3095ecc0aba97dd563718fb1

SHA256
6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507

SHA512
ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf

Download Submit
C:\Windows\win.ini

Filesize
517B

MD5
893cae59ab5945a94a7da007d47a1255

SHA1
d4cfd81c6647ca64022bd307c08a7fb4bbbd4c06

SHA256
edfa0f2d3bea9f737e0315971c6f81d3d8e7d460b60a19351ada0316a093c938

SHA512
d66e454781f54f45df814ad32d687b0f100578c2a4ffca62de81add04281fb881a550702bd2d058933d3736d14e88624af268a86ce24b0c3935242b206ffdcc9

Download Submit
\Users\Admin\AppData\Local\Temp\coffer.dll

Filesize
34KB

MD5
9efcdaec062823e9749250da225dfe4d

SHA1
1d6209a71c061729683ce81890f2d8c0c02c6e05

SHA256
04904de1d15bb931cf85eadb7714bd53f7236de0fbc1f62c22aafb3470ff847c

SHA512
b7faee0a4c769ee39fc11fe20c6ec362b6802e9fd7f81d8a495f1423263af8074cf995c1ff8d964680c10c3026e69ddb66e749b9b29784309502d805673a720a

Download Submit
\Users\Admin\AppData\Local\Temp\nsjDBC1.tmp\Splash.dll

Filesize
4KB

MD5
3f35f73787f0c3bb5e59445fb18ade0d

SHA1
f1566faff96c3988cfc28dc7d433094b6348cdbf

SHA256
5570969d22a33c23b60c5f5536f781219e458a869b77b8dde4a94cc124ee4de6

SHA512
45c42ea95f53a3b8a3fd74bd55ad6f0b3f2b91dd969104de845fd819fe307dec2b4d472bee45554500b0c51052ee82ac98196e894af806edf67a947328474e57

Download Submit
\Users\Admin\AppData\Local\Temp\nsjDBC1.tmp\System.dll

Filesize
11KB

MD5
fbe295e5a1acfbd0a6271898f885fe6a

SHA1
d6d205922e61635472efb13c2bb92c9ac6cb96da

SHA256
a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

SHA512
2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

Download Submit
memory/1200-100042-0x0000000004CA0000-0x0000000004D7B000-memory.dmp

Filesize
876KB

Download
memory/1200-100039-0x00000000000A0000-0x00000000001A0000-memory.dmp

Filesize
1024KB

Download
memory/1200-100054-0x0000000004E10000-0x0000000004EBE000-memory.dmp

Filesize
696KB

Download
memory/1200-100052-0x0000000004E10000-0x0000000004EBE000-memory.dmp

Filesize
696KB

Download
memory/1200-100051-0x0000000004E10000-0x0000000004EBE000-memory.dmp

Filesize
696KB

Download
memory/1200-100046-0x0000000004CA0000-0x0000000004D7B000-memory.dmp

Filesize
876KB

Download
memory/2632-100034-0x0000000000480000-0x0000000000489000-memory.dmp

Filesize
36KB

Download
memory/2632-100033-0x0000000077C60000-0x0000000077E09000-memory.dmp

Filesize
1.7MB

Download
memory/2632-26-0x00000000003F0000-0x00000000003F7000-memory.dmp

Filesize
28KB

Download
memory/2632-25-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2632-23-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/89192-100040-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/89192-100041-0x00000000001A0000-0x00000000001B4000-memory.dmp

Filesize
80KB

Download
memory/89192-100043-0x0000000000090000-0x0000000000095000-memory.dmp

Filesize
20KB

Download
memory/89192-100037-0x00000000008C0000-0x0000000000BC3000-memory.dmp

Filesize
3.0MB

Download
memory/89192-100036-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/89192-100035-0x0000000000090000-0x0000000000095000-memory.dmp

Filesize
20KB

Download
memory/89292-100045-0x0000000000DA0000-0x0000000000DA8000-memory.dmp

Filesize
32KB

Download
memory/89292-100044-0x0000000000DA0000-0x0000000000DA8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads