formbook | 262d8dd389aad1ef11023ded97da5703e88f1a96c2b0b8a1dbdde5fa7ee04022

General

Target

dd3f06103f2ac425cf4e5a6dc65d31d6_JaffaCakes118.exe
Size

1.5MB
MD5

dd3f06103f2ac425cf4e5a6dc65d31d6
SHA1

972a1b325cc3abc48a94c90a7b51faea619cfcc9
SHA256

262d8dd389aad1ef11023ded97da5703e88f1a96c2b0b8a1dbdde5fa7ee04022
SHA512

8863a2c6f690d215ddf54476832f0e1a7f539bf0b07013aad2e6b86054f0cd5f6cbc11efd2ef5c9b799a7dce2138d6daa5093f2eae6e15fde563951800836751
SSDEEP

24576:Du1NZfx3LwkwC2uEYY1pSIEiPNMDXiPCxN4ar3DV8bxOpwK:qVfx3LMzYY1EIEiPqzkGz/

Score

10^/10

formbook cmg discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

cmg

Decoy

8936199.com

caneryis.com

kkambo.net

lifecoachwoman.com

kardus6.xyz

larvashop.net

stapelskerstbomen.com

dropofluxe.com

1089konstanzter.com

simplelovedlife.com

manderley-condos.com

xexpressx.com

cheshuntcomp.com

chinazhenzhu.com

autoaccessoriesusainc.com

luccagamesawards.com

edwardguimont.com

aljawaheer.com

rootforequality.com

premiumtechiessupport.xyz

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/4032-14-0x0000000000400000-0x000000000042E000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4972 set thread context of 4032	4972	dd3f06103f2ac425cf4e5a6dc65d31d6_JaffaCakes118.exe	97

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd3f06103f2ac425cf4e5a6dc65d31d6_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4972	dd3f06103f2ac425cf4e5a6dc65d31d6_JaffaCakes118.exe
4972	dd3f06103f2ac425cf4e5a6dc65d31d6_JaffaCakes118.exe
4972	dd3f06103f2ac425cf4e5a6dc65d31d6_JaffaCakes118.exe
4972	dd3f06103f2ac425cf4e5a6dc65d31d6_JaffaCakes118.exe
4032	dd3f06103f2ac425cf4e5a6dc65d31d6_JaffaCakes118.exe
4032	dd3f06103f2ac425cf4e5a6dc65d31d6_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4972	dd3f06103f2ac425cf4e5a6dc65d31d6_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4972 wrote to memory of 2164	4972	dd3f06103f2ac425cf4e5a6dc65d31d6_JaffaCakes118.exe	95
PID 4972 wrote to memory of 2164	4972	dd3f06103f2ac425cf4e5a6dc65d31d6_JaffaCakes118.exe	95
PID 4972 wrote to memory of 2164	4972	dd3f06103f2ac425cf4e5a6dc65d31d6_JaffaCakes118.exe	95
PID 4972 wrote to memory of 1528	4972	dd3f06103f2ac425cf4e5a6dc65d31d6_JaffaCakes118.exe	96
PID 4972 wrote to memory of 1528	4972	dd3f06103f2ac425cf4e5a6dc65d31d6_JaffaCakes118.exe	96
PID 4972 wrote to memory of 1528	4972	dd3f06103f2ac425cf4e5a6dc65d31d6_JaffaCakes118.exe	96
PID 4972 wrote to memory of 4032	4972	dd3f06103f2ac425cf4e5a6dc65d31d6_JaffaCakes118.exe	97
PID 4972 wrote to memory of 4032	4972	dd3f06103f2ac425cf4e5a6dc65d31d6_JaffaCakes118.exe	97
PID 4972 wrote to memory of 4032	4972	dd3f06103f2ac425cf4e5a6dc65d31d6_JaffaCakes118.exe	97
PID 4972 wrote to memory of 4032	4972	dd3f06103f2ac425cf4e5a6dc65d31d6_JaffaCakes118.exe	97
PID 4972 wrote to memory of 4032	4972	dd3f06103f2ac425cf4e5a6dc65d31d6_JaffaCakes118.exe	97
PID 4972 wrote to memory of 4032	4972	dd3f06103f2ac425cf4e5a6dc65d31d6_JaffaCakes118.exe	97

C:\Users\Admin\AppData\Local\Temp\dd3f06103f2ac425cf4e5a6dc65d31d6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dd3f06103f2ac425cf4e5a6dc65d31d6_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Users\Admin\AppData\Local\Temp\dd3f06103f2ac425cf4e5a6dc65d31d6_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\dd3f06103f2ac425cf4e5a6dc65d31d6_JaffaCakes118.exe"
  2⤵
  PID:2164
- C:\Users\Admin\AppData\Local\Temp\dd3f06103f2ac425cf4e5a6dc65d31d6_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\dd3f06103f2ac425cf4e5a6dc65d31d6_JaffaCakes118.exe"
  2⤵
  PID:1528
- C:\Users\Admin\AppData\Local\Temp\dd3f06103f2ac425cf4e5a6dc65d31d6_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\dd3f06103f2ac425cf4e5a6dc65d31d6_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4032-14-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4032-17-0x00000000014F0000-0x000000000183A000-memory.dmp

Filesize
3.3MB

Download
memory/4972-8-0x0000000005010000-0x0000000005028000-memory.dmp

Filesize
96KB

Download
memory/4972-9-0x00000000747EE000-0x00000000747EF000-memory.dmp

Filesize
4KB

Download
memory/4972-4-0x0000000004D60000-0x0000000004DF2000-memory.dmp

Filesize
584KB

Download
memory/4972-6-0x00000000747E0000-0x0000000074F90000-memory.dmp

Filesize
7.7MB

Download
memory/4972-5-0x0000000004C50000-0x0000000004C5A000-memory.dmp

Filesize
40KB

Download
memory/4972-7-0x0000000004F50000-0x0000000004FA6000-memory.dmp

Filesize
344KB

Download
memory/4972-0-0x00000000747EE000-0x00000000747EF000-memory.dmp

Filesize
4KB

Download
memory/4972-3-0x0000000005310000-0x00000000058B4000-memory.dmp

Filesize
5.6MB

Download
memory/4972-10-0x00000000747E0000-0x0000000074F90000-memory.dmp

Filesize
7.7MB

Download
memory/4972-11-0x0000000006290000-0x00000000062E6000-memory.dmp

Filesize
344KB

Download
memory/4972-12-0x00000000051C0000-0x00000000051C6000-memory.dmp

Filesize
24KB

Download
memory/4972-13-0x00000000062F0000-0x0000000006326000-memory.dmp

Filesize
216KB

Download
memory/4972-2-0x0000000004CC0000-0x0000000004D5C000-memory.dmp

Filesize
624KB

Download
memory/4972-16-0x00000000747E0000-0x0000000074F90000-memory.dmp

Filesize
7.7MB

Download
memory/4972-1-0x0000000000120000-0x000000000029A000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing