formbook | e2ab98687c215cc7f4e84d11bdcc6a83d797944132901cbbd6b1c23a47efba08

General

Target

19e4c0e192b1966e105f7cdc815d4861_JaffaCakes118.exe
Size

877KB
MD5

19e4c0e192b1966e105f7cdc815d4861
SHA1

201261501086a6ca7511206ebf17232af50706b8
SHA256

e2ab98687c215cc7f4e84d11bdcc6a83d797944132901cbbd6b1c23a47efba08
SHA512

9bd0a604aa0df102503e7bf9b5b70c8b7740a365009e3755ed3eca4f8da85568ed6c1fe9810f734096c667705fc1c5d3c1fe4369d47912fd90c50aeb81b1a641
SSDEEP

12288:YVqGUslKAn3qGaNHEyC9/oR9gy5FHK7zcRLL+UVdgYjksp/4e6xrZ9dh6tLxgvvl:YnKAPp9AR95yOLL1jkwg3xVl6tu1

Score

10^/10

formbook chad discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

chad

Decoy

osiribodhisattva.com

e-ticaretdostu.com

integrocapitalllc.com

pasarbb.com

curavy.com

efcomportamento.com

twittertornado.com

siyhy.com

roamnext.com

hongduen.com

urbaanmarket.com

davidcavanaghreplays.com

comperhouse.com

ne-nerede.net

m365fordevs.com

structuredadvocates.com

withalldads.love

assanamusic.info

oshaberi-machiko.com

mollyellen.net

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/2752-13-0x0000000000400000-0x000000000042E000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4180 set thread context of 2752	4180	19e4c0e192b1966e105f7cdc815d4861_JaffaCakes118.exe	92

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	19e4c0e192b1966e105f7cdc815d4861_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4180	19e4c0e192b1966e105f7cdc815d4861_JaffaCakes118.exe
4180	19e4c0e192b1966e105f7cdc815d4861_JaffaCakes118.exe
2752	19e4c0e192b1966e105f7cdc815d4861_JaffaCakes118.exe
2752	19e4c0e192b1966e105f7cdc815d4861_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4180	19e4c0e192b1966e105f7cdc815d4861_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4180 wrote to memory of 4908	4180	19e4c0e192b1966e105f7cdc815d4861_JaffaCakes118.exe	91
PID 4180 wrote to memory of 4908	4180	19e4c0e192b1966e105f7cdc815d4861_JaffaCakes118.exe	91
PID 4180 wrote to memory of 4908	4180	19e4c0e192b1966e105f7cdc815d4861_JaffaCakes118.exe	91
PID 4180 wrote to memory of 2752	4180	19e4c0e192b1966e105f7cdc815d4861_JaffaCakes118.exe	92
PID 4180 wrote to memory of 2752	4180	19e4c0e192b1966e105f7cdc815d4861_JaffaCakes118.exe	92
PID 4180 wrote to memory of 2752	4180	19e4c0e192b1966e105f7cdc815d4861_JaffaCakes118.exe	92
PID 4180 wrote to memory of 2752	4180	19e4c0e192b1966e105f7cdc815d4861_JaffaCakes118.exe	92
PID 4180 wrote to memory of 2752	4180	19e4c0e192b1966e105f7cdc815d4861_JaffaCakes118.exe	92
PID 4180 wrote to memory of 2752	4180	19e4c0e192b1966e105f7cdc815d4861_JaffaCakes118.exe	92

C:\Users\Admin\AppData\Local\Temp\19e4c0e192b1966e105f7cdc815d4861_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\19e4c0e192b1966e105f7cdc815d4861_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4180
- C:\Users\Admin\AppData\Local\Temp\19e4c0e192b1966e105f7cdc815d4861_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\19e4c0e192b1966e105f7cdc815d4861_JaffaCakes118.exe"
  2⤵
  PID:4908
- C:\Users\Admin\AppData\Local\Temp\19e4c0e192b1966e105f7cdc815d4861_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\19e4c0e192b1966e105f7cdc815d4861_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2752-13-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2752-16-0x0000000001350000-0x000000000169A000-memory.dmp

Filesize
3.3MB

Download
memory/4180-8-0x00000000078E0000-0x00000000078F6000-memory.dmp

Filesize
88KB

Download
memory/4180-9-0x000000007516E000-0x000000007516F000-memory.dmp

Filesize
4KB

Download
memory/4180-4-0x0000000004D40000-0x0000000004DD2000-memory.dmp

Filesize
584KB

Download
memory/4180-6-0x0000000075160000-0x0000000075910000-memory.dmp

Filesize
7.7MB

Download
memory/4180-5-0x0000000004C50000-0x0000000004C5A000-memory.dmp

Filesize
40KB

Download
memory/4180-7-0x0000000004ED0000-0x0000000004F26000-memory.dmp

Filesize
344KB

Download
memory/4180-0-0x000000007516E000-0x000000007516F000-memory.dmp

Filesize
4KB

Download
memory/4180-3-0x0000000005250000-0x00000000057F4000-memory.dmp

Filesize
5.6MB

Download
memory/4180-10-0x0000000075160000-0x0000000075910000-memory.dmp

Filesize
7.7MB

Download
memory/4180-11-0x0000000007E70000-0x0000000007F0E000-memory.dmp

Filesize
632KB

Download
memory/4180-12-0x000000000A620000-0x000000000A654000-memory.dmp

Filesize
208KB

Download
memory/4180-2-0x0000000004B60000-0x0000000004BFC000-memory.dmp

Filesize
624KB

Download
memory/4180-15-0x0000000075160000-0x0000000075910000-memory.dmp

Filesize
7.7MB

Download
memory/4180-1-0x0000000000120000-0x0000000000200000-memory.dmp

Filesize
896KB

Download

Analysis

Sharing