formbook | b70102d1cdd3822f097da98e2068b162590de84338edc577ba7c54953b55dfe2

Analysis

max time kernel
93s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2024 21:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

975f67ccf96e69099d84b63c56ab1f2d_JaffaCakes118.exe
Size

796KB
MD5

975f67ccf96e69099d84b63c56ab1f2d
SHA1

04428d3873170421b0a1efd821ec3b7366a28119
SHA256

b70102d1cdd3822f097da98e2068b162590de84338edc577ba7c54953b55dfe2
SHA512

b43857851aeab0901b521892b691d414e366ef127f71dff39c53dabffe7a294a1058cd8027b02651897bb400bc4071cbfe09cf7a9025c301c6bd54ac896b4ef6
SSDEEP

12288:1y5i2yxqFCYt8/vLRDDP8rZit6qeZaGRIDuTA:1yYqFCYtozRDD6ZM7f+o

Score

10^/10

formbook ap discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

Decoy

runway27band.com

nogofarm.com

phfrontpage.info

apolloidt.com

superiorselfstoragecny.com

sharebelieves.com

schwabejapan.com

myicro.digital

quesodeflor.com

ar2make.com

lestudio12.com

thefilix.com

milfdating365.com

urnbet.com

fina.ltd

victoriaprrime.com

supporttechnique.directory

island-car-wash.net

devteamsix.com

zhenyusafety.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4808-5-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
2712	4808	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

975f67ccf96e69099d84b63c56ab1f2d_JaffaCakes118.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	975f67ccf96e69099d84b63c56ab1f2d_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

975f67ccf96e69099d84b63c56ab1f2d_JaffaCakes118.exe

pid	Process
4808	975f67ccf96e69099d84b63c56ab1f2d_JaffaCakes118.exe
4808	975f67ccf96e69099d84b63c56ab1f2d_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

975f67ccf96e69099d84b63c56ab1f2d_JaffaCakes118.exe

pid	Process
4808	975f67ccf96e69099d84b63c56ab1f2d_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\975f67ccf96e69099d84b63c56ab1f2d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\975f67ccf96e69099d84b63c56ab1f2d_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4808
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 764
  2⤵
  - Program crash
  PID:2712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4808 -ip 4808
1⤵
PID:1092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4808-5-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4808-3-0x0000000077941000-0x0000000077A61000-memory.dmp

Filesize
1.1MB

Download
memory/4808-6-0x000000000BB20000-0x000000000BE6A000-memory.dmp

Filesize
3.3MB

Download