formbook | 5729e17f6dd0c37811c10ffdf485d673ab67dcdc730d0e33ba9701a2e5801b11

Analysis

max time kernel
147s
max time network
137s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-11-2024 12:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b8ae24db4bf6a9b1201e78b70788ac9_JaffaCakes118.exe
Size

461KB
MD5

9b8ae24db4bf6a9b1201e78b70788ac9
SHA1

443a86c866e28a90413560f2f76947ee9abff4ff
SHA256

5729e17f6dd0c37811c10ffdf485d673ab67dcdc730d0e33ba9701a2e5801b11
SHA512

3d49fda058664ee07ef34e3d227de589cc844680b26106d46b63c86837b24ed0e44379bbf68b86adbb54ad5fa9291110732affb8ad1048858f069db78543b8aa
SSDEEP

12288:lUomEFRu3xEPEy8y6WX9aSqPIvaVJnwHZcQB0:jmOMSPEi6aKVJnqZcQu

Score

10^/10

formbook et discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

Decoy

askvest.com

lsrp-gaming.com

uugan15.com

smokinpenguin.com

sarandipiagaldar.com

utattemimasita.online

hhay.ltd

reje.ltd

jianzao360.com

myzenithcity.com

intentionallydope.today

javacacaepesca.com

publicservicebot.com

brucesilk.win

akbankdirekttmobile.com

topminidiggers.net

mycarpooltunnel.com

etfs247.com

edsouthey.com

objektschreiner.info

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/2128-35-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral1/memory/2128-48-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral1/memory/2128-50-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundll.lnk	rundll.exe

Executes dropped EXE 2 IoCs

pid	Process
2804	rundll.exe
2128	rundll.exe

Loads dropped DLL 5 IoCs

pid	Process
2196	9b8ae24db4bf6a9b1201e78b70788ac9_JaffaCakes118.exe
2196	9b8ae24db4bf6a9b1201e78b70788ac9_JaffaCakes118.exe
2196	9b8ae24db4bf6a9b1201e78b70788ac9_JaffaCakes118.exe
2196	9b8ae24db4bf6a9b1201e78b70788ac9_JaffaCakes118.exe
2804	rundll.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2804 set thread context of 2128	2804	rundll.exe	32
PID 2128 set thread context of 1204	2128	rundll.exe	21
PID 2128 set thread context of 1204	2128	rundll.exe	21
PID 2144 set thread context of 1204	2144	netsh.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9b8ae24db4bf6a9b1201e78b70788ac9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2128	rundll.exe
2128	rundll.exe
2128	rundll.exe
2144	netsh.exe
2144	netsh.exe
2144	netsh.exe
2144	netsh.exe
2144	netsh.exe
2144	netsh.exe
2144	netsh.exe
2144	netsh.exe
2144	netsh.exe
2144	netsh.exe
2144	netsh.exe
2144	netsh.exe
2144	netsh.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2128	rundll.exe
2128	rundll.exe
2128	rundll.exe
2128	rundll.exe
2144	netsh.exe
2144	netsh.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2804	rundll.exe
Token: SeDebugPrivilege	2128	rundll.exe
Token: SeDebugPrivilege	2144	netsh.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2804	2196	9b8ae24db4bf6a9b1201e78b70788ac9_JaffaCakes118.exe	31
PID 2196 wrote to memory of 2804	2196	9b8ae24db4bf6a9b1201e78b70788ac9_JaffaCakes118.exe	31
PID 2196 wrote to memory of 2804	2196	9b8ae24db4bf6a9b1201e78b70788ac9_JaffaCakes118.exe	31
PID 2196 wrote to memory of 2804	2196	9b8ae24db4bf6a9b1201e78b70788ac9_JaffaCakes118.exe	31
PID 2196 wrote to memory of 2804	2196	9b8ae24db4bf6a9b1201e78b70788ac9_JaffaCakes118.exe	31
PID 2196 wrote to memory of 2804	2196	9b8ae24db4bf6a9b1201e78b70788ac9_JaffaCakes118.exe	31
PID 2196 wrote to memory of 2804	2196	9b8ae24db4bf6a9b1201e78b70788ac9_JaffaCakes118.exe	31
PID 2804 wrote to memory of 2128	2804	rundll.exe	32
PID 2804 wrote to memory of 2128	2804	rundll.exe	32
PID 2804 wrote to memory of 2128	2804	rundll.exe	32
PID 2804 wrote to memory of 2128	2804	rundll.exe	32
PID 2804 wrote to memory of 2128	2804	rundll.exe	32
PID 2804 wrote to memory of 2128	2804	rundll.exe	32
PID 2804 wrote to memory of 2128	2804	rundll.exe	32
PID 2804 wrote to memory of 2128	2804	rundll.exe	32
PID 2804 wrote to memory of 2128	2804	rundll.exe	32
PID 2804 wrote to memory of 2128	2804	rundll.exe	32
PID 2804 wrote to memory of 1536	2804	rundll.exe	33
PID 2804 wrote to memory of 1536	2804	rundll.exe	33
PID 2804 wrote to memory of 1536	2804	rundll.exe	33
PID 2804 wrote to memory of 1536	2804	rundll.exe	33
PID 2804 wrote to memory of 1536	2804	rundll.exe	33
PID 2804 wrote to memory of 1536	2804	rundll.exe	33
PID 2804 wrote to memory of 1536	2804	rundll.exe	33
PID 1204 wrote to memory of 2144	1204	Explorer.EXE	56
PID 1204 wrote to memory of 2144	1204	Explorer.EXE	56
PID 1204 wrote to memory of 2144	1204	Explorer.EXE	56
PID 1204 wrote to memory of 2144	1204	Explorer.EXE	56
PID 2144 wrote to memory of 2208	2144	netsh.exe	57
PID 2144 wrote to memory of 2208	2144	netsh.exe	57
PID 2144 wrote to memory of 2208	2144	netsh.exe	57
PID 2144 wrote to memory of 2208	2144	netsh.exe	57

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Users\Admin\AppData\Local\Temp\9b8ae24db4bf6a9b1201e78b70788ac9_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\9b8ae24db4bf6a9b1201e78b70788ac9_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\rundll.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rundll.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\rundll.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rundll.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2128
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy "C:\Users\Admin\AppData\Local\Temp\RarSFX0\*.*" "C:\Users\Admin\AppData\Roaming\Windowa" & exit
      4⤵
      System Location Discovery: System Language Discovery
      PID:1536
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:1572
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:592
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:1736
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:1652
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:536
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:580
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:596
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:1936
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:1956
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:1776
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:2916
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:2908
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:2404
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:2364
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:1488
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:1068
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:2040
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:852
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:1808
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:2104
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\SysWOW64\netsh.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rundll.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\M2

Filesize
35B

MD5
8e04af7dced40d54c21766c75f3aeea4

SHA1
b41faf34a5d667eaa6baae10c39f7b49aab78413

SHA256
271c7e4cddfd794486361fc61901edd97ecd78c103a274442751bb11bbd3c6f6

SHA512
4b636162c8ce370de01f65ed0f6b13e1ffb28534e60fe938747d150a85d0d86407327da0b1e7be64d7da9338405d6f525415184698b63a49e6d258c2d0133525

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Ogrmkwhrrxoeoao.png

Filesize
25KB

MD5
ebc1779cff16441f2dd2ac3675ac8dff

SHA1
d3f81662f296b54d54ceb9c430176acdaae66e32

SHA256
b369e48db7166844d1d9ec3b70737cee72d4dfe367fea7c28332caeddfd57de5

SHA512
70e5db64e1f78288ec07aff856803c9eb4415eb7d37638b2bb61f0711ed86f1d23f27c20872838cc0e0fb0b89305926294bc0e2c9be30b574a18a574242c3575

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Zxamvenagxehdojki.xml

Filesize
167KB

MD5
70c75367f0d65325e490a364132d4923

SHA1
3529af9ff9506fe8b3da1a2d0e4e68b4d7765c99

SHA256
c0533250cd0852095cd3275e005bafe6b4073ad7b535be91144abd1b38bd294b

SHA512
ae5a976dcbb52922ce01992dc0fe170a5a83dc9949103166faa990138b2d5c4ed91d6cfb96b2f0736f6c28aeb046e87cfee78a068ca74c201d28312ae809dd01

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundll.lnk

Filesize
962B

MD5
613396465f3c424871be8cb6ede5c20c

SHA1
0fa33bd81ed4fccd4e33a107d178a251af63046b

SHA256
136f461e2fb3f80fdf579a7a24c50106f9c99d4737456b343e4f991d22e1ae52

SHA512
a6143d84f4b3aa13c74fec10f52f79dfbff055b72b435bdc92d1eb5def73756abd45ac440a46f2b35b88d5f9738aa37968c3466df1836864c219443a692a4d6d

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\rundll.exe

Filesize
89KB

MD5
76f16606d8135a4176cc3d5d16e12242

SHA1
4584181023a902758365de32afe71ecd5e4b79c7

SHA256
878380daa4ae570c7a2c77f2967cd10af23f9f8aed537854f2772c816f3ada55

SHA512
26bd3b92b6d4017b3f7e3c4e7a4a2bcea06d8137ee818ca84c79dcff4339a1ba82e231f9c05237ab311a7abbc25e131236d370654d10b1b0343b3a530733dc16

Download Submit
memory/1204-56-0x0000000006BE0000-0x0000000006CCB000-memory.dmp

Filesize
940KB

Download
memory/1204-49-0x0000000004EC0000-0x0000000004F8D000-memory.dmp

Filesize
820KB

Download
memory/2128-31-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2128-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2128-32-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2128-35-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2128-48-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2128-50-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2144-51-0x00000000012A0000-0x00000000012BB000-memory.dmp

Filesize
108KB

Download
memory/2804-28-0x0000000074980000-0x0000000074F2B000-memory.dmp

Filesize
5.7MB

Download
memory/2804-24-0x0000000074980000-0x0000000074F2B000-memory.dmp

Filesize
5.7MB

Download
memory/2804-27-0x0000000074980000-0x0000000074F2B000-memory.dmp

Filesize
5.7MB

Download
memory/2804-22-0x0000000074981000-0x0000000074982000-memory.dmp

Filesize
4KB

Download
memory/2804-23-0x0000000074980000-0x0000000074F2B000-memory.dmp

Filesize
5.7MB

Download