formbook | 5729e17f6dd0c37811c10ffdf485d673ab67dcdc730d0e33ba9701a2e5801b11

General

Target

9b8ae24db4bf6a9b1201e78b70788ac9_JaffaCakes118.exe
Size

461KB
MD5

9b8ae24db4bf6a9b1201e78b70788ac9
SHA1

443a86c866e28a90413560f2f76947ee9abff4ff
SHA256

5729e17f6dd0c37811c10ffdf485d673ab67dcdc730d0e33ba9701a2e5801b11
SHA512

3d49fda058664ee07ef34e3d227de589cc844680b26106d46b63c86837b24ed0e44379bbf68b86adbb54ad5fa9291110732affb8ad1048858f069db78543b8aa
SSDEEP

12288:lUomEFRu3xEPEy8y6WX9aSqPIvaVJnwHZcQB0:jmOMSPEi6aKVJnqZcQu

Score

10^/10

formbook et discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

et

Decoy

askvest.com

lsrp-gaming.com

uugan15.com

smokinpenguin.com

sarandipiagaldar.com

utattemimasita.online

hhay.ltd

reje.ltd

jianzao360.com

myzenithcity.com

intentionallydope.today

javacacaepesca.com

publicservicebot.com

brucesilk.win

akbankdirekttmobile.com

topminidiggers.net

mycarpooltunnel.com

etfs247.com

edsouthey.com

objektschreiner.info

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/2372-29-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral2/memory/2372-42-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	9b8ae24db4bf6a9b1201e78b70788ac9_JaffaCakes118.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundll.lnk	rundll.exe

Executes dropped EXE 4 IoCs

pid	Process
4008	rundll.exe
4892	rundll.exe
1020	rundll.exe
2372	rundll.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4008 set thread context of 2372	4008	rundll.exe	104
PID 2372 set thread context of 3504	2372	rundll.exe	56
PID 1940 set thread context of 3504	1940	help.exe	56

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9b8ae24db4bf6a9b1201e78b70788ac9_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	help.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
4008	rundll.exe
4008	rundll.exe
4008	rundll.exe
4008	rundll.exe
2372	rundll.exe
2372	rundll.exe
2372	rundll.exe
2372	rundll.exe
1940	help.exe
1940	help.exe
1940	help.exe
1940	help.exe
1940	help.exe
1940	help.exe
1940	help.exe
1940	help.exe
1940	help.exe
1940	help.exe
1940	help.exe
1940	help.exe
1940	help.exe
1940	help.exe
1940	help.exe
1940	help.exe
1940	help.exe
1940	help.exe
1940	help.exe
1940	help.exe
1940	help.exe
1940	help.exe
1940	help.exe
1940	help.exe
1940	help.exe
1940	help.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2372	rundll.exe
2372	rundll.exe
2372	rundll.exe
1940	help.exe
1940	help.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4008	rundll.exe
Token: SeDebugPrivilege	2372	rundll.exe
Token: SeDebugPrivilege	1940	help.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3184 wrote to memory of 4008	3184	9b8ae24db4bf6a9b1201e78b70788ac9_JaffaCakes118.exe	83
PID 3184 wrote to memory of 4008	3184	9b8ae24db4bf6a9b1201e78b70788ac9_JaffaCakes118.exe	83
PID 3184 wrote to memory of 4008	3184	9b8ae24db4bf6a9b1201e78b70788ac9_JaffaCakes118.exe	83
PID 4008 wrote to memory of 4892	4008	rundll.exe	102
PID 4008 wrote to memory of 4892	4008	rundll.exe	102
PID 4008 wrote to memory of 4892	4008	rundll.exe	102
PID 4008 wrote to memory of 1020	4008	rundll.exe	103
PID 4008 wrote to memory of 1020	4008	rundll.exe	103
PID 4008 wrote to memory of 1020	4008	rundll.exe	103
PID 4008 wrote to memory of 2372	4008	rundll.exe	104
PID 4008 wrote to memory of 2372	4008	rundll.exe	104
PID 4008 wrote to memory of 2372	4008	rundll.exe	104
PID 4008 wrote to memory of 2372	4008	rundll.exe	104
PID 4008 wrote to memory of 2372	4008	rundll.exe	104
PID 4008 wrote to memory of 2372	4008	rundll.exe	104
PID 4008 wrote to memory of 3332	4008	rundll.exe	105
PID 4008 wrote to memory of 3332	4008	rundll.exe	105
PID 4008 wrote to memory of 3332	4008	rundll.exe	105
PID 3504 wrote to memory of 1940	3504	Explorer.EXE	107
PID 3504 wrote to memory of 1940	3504	Explorer.EXE	107
PID 3504 wrote to memory of 1940	3504	Explorer.EXE	107
PID 1940 wrote to memory of 3292	1940	help.exe	108
PID 1940 wrote to memory of 3292	1940	help.exe	108
PID 1940 wrote to memory of 3292	1940	help.exe	108

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3504
- C:\Users\Admin\AppData\Local\Temp\9b8ae24db4bf6a9b1201e78b70788ac9_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\9b8ae24db4bf6a9b1201e78b70788ac9_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3184
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\rundll.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rundll.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4008
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\rundll.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rundll.exe"
      4⤵
      Executes dropped EXE
      PID:4892
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\rundll.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rundll.exe"
      4⤵
      Executes dropped EXE
      PID:1020
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\rundll.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rundll.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2372
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy "C:\Users\Admin\AppData\Local\Temp\RarSFX0\*.*" "C:\Users\Admin\AppData\Roaming\Windowa" & exit
      4⤵
      System Location Discovery: System Language Discovery
      PID:3332
- C:\Windows\SysWOW64\help.exe
  "C:\Windows\SysWOW64\help.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rundll.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\M2

Filesize
35B

MD5
8e04af7dced40d54c21766c75f3aeea4

SHA1
b41faf34a5d667eaa6baae10c39f7b49aab78413

SHA256
271c7e4cddfd794486361fc61901edd97ecd78c103a274442751bb11bbd3c6f6

SHA512
4b636162c8ce370de01f65ed0f6b13e1ffb28534e60fe938747d150a85d0d86407327da0b1e7be64d7da9338405d6f525415184698b63a49e6d258c2d0133525

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Ogrmkwhrrxoeoao.png

Filesize
25KB

MD5
ebc1779cff16441f2dd2ac3675ac8dff

SHA1
d3f81662f296b54d54ceb9c430176acdaae66e32

SHA256
b369e48db7166844d1d9ec3b70737cee72d4dfe367fea7c28332caeddfd57de5

SHA512
70e5db64e1f78288ec07aff856803c9eb4415eb7d37638b2bb61f0711ed86f1d23f27c20872838cc0e0fb0b89305926294bc0e2c9be30b574a18a574242c3575

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Zxamvenagxehdojki.xml

Filesize
167KB

MD5
70c75367f0d65325e490a364132d4923

SHA1
3529af9ff9506fe8b3da1a2d0e4e68b4d7765c99

SHA256
c0533250cd0852095cd3275e005bafe6b4073ad7b535be91144abd1b38bd294b

SHA512
ae5a976dcbb52922ce01992dc0fe170a5a83dc9949103166faa990138b2d5c4ed91d6cfb96b2f0736f6c28aeb046e87cfee78a068ca74c201d28312ae809dd01

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rundll.exe

Filesize
89KB

MD5
76f16606d8135a4176cc3d5d16e12242

SHA1
4584181023a902758365de32afe71ecd5e4b79c7

SHA256
878380daa4ae570c7a2c77f2967cd10af23f9f8aed537854f2772c816f3ada55

SHA512
26bd3b92b6d4017b3f7e3c4e7a4a2bcea06d8137ee818ca84c79dcff4339a1ba82e231f9c05237ab311a7abbc25e131236d370654d10b1b0343b3a530733dc16

Download Submit
memory/1940-41-0x00000000002A0000-0x00000000002A7000-memory.dmp

Filesize
28KB

Download
memory/2372-42-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2372-29-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3504-46-0x0000000008730000-0x000000000883E000-memory.dmp

Filesize
1.1MB

Download
memory/4008-20-0x00000000730E0000-0x0000000073691000-memory.dmp

Filesize
5.7MB

Download
memory/4008-25-0x00000000730E0000-0x0000000073691000-memory.dmp

Filesize
5.7MB

Download
memory/4008-24-0x00000000730E2000-0x00000000730E3000-memory.dmp

Filesize
4KB

Download
memory/4008-23-0x00000000730E0000-0x0000000073691000-memory.dmp

Filesize
5.7MB

Download
memory/4008-19-0x00000000730E0000-0x0000000073691000-memory.dmp

Filesize
5.7MB

Download
memory/4008-18-0x00000000730E2000-0x00000000730E3000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing