formbook | a03ebb1ad2450b07206923043ad865cb83e1d4798a9273704a9626854fd17399

General

Target

a1c4645815d0ab06831f62042cfa0da0_JaffaCakes118.exe
Size

1.5MB
MD5

a1c4645815d0ab06831f62042cfa0da0
SHA1

e3ce2d0fc9bd18ab30d589f052edce9ca410f2ee
SHA256

a03ebb1ad2450b07206923043ad865cb83e1d4798a9273704a9626854fd17399
SHA512

a34d0c18b833f36e0698e2396270a43ed93d5d2839fa94753ad5fa4e4bf9ec8ecfb3d38f17c0384f30dde1d838c1cf462a40f14da8f430788e5e51cd0162e020
SSDEEP

24576:4SZIpRCJh5KhAEoaPMRfyT43jJ3cYp9KnZZS5R0:ApR0cjoaPM5yCJ3ck923B

Score

10^/10

formbook nff discovery evasion rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

nff

Decoy

shinseikai.site

creditmystartup.com

howtovvbucks.com

betterfromthebeginning.com

oubacm.com

stonalogov.com

gentrypartyof8.com

cuesticksandsupplies.com

joelsavestheday.com

llanobnb.com

ecclogic.com

miempaque.com

cai23668.com

miscdr.net

twzhhq.com

bloomandbrewcafe.com

angcomleisure.com

mafeeboutique.com

300coin.club

brooksranchhomes.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3612-13-0x0000000000400000-0x000000000042E000-memory.dmp	formbook

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

a1c4645815d0ab06831f62042cfa0da0_JaffaCakes118.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions	a1c4645815d0ab06831f62042cfa0da0_JaffaCakes118.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

a1c4645815d0ab06831f62042cfa0da0_JaffaCakes118.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	a1c4645815d0ab06831f62042cfa0da0_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a1c4645815d0ab06831f62042cfa0da0_JaffaCakes118.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a1c4645815d0ab06831f62042cfa0da0_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a1c4645815d0ab06831f62042cfa0da0_JaffaCakes118.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

a1c4645815d0ab06831f62042cfa0da0_JaffaCakes118.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	a1c4645815d0ab06831f62042cfa0da0_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	a1c4645815d0ab06831f62042cfa0da0_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

a1c4645815d0ab06831f62042cfa0da0_JaffaCakes118.exe

description	pid	Process	procid_target
PID 3644 set thread context of 3612	3644	a1c4645815d0ab06831f62042cfa0da0_JaffaCakes118.exe	91

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

a1c4645815d0ab06831f62042cfa0da0_JaffaCakes118.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a1c4645815d0ab06831f62042cfa0da0_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a1c4645815d0ab06831f62042cfa0da0_JaffaCakes118.exe

pid	Process
3612	a1c4645815d0ab06831f62042cfa0da0_JaffaCakes118.exe
3612	a1c4645815d0ab06831f62042cfa0da0_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

a1c4645815d0ab06831f62042cfa0da0_JaffaCakes118.exe

description	pid	Process	procid_target
PID 3644 wrote to memory of 3612	3644	a1c4645815d0ab06831f62042cfa0da0_JaffaCakes118.exe	91
PID 3644 wrote to memory of 3612	3644	a1c4645815d0ab06831f62042cfa0da0_JaffaCakes118.exe	91
PID 3644 wrote to memory of 3612	3644	a1c4645815d0ab06831f62042cfa0da0_JaffaCakes118.exe	91
PID 3644 wrote to memory of 3612	3644	a1c4645815d0ab06831f62042cfa0da0_JaffaCakes118.exe	91
PID 3644 wrote to memory of 3612	3644	a1c4645815d0ab06831f62042cfa0da0_JaffaCakes118.exe	91
PID 3644 wrote to memory of 3612	3644	a1c4645815d0ab06831f62042cfa0da0_JaffaCakes118.exe	91

C:\Users\Admin\AppData\Local\Temp\a1c4645815d0ab06831f62042cfa0da0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a1c4645815d0ab06831f62042cfa0da0_JaffaCakes118.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3644
- C:\Users\Admin\AppData\Local\Temp\a1c4645815d0ab06831f62042cfa0da0_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a1c4645815d0ab06831f62042cfa0da0_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3612-13-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3612-17-0x0000000001530000-0x000000000187A000-memory.dmp

Filesize
3.3MB

Download
memory/3612-15-0x0000000001530000-0x000000000187A000-memory.dmp

Filesize
3.3MB

Download
memory/3644-8-0x000000007518E000-0x000000007518F000-memory.dmp

Filesize
4KB

Download
memory/3644-10-0x00000000067A0000-0x0000000006842000-memory.dmp

Filesize
648KB

Download
memory/3644-5-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/3644-6-0x0000000006250000-0x00000000062EC000-memory.dmp

Filesize
624KB

Download
memory/3644-7-0x0000000004DC0000-0x0000000004DDE000-memory.dmp

Filesize
120KB

Download
memory/3644-0-0x000000007518E000-0x000000007518F000-memory.dmp

Filesize
4KB

Download
memory/3644-9-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/3644-4-0x0000000004B60000-0x0000000004B6A000-memory.dmp

Filesize
40KB

Download
memory/3644-11-0x00000000065A0000-0x00000000065D4000-memory.dmp

Filesize
208KB

Download
memory/3644-12-0x000000000BDB0000-0x000000000BE16000-memory.dmp

Filesize
408KB

Download
memory/3644-3-0x0000000004B80000-0x0000000004C12000-memory.dmp

Filesize
584KB

Download
memory/3644-2-0x0000000005090000-0x0000000005634000-memory.dmp

Filesize
5.6MB

Download
memory/3644-16-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/3644-1-0x0000000000020000-0x00000000001AA000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads