formbook | 1605e5cefed723f378f8bd1709dfe744029116bfe93c09c5db8bd1600fcbafd8

General

Target

bba69ef899bbaf731a772822effe289d_JaffaCakes118.exe
Size

757KB
MD5

bba69ef899bbaf731a772822effe289d
SHA1

d01d741576cf27ecc50127ca4cfe8fe239d57172
SHA256

1605e5cefed723f378f8bd1709dfe744029116bfe93c09c5db8bd1600fcbafd8
SHA512

4fe13607e07133f387768e566a7746b593007687448aa88b4246512ff6e9b789d243ef31d75b423087ad0368fd83e84f1a5cbe206d0bf56f00699c8548f095a6
SSDEEP

12288:uIpPtYaerJWUF826kr+iq7oDhEz6vefBavJzrDip6MAXbgYDOaYaer:uEMrJAkrCOhE/kvJzHip6MAXkYDmr

Score

10^/10

formbook jf9f discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

jf9f

Decoy

attorneyscottrynecki.com

vzedhicvg.com

bacca888.com

brevillesales.life

elysiumvrtours.com

dcmbrokersfund.com

fstrly.com

lhsrnw.com

elstin.net

streamnoya.com

ethersadvertising.com

wang0911.com

manh.business

benefits.homes

anthemcommunications.net

silkenhills.com

niallmorgaphotog.com

colegio-hispano.com

newarkphotobooth.com

cuahangtuchonbaoan.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2088-12-0x0000000000400000-0x000000000042E000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

bba69ef899bbaf731a772822effe289d_JaffaCakes118.exe

description	pid	Process	procid_target
PID 1548 set thread context of 2088	1548	bba69ef899bbaf731a772822effe289d_JaffaCakes118.exe	32

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

bba69ef899bbaf731a772822effe289d_JaffaCakes118.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bba69ef899bbaf731a772822effe289d_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

bba69ef899bbaf731a772822effe289d_JaffaCakes118.exebba69ef899bbaf731a772822effe289d_JaffaCakes118.exe

pid	Process
1548	bba69ef899bbaf731a772822effe289d_JaffaCakes118.exe
1548	bba69ef899bbaf731a772822effe289d_JaffaCakes118.exe
1548	bba69ef899bbaf731a772822effe289d_JaffaCakes118.exe
1548	bba69ef899bbaf731a772822effe289d_JaffaCakes118.exe
2088	bba69ef899bbaf731a772822effe289d_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

bba69ef899bbaf731a772822effe289d_JaffaCakes118.exe

description	pid	Process
Token: SeDebugPrivilege	1548	bba69ef899bbaf731a772822effe289d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

bba69ef899bbaf731a772822effe289d_JaffaCakes118.exe

description	pid	Process	procid_target
PID 1548 wrote to memory of 2560	1548	bba69ef899bbaf731a772822effe289d_JaffaCakes118.exe	30
PID 1548 wrote to memory of 2560	1548	bba69ef899bbaf731a772822effe289d_JaffaCakes118.exe	30
PID 1548 wrote to memory of 2560	1548	bba69ef899bbaf731a772822effe289d_JaffaCakes118.exe	30
PID 1548 wrote to memory of 2560	1548	bba69ef899bbaf731a772822effe289d_JaffaCakes118.exe	30
PID 1548 wrote to memory of 2720	1548	bba69ef899bbaf731a772822effe289d_JaffaCakes118.exe	31
PID 1548 wrote to memory of 2720	1548	bba69ef899bbaf731a772822effe289d_JaffaCakes118.exe	31
PID 1548 wrote to memory of 2720	1548	bba69ef899bbaf731a772822effe289d_JaffaCakes118.exe	31
PID 1548 wrote to memory of 2720	1548	bba69ef899bbaf731a772822effe289d_JaffaCakes118.exe	31
PID 1548 wrote to memory of 2088	1548	bba69ef899bbaf731a772822effe289d_JaffaCakes118.exe	32
PID 1548 wrote to memory of 2088	1548	bba69ef899bbaf731a772822effe289d_JaffaCakes118.exe	32
PID 1548 wrote to memory of 2088	1548	bba69ef899bbaf731a772822effe289d_JaffaCakes118.exe	32
PID 1548 wrote to memory of 2088	1548	bba69ef899bbaf731a772822effe289d_JaffaCakes118.exe	32
PID 1548 wrote to memory of 2088	1548	bba69ef899bbaf731a772822effe289d_JaffaCakes118.exe	32
PID 1548 wrote to memory of 2088	1548	bba69ef899bbaf731a772822effe289d_JaffaCakes118.exe	32
PID 1548 wrote to memory of 2088	1548	bba69ef899bbaf731a772822effe289d_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\bba69ef899bbaf731a772822effe289d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bba69ef899bbaf731a772822effe289d_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Users\Admin\AppData\Local\Temp\bba69ef899bbaf731a772822effe289d_JaffaCakes118.exe
  "{path}"
  2⤵
  PID:2560
- C:\Users\Admin\AppData\Local\Temp\bba69ef899bbaf731a772822effe289d_JaffaCakes118.exe
  "{path}"
  2⤵
  PID:2720
- C:\Users\Admin\AppData\Local\Temp\bba69ef899bbaf731a772822effe289d_JaffaCakes118.exe
  "{path}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1548-6-0x00000000057A0000-0x0000000005828000-memory.dmp

Filesize
544KB

Download
memory/1548-0-0x0000000074C5E000-0x0000000074C5F000-memory.dmp

Filesize
4KB

Download
memory/1548-2-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download
memory/1548-3-0x0000000000510000-0x0000000000518000-memory.dmp

Filesize
32KB

Download
memory/1548-4-0x0000000074C5E000-0x0000000074C5F000-memory.dmp

Filesize
4KB

Download
memory/1548-5-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download
memory/1548-1-0x0000000000100000-0x00000000001C2000-memory.dmp

Filesize
776KB

Download
memory/1548-7-0x0000000002060000-0x0000000002098000-memory.dmp

Filesize
224KB

Download
memory/1548-13-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download
memory/2088-9-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2088-8-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2088-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2088-12-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2088-14-0x0000000000860000-0x0000000000B63000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads