formbook | 187fda2b830429934ff2d59c014f05098bfb323d639be258f075efa4309f5c0f

General

Target

JaffaCakes118_187fda2b830429934ff2d59c014f05098bfb323d639be258f075efa4309f5c0f.exe
Size

265KB
MD5

a0a1f5ff78c714b094a5fb386e02a7a3
SHA1

10fd01e713a5b96d19fd636e646f231bdb059bf1
SHA256

187fda2b830429934ff2d59c014f05098bfb323d639be258f075efa4309f5c0f
SHA512

6db4734f3b1f13f4ad87dd3b604a8c6b37698e7b788604d53fd42a3cf0af9155c96f54ce5d2651ba2f905a385eddf0c57284bda0078bba4ad5f71adde9e05fe2
SSDEEP

6144:xNeZBEmUT5ohIP1DT1SDLiXoina7ZnkOnIhB:xN+BI5yWHOiXlKkHB

Score

10^/10

formbook fkku discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

fkku

Decoy

ItLUfbYmkw6ODl8lnvwkR/8=

oUKMUSjydqzVWxG/CqjK3ngAhQ==

HB9lfRtFwT/XlJ9Lxw==

hBYXuorq7a3WwPq1NSezCMStlQ==

ciRqfQbLgwx/+e2rLqTZ8oMLc2LYY4o=

9vb76Nc8JzKlj4YEQyPAx2dx86U=

fB9041xJgwl1

ND8juoNyH6x5XqlZ2Q==

QEaot04y8XLjFOBp1Cg=

SG6vmdmmpmFmDosczg==

WWCorUT756r1F+aD3cd7Cij6nSFQ

Yl63zVL2NnFph44XcKkiP/k=

s2RfFNOd3fuBEJNZ2ig=

u1p6Ucr2uCketwGD

0vD8lFkSfRCHEJdebbrb

qzlqgxrsrDRmDosczg==

H5aTYXc2rHXjzQ==

S/pFbexYx0S+Ex7SN5rC

9kOIkRTWkA136nA2Ua/R

ojOElJ50E1N40ZNanCbEZw==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\Geo\Nation	xscfbjx.exe

Executes dropped EXE 1 IoCs

pid	Process
2380	xscfbjx.exe

Loads dropped DLL 3 IoCs

pid	Process
2176	JaffaCakes118_187fda2b830429934ff2d59c014f05098bfb323d639be258f075efa4309f5c0f.exe
2380	xscfbjx.exe
2972	xscfbjx.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2380 set thread context of 2972	2380	xscfbjx.exe	31
PID 2972 set thread context of 1220	2972	xscfbjx.exe	21
PID 2972 set thread context of 1220	2972	xscfbjx.exe	21
PID 2600 set thread context of 1220	2600	help.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_187fda2b830429934ff2d59c014f05098bfb323d639be258f075efa4309f5c0f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xscfbjx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	help.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
2972	xscfbjx.exe
2972	xscfbjx.exe
2972	xscfbjx.exe
2972	xscfbjx.exe
2972	xscfbjx.exe
2600	help.exe
2600	help.exe
2600	help.exe
2600	help.exe
2600	help.exe
2600	help.exe
2600	help.exe
2600	help.exe
2600	help.exe
2600	help.exe
2600	help.exe
2600	help.exe
2600	help.exe
2600	help.exe
2600	help.exe
2600	help.exe
2600	help.exe
2600	help.exe
2600	help.exe
2600	help.exe
2600	help.exe
2600	help.exe
2600	help.exe
2600	help.exe
2600	help.exe
2600	help.exe
2600	help.exe
2600	help.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2972	xscfbjx.exe
2972	xscfbjx.exe
2972	xscfbjx.exe
2972	xscfbjx.exe
2600	help.exe
2600	help.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2972	xscfbjx.exe
Token: SeDebugPrivilege	2600	help.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2380	2176	JaffaCakes118_187fda2b830429934ff2d59c014f05098bfb323d639be258f075efa4309f5c0f.exe	30
PID 2176 wrote to memory of 2380	2176	JaffaCakes118_187fda2b830429934ff2d59c014f05098bfb323d639be258f075efa4309f5c0f.exe	30
PID 2176 wrote to memory of 2380	2176	JaffaCakes118_187fda2b830429934ff2d59c014f05098bfb323d639be258f075efa4309f5c0f.exe	30
PID 2176 wrote to memory of 2380	2176	JaffaCakes118_187fda2b830429934ff2d59c014f05098bfb323d639be258f075efa4309f5c0f.exe	30
PID 2380 wrote to memory of 2972	2380	xscfbjx.exe	31
PID 2380 wrote to memory of 2972	2380	xscfbjx.exe	31
PID 2380 wrote to memory of 2972	2380	xscfbjx.exe	31
PID 2380 wrote to memory of 2972	2380	xscfbjx.exe	31
PID 2380 wrote to memory of 2972	2380	xscfbjx.exe	31
PID 1220 wrote to memory of 2600	1220	Explorer.EXE	32
PID 1220 wrote to memory of 2600	1220	Explorer.EXE	32
PID 1220 wrote to memory of 2600	1220	Explorer.EXE	32
PID 1220 wrote to memory of 2600	1220	Explorer.EXE	32

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_187fda2b830429934ff2d59c014f05098bfb323d639be258f075efa4309f5c0f.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_187fda2b830429934ff2d59c014f05098bfb323d639be258f075efa4309f5c0f.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Users\Admin\AppData\Local\Temp\xscfbjx.exe
    "C:\Users\Admin\AppData\Local\Temp\xscfbjx.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2380
  - - C:\Users\Admin\AppData\Local\Temp\xscfbjx.exe
      "C:\Users\Admin\AppData\Local\Temp\xscfbjx.exe"
      4⤵
      Checks computer location settings
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2972
- C:\Windows\SysWOW64\help.exe
  "C:\Windows\SysWOW64\help.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ryaxdj.tz

Filesize
4KB

MD5
58661627bbc5a0309c8c80c5886b2c78

SHA1
74a8ce5fa8a70b5493ede45a71df09bfe05d50b4

SHA256
5332de813671b1190f3d39ab8e2a0342823563c9626137015e970e832fa7bc98

SHA512
f515c00e50366c39a80b3097b1d197bf3f8cd426c5c6699e70ce3e77471f91ffc93540188afd9d25e088f13a0e4bd07cedf9ead39d79a34942ec785d9a1a4c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\vkyytyjpxe.df

Filesize
185KB

MD5
2045e2fba3e4e549f31ada7008b2af16

SHA1
f97571e97a60f39be18af949c0971ccaaa88ef2e

SHA256
c6b1b5674d75f753f483c25c44eb2c90e0a348372cf4ebcf5fb2cb57304bc239

SHA512
b93ac0f34b23b809ff146cf42cb2b04a761ffaf3b48f3dcd45e1fc93ea5cf2bd46dd69d180e61a2c59742637b6079b32c5790ddfd100c0cb33854542a88251ac

Download Submit
\Users\Admin\AppData\Local\Temp\xscfbjx.exe

Filesize
74KB

MD5
08b101029a510d1467056305f8bda101

SHA1
938d534e3584b132ece92f01e0089304b9587803

SHA256
3d897c1632a6234082cafef209af7ddb9f91a0af33b03e6d004e153a54d622c0

SHA512
631cc7c7a08b9492661983200ecc9b96c2d958d756808ed8b5b431a1a29ec92d360866c41c5d8307a3d185bcdedb4e66d661ec812d47d1ae057013a8cbc0ccbd

Download Submit
memory/1220-22-0x0000000004CB0000-0x0000000004D83000-memory.dmp

Filesize
844KB

Download
memory/1220-28-0x0000000004CB0000-0x0000000004D83000-memory.dmp

Filesize
844KB

Download
memory/1220-17-0x0000000006760000-0x00000000068D9000-memory.dmp

Filesize
1.5MB

Download
memory/2380-9-0x0000000000080000-0x0000000000082000-memory.dmp

Filesize
8KB

Download
memory/2600-27-0x00000000000C0000-0x00000000000ED000-memory.dmp

Filesize
180KB

Download
memory/2600-25-0x0000000000F80000-0x0000000000F86000-memory.dmp

Filesize
24KB

Download
memory/2600-26-0x0000000000F80000-0x0000000000F86000-memory.dmp

Filesize
24KB

Download
memory/2972-14-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/2972-19-0x0000000000423000-0x0000000000424000-memory.dmp

Filesize
4KB

Download
memory/2972-20-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2972-18-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/2972-24-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/2972-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2972-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing