formbook | 027eae741aaf031d2edcdc08920457e4c2e641c33847d67705d791f124b7781e

General

Target

JaffaCakes118_b23c8de2a3a56e2fb8bacb085dbd9d19.exe
Size

821KB
MD5

b23c8de2a3a56e2fb8bacb085dbd9d19
SHA1

5957dbee0b2b200110787aac267be09bcecbeda2
SHA256

027eae741aaf031d2edcdc08920457e4c2e641c33847d67705d791f124b7781e
SHA512

a696b8e4cdbca841f2ecae342d8aa61c9ac9adc0849e69c715f3f3ce7b5195711bf4a22ad8c2add5bf1962d6a6cb18b751abbe73711699bce59199bd09ad2a63
SSDEEP

12288:kx/qRSt2dKOvWmr8VI7FitZ+TaioANCif4hdMkuvMNptn0UxqJFTP5ijOE0FPgOe:kxyvKOvLr8K7FiCTaiS1vaqqFM

Score

10^/10

formbook mo9n discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mo9n

Decoy

circuit-town.com

stock-high.xyz

barlindelivery.com

littletoucans.com

bright-tailor.com

firsthandcares.com

ecompropeller.com

circuitoalberghiero.net

creative-egyptps.com

bitracks56.com

douhonghong.com

fingertipcollection.com

happy-bihada.space

blockchainairdropreward.com

xn--reljame-jwa.com

polloycarnesdelivery.com

d22.group

eslamshahrservice.com

vanzing.com

juzide.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/2732-13-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4420 set thread context of 2732	4420	JaffaCakes118_b23c8de2a3a56e2fb8bacb085dbd9d19.exe	90

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b23c8de2a3a56e2fb8bacb085dbd9d19.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4420	JaffaCakes118_b23c8de2a3a56e2fb8bacb085dbd9d19.exe
4420	JaffaCakes118_b23c8de2a3a56e2fb8bacb085dbd9d19.exe
4420	JaffaCakes118_b23c8de2a3a56e2fb8bacb085dbd9d19.exe
4420	JaffaCakes118_b23c8de2a3a56e2fb8bacb085dbd9d19.exe
4420	JaffaCakes118_b23c8de2a3a56e2fb8bacb085dbd9d19.exe
2732	JaffaCakes118_b23c8de2a3a56e2fb8bacb085dbd9d19.exe
2732	JaffaCakes118_b23c8de2a3a56e2fb8bacb085dbd9d19.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4420	JaffaCakes118_b23c8de2a3a56e2fb8bacb085dbd9d19.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4420 wrote to memory of 2708	4420	JaffaCakes118_b23c8de2a3a56e2fb8bacb085dbd9d19.exe	89
PID 4420 wrote to memory of 2708	4420	JaffaCakes118_b23c8de2a3a56e2fb8bacb085dbd9d19.exe	89
PID 4420 wrote to memory of 2708	4420	JaffaCakes118_b23c8de2a3a56e2fb8bacb085dbd9d19.exe	89
PID 4420 wrote to memory of 2732	4420	JaffaCakes118_b23c8de2a3a56e2fb8bacb085dbd9d19.exe	90
PID 4420 wrote to memory of 2732	4420	JaffaCakes118_b23c8de2a3a56e2fb8bacb085dbd9d19.exe	90
PID 4420 wrote to memory of 2732	4420	JaffaCakes118_b23c8de2a3a56e2fb8bacb085dbd9d19.exe	90
PID 4420 wrote to memory of 2732	4420	JaffaCakes118_b23c8de2a3a56e2fb8bacb085dbd9d19.exe	90
PID 4420 wrote to memory of 2732	4420	JaffaCakes118_b23c8de2a3a56e2fb8bacb085dbd9d19.exe	90
PID 4420 wrote to memory of 2732	4420	JaffaCakes118_b23c8de2a3a56e2fb8bacb085dbd9d19.exe	90

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b23c8de2a3a56e2fb8bacb085dbd9d19.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b23c8de2a3a56e2fb8bacb085dbd9d19.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4420
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b23c8de2a3a56e2fb8bacb085dbd9d19.exe
  "{path}"
  2⤵
  PID:2708
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b23c8de2a3a56e2fb8bacb085dbd9d19.exe
  "{path}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2732-13-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2732-16-0x0000000001080000-0x00000000013CA000-memory.dmp

Filesize
3.3MB

Download
memory/4420-8-0x0000000005970000-0x0000000005984000-memory.dmp

Filesize
80KB

Download
memory/4420-9-0x000000007534E000-0x000000007534F000-memory.dmp

Filesize
4KB

Download
memory/4420-5-0x0000000075340000-0x0000000075AF0000-memory.dmp

Filesize
7.7MB

Download
memory/4420-4-0x00000000056B0000-0x0000000005742000-memory.dmp

Filesize
584KB

Download
memory/4420-7-0x00000000058A0000-0x00000000058F6000-memory.dmp

Filesize
344KB

Download
memory/4420-6-0x00000000055B0000-0x00000000055BA000-memory.dmp

Filesize
40KB

Download
memory/4420-0-0x000000007534E000-0x000000007534F000-memory.dmp

Filesize
4KB

Download
memory/4420-3-0x0000000005C60000-0x0000000006204000-memory.dmp

Filesize
5.6MB

Download
memory/4420-10-0x0000000075340000-0x0000000075AF0000-memory.dmp

Filesize
7.7MB

Download
memory/4420-11-0x00000000085A0000-0x0000000008628000-memory.dmp

Filesize
544KB

Download
memory/4420-12-0x000000000AD30000-0x000000000AD64000-memory.dmp

Filesize
208KB

Download
memory/4420-2-0x0000000005610000-0x00000000056AC000-memory.dmp

Filesize
624KB

Download
memory/4420-15-0x0000000075340000-0x0000000075AF0000-memory.dmp

Filesize
7.7MB

Download
memory/4420-1-0x0000000000790000-0x0000000000864000-memory.dmp

Filesize
848KB

Download

Analysis

Sharing