formbook | 930ef88b7c7cfeaaa14f83875ae550193ed4067b6d118833f94cd2e14c5e47e2

General

Target

abd70ec006fec754f2776d7b847c8a6e_JaffaCakes118.exe
Size

388KB
MD5

abd70ec006fec754f2776d7b847c8a6e
SHA1

ec54aab238e3caddede09c41bad1d0a6aa29477c
SHA256

930ef88b7c7cfeaaa14f83875ae550193ed4067b6d118833f94cd2e14c5e47e2
SHA512

18d2629b921ca2be364a5ed8aecb16281431bdbde21d6c762a85709afb8471267eb66b41aca75480fc76636aa7b1933c092f7eb4ce5f7c49045b6ed9ef8b58f2
SSDEEP

6144:uMTP1YPuOZt036C5+GcMxWxSQvkYmlJ5KdsMH3soCzaauK2O0z/Pks:uUmWOZt0fcM8xT0l/+KzdH2OSk

Score

10^/10

formbook ma persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

ma

Decoy

sbo8et.online

cignapathtowellness.com

vanysiaestetica.com

medusmart.com

cttexpresso33347896.site

appleid-verify-signin.com

azumama.com

avarts.studio

jmartinchico.info

8827vvvv.com

affiliates.group

cepsubekur.com

quanyinmami.com

xn----f66bs48bj6k.com

bettyscountrycabin.com

adrianamilne.com

lesfleursdeleonore.com

wwwwz520520.com

yourhomegardensource.com

honaleighceramics.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook payload 1 IoCs
rat

Processes:

resource yara_rule

behavioral1/memory/1668-19-0x0000000000400000-0x000000000042A000-memory.dmp formbook
Executes dropped EXE 2 IoCs

Processes:

winlog.exewinlog.exe

pid process

2636 winlog.exe
1668 winlog.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2528 cmd.exe

resource	yara_rule
behavioral1/memory/1668-19-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

pid	process
2636	winlog.exe
1668	winlog.exe

pid	process
2528	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

winlog.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogs = "C:\\Users\\Admin\\AppData\\Local\\winlog.exe -boot"	winlog.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

winlog.exewinlog.exeNETSTAT.EXE

description	pid	process	target process
PID 2636 set thread context of 1668	2636	winlog.exe	winlog.exe
PID 1668 set thread context of 1188	1668	winlog.exe	Explorer.EXE
PID 2004 set thread context of 1188	2004	NETSTAT.EXE	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

NETSTAT.EXE

pid process

2004 NETSTAT.EXE

pid	process
2004	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

winlog.exeNETSTAT.EXE

pid	process
1668	winlog.exe
1668	winlog.exe
2004	NETSTAT.EXE
2004	NETSTAT.EXE
2004	NETSTAT.EXE
2004	NETSTAT.EXE
2004	NETSTAT.EXE
2004	NETSTAT.EXE
2004	NETSTAT.EXE
2004	NETSTAT.EXE
2004	NETSTAT.EXE
2004	NETSTAT.EXE
2004	NETSTAT.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

winlog.exeNETSTAT.EXE

pid process

1668 winlog.exe
1668 winlog.exe
1668 winlog.exe
2004 NETSTAT.EXE
2004 NETSTAT.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

abd70ec006fec754f2776d7b847c8a6e_JaffaCakes118.exewinlog.exewinlog.exeNETSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	2416	abd70ec006fec754f2776d7b847c8a6e_JaffaCakes118.exe
Token: SeDebugPrivilege	2636	winlog.exe
Token: SeDebugPrivilege	1668	winlog.exe
Token: SeDebugPrivilege	2004	NETSTAT.EXE

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

abd70ec006fec754f2776d7b847c8a6e_JaffaCakes118.execmd.exewinlog.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 2416 wrote to memory of 2656	2416	abd70ec006fec754f2776d7b847c8a6e_JaffaCakes118.exe	cmd.exe
PID 2416 wrote to memory of 2656	2416	abd70ec006fec754f2776d7b847c8a6e_JaffaCakes118.exe	cmd.exe
PID 2416 wrote to memory of 2656	2416	abd70ec006fec754f2776d7b847c8a6e_JaffaCakes118.exe	cmd.exe
PID 2416 wrote to memory of 2656	2416	abd70ec006fec754f2776d7b847c8a6e_JaffaCakes118.exe	cmd.exe
PID 2416 wrote to memory of 2528	2416	abd70ec006fec754f2776d7b847c8a6e_JaffaCakes118.exe	cmd.exe
PID 2416 wrote to memory of 2528	2416	abd70ec006fec754f2776d7b847c8a6e_JaffaCakes118.exe	cmd.exe
PID 2416 wrote to memory of 2528	2416	abd70ec006fec754f2776d7b847c8a6e_JaffaCakes118.exe	cmd.exe
PID 2416 wrote to memory of 2528	2416	abd70ec006fec754f2776d7b847c8a6e_JaffaCakes118.exe	cmd.exe
PID 2528 wrote to memory of 2636	2528	cmd.exe	winlog.exe
PID 2528 wrote to memory of 2636	2528	cmd.exe	winlog.exe
PID 2528 wrote to memory of 2636	2528	cmd.exe	winlog.exe
PID 2528 wrote to memory of 2636	2528	cmd.exe	winlog.exe
PID 2636 wrote to memory of 1668	2636	winlog.exe	winlog.exe
PID 2636 wrote to memory of 1668	2636	winlog.exe	winlog.exe
PID 2636 wrote to memory of 1668	2636	winlog.exe	winlog.exe
PID 2636 wrote to memory of 1668	2636	winlog.exe	winlog.exe
PID 2636 wrote to memory of 1668	2636	winlog.exe	winlog.exe
PID 2636 wrote to memory of 1668	2636	winlog.exe	winlog.exe
PID 2636 wrote to memory of 1668	2636	winlog.exe	winlog.exe
PID 1188 wrote to memory of 2004	1188	Explorer.EXE	NETSTAT.EXE
PID 1188 wrote to memory of 2004	1188	Explorer.EXE	NETSTAT.EXE
PID 1188 wrote to memory of 2004	1188	Explorer.EXE	NETSTAT.EXE
PID 1188 wrote to memory of 2004	1188	Explorer.EXE	NETSTAT.EXE
PID 2004 wrote to memory of 1036	2004	NETSTAT.EXE	cmd.exe
PID 2004 wrote to memory of 1036	2004	NETSTAT.EXE	cmd.exe
PID 2004 wrote to memory of 1036	2004	NETSTAT.EXE	cmd.exe
PID 2004 wrote to memory of 1036	2004	NETSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1188

C:\Users\Admin\AppData\Local\Temp\abd70ec006fec754f2776d7b847c8a6e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\abd70ec006fec754f2776d7b847c8a6e_JaffaCakes118.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2416

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\abd70ec006fec754f2776d7b847c8a6e_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\winlog.exe"
3⤵
PID:2656

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\winlog.exe"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2528

C:\Users\Admin\AppData\Local\winlog.exe
"C:\Users\Admin\AppData\Local\winlog.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2636

C:\Users\Admin\AppData\Local\winlog.exe
"C:\Users\Admin\AppData\Local\winlog.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\winlog.exe"
3⤵
PID:1036

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\winlog.exe
Filesize
388KB

MD5
abd70ec006fec754f2776d7b847c8a6e

SHA1
ec54aab238e3caddede09c41bad1d0a6aa29477c

SHA256
930ef88b7c7cfeaaa14f83875ae550193ed4067b6d118833f94cd2e14c5e47e2

SHA512
18d2629b921ca2be364a5ed8aecb16281431bdbde21d6c762a85709afb8471267eb66b41aca75480fc76636aa7b1933c092f7eb4ce5f7c49045b6ed9ef8b58f2

Download Submit
memory/1188-22-0x0000000005100000-0x0000000005200000-memory.dmp

Filesize
1024KB

Download
memory/1668-18-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1668-19-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1668-16-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1668-14-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2004-23-0x0000000000940000-0x0000000000949000-memory.dmp

Filesize
36KB

Download
memory/2416-4-0x0000000000290000-0x000000000029C000-memory.dmp

Filesize
48KB

Download
memory/2416-13-0x00000000742E0000-0x00000000749CE000-memory.dmp

Filesize
6.9MB

Download
memory/2416-8-0x00000000742E0000-0x00000000749CE000-memory.dmp

Filesize
6.9MB

Download
memory/2416-7-0x00000000742EE000-0x00000000742EF000-memory.dmp

Filesize
4KB

Download
memory/2416-0-0x00000000742EE000-0x00000000742EF000-memory.dmp

Filesize
4KB

Download
memory/2416-3-0x00000000742E0000-0x00000000749CE000-memory.dmp

Filesize
6.9MB

Download
memory/2416-2-0x0000000000260000-0x0000000000280000-memory.dmp

Filesize
128KB

Download
memory/2416-1-0x00000000008C0000-0x0000000000928000-memory.dmp

Filesize
416KB

Download
memory/2636-12-0x0000000001030000-0x0000000001098000-memory.dmp

Filesize
416KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads