formbook | a47718c57ed25e5c30f0ea7c68952d6aae4ec1f4f0e889d7edae01228334cd14

General

Target

b7189c8229baecede904e58eff8438c7_JaffaCakes118.exe
Size

420KB
MD5

b7189c8229baecede904e58eff8438c7
SHA1

e3637bd5028b35dddd27fc1f836076cd4ba3eb61
SHA256

a47718c57ed25e5c30f0ea7c68952d6aae4ec1f4f0e889d7edae01228334cd14
SHA512

15587ae65ac51b87ada349b2a4acd8333ac61687cfda1de9846630a3123154a7621398b1d8bbeff511e19b4c0d9b3180010059383c61bf0109388585cdc824f5
SSDEEP

12288:q6/vbcscYE/kaI6mdVHq+dTQT/cHcFZcmD:qGArYEMaI6mdVHRycHgcm

Score

10^/10

formbook be agilenet rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

be

Decoy

funtimejacksonms.com

vivrepourlamode.com

leonisviridis.com

this-hiking-cycling.com

quintavenidagym.com

bigfishsurfboards.net

visitbeiliu.com

mobileappsdirectnow.com

globusholdings.com

panopolisclub.com

qrw.info

presize.net

flsjapan2012.com

englishpremiershipcamps.com

studiolgm.com

fernandomellovianna.net

villa-le-boqueteau.com

souqmore.com

trapcessful.com

jumpshoppu.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook payload 1 IoCs
rat

Processes:

resource yara_rule

behavioral2/memory/4744-13-0x0000000000400000-0x000000000042A000-memory.dmp formbook
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
agilenet

Processes:

resource yara_rule

behavioral2/memory/3148-10-0x00000000034A0000-0x00000000034AA000-memory.dmp agile_net
Suspicious use of SetThreadContext 1 IoCs

Processes:

b7189c8229baecede904e58eff8438c7_JaffaCakes118.exe

description pid process target process

PID 3148 set thread context of 4744 3148 b7189c8229baecede904e58eff8438c7_JaffaCakes118.exe b7189c8229baecede904e58eff8438c7_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

b7189c8229baecede904e58eff8438c7_JaffaCakes118.exe

pid process

4744 b7189c8229baecede904e58eff8438c7_JaffaCakes118.exe
4744 b7189c8229baecede904e58eff8438c7_JaffaCakes118.exe
4744 b7189c8229baecede904e58eff8438c7_JaffaCakes118.exe

resource	yara_rule
behavioral2/memory/4744-13-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

resource	yara_rule
behavioral2/memory/3148-10-0x00000000034A0000-0x00000000034AA000-memory.dmp	agile_net

description	pid	process	target process
PID 3148 set thread context of 4744	3148	b7189c8229baecede904e58eff8438c7_JaffaCakes118.exe	b7189c8229baecede904e58eff8438c7_JaffaCakes118.exe

pid	process
4744	b7189c8229baecede904e58eff8438c7_JaffaCakes118.exe
4744	b7189c8229baecede904e58eff8438c7_JaffaCakes118.exe
4744	b7189c8229baecede904e58eff8438c7_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

b7189c8229baecede904e58eff8438c7_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	3148	b7189c8229baecede904e58eff8438c7_JaffaCakes118.exe
Token: 33	3148	b7189c8229baecede904e58eff8438c7_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3148	b7189c8229baecede904e58eff8438c7_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

b7189c8229baecede904e58eff8438c7_JaffaCakes118.exe

description	pid	process	target process
PID 3148 wrote to memory of 4744	3148	b7189c8229baecede904e58eff8438c7_JaffaCakes118.exe	b7189c8229baecede904e58eff8438c7_JaffaCakes118.exe
PID 3148 wrote to memory of 4744	3148	b7189c8229baecede904e58eff8438c7_JaffaCakes118.exe	b7189c8229baecede904e58eff8438c7_JaffaCakes118.exe
PID 3148 wrote to memory of 4744	3148	b7189c8229baecede904e58eff8438c7_JaffaCakes118.exe	b7189c8229baecede904e58eff8438c7_JaffaCakes118.exe
PID 3148 wrote to memory of 4744	3148	b7189c8229baecede904e58eff8438c7_JaffaCakes118.exe	b7189c8229baecede904e58eff8438c7_JaffaCakes118.exe
PID 3148 wrote to memory of 4744	3148	b7189c8229baecede904e58eff8438c7_JaffaCakes118.exe	b7189c8229baecede904e58eff8438c7_JaffaCakes118.exe
PID 3148 wrote to memory of 4744	3148	b7189c8229baecede904e58eff8438c7_JaffaCakes118.exe	b7189c8229baecede904e58eff8438c7_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\b7189c8229baecede904e58eff8438c7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b7189c8229baecede904e58eff8438c7_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3148

C:\Users\Admin\AppData\Local\Temp\b7189c8229baecede904e58eff8438c7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b7189c8229baecede904e58eff8438c7_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4328 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
1⤵
PID:540

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3148-8-0x0000000007F70000-0x0000000007F78000-memory.dmp

Filesize
32KB

Download
memory/3148-6-0x0000000007FB0000-0x0000000008042000-memory.dmp

Filesize
584KB

Download
memory/3148-2-0x0000000005930000-0x0000000005968000-memory.dmp

Filesize
224KB

Download
memory/3148-3-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/3148-0-0x0000000074DDE000-0x0000000074DDF000-memory.dmp

Filesize
4KB

Download
memory/3148-5-0x0000000008450000-0x00000000089F4000-memory.dmp

Filesize
5.6MB

Download
memory/3148-1-0x0000000000FB0000-0x0000000001022000-memory.dmp

Filesize
456KB

Download
memory/3148-7-0x0000000007F20000-0x0000000007F2E000-memory.dmp

Filesize
56KB

Download
memory/3148-4-0x0000000007E70000-0x0000000007EA0000-memory.dmp

Filesize
192KB

Download
memory/3148-9-0x0000000074DDE000-0x0000000074DDF000-memory.dmp

Filesize
4KB

Download
memory/3148-10-0x00000000034A0000-0x00000000034AA000-memory.dmp

Filesize
40KB

Download
memory/3148-11-0x0000000008B00000-0x0000000008B9C000-memory.dmp

Filesize
624KB

Download
memory/3148-12-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/3148-15-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/4744-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4744-16-0x0000000001270000-0x00000000015BA000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing