formbook | 0497ec7bb66f401d56abc2f7d3aec12a4ca977d9ef122513a0781119a949b248

General

Target

bb53429c934474eb4ae15362b0b0fed9_JaffaCakes118.exe
Size

745KB
MD5

bb53429c934474eb4ae15362b0b0fed9
SHA1

88339aea119d80c639e1e98483936a8ca92e7fce
SHA256

0497ec7bb66f401d56abc2f7d3aec12a4ca977d9ef122513a0781119a949b248
SHA512

5b24c177f0e252547475258d5caa5dfbf58d16d3de48224d00bca0b3edee9b5d505d33c24c58a0a86dc5832425b26431f9145967ca9ddf53a116cf7a9915cffa
SSDEEP

12288:uPq7y8gnl7DlLgY+/HY0nwNtA8utQyoHGaoe6Xk0eXhMMWTIMjdW3rYgbFT/c:cqO7LgYsVw3DlyGiQOVIM5W3kg5T/

Score

10^/10

formbook hx251 persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

hx251

Decoy

cttexpresso707870.site

get-motivation.com

0473.ink

tooniker.com

mediacionelite.com

barterdeck.com

revergereview.com

dafaok66.com

nukonu51.win

hotelesnemocon.com

edijsbogomolovs.com

businesoint.com

bsxdq.com

emanuelhospice.com

marlyprojects.com

jsmw297.com

alexandra-wehner.com

detroitpropertymanagment.com

xhtd293.com

uuluav19.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook payload 2 IoCs
rat

Processes:

resource yara_rule

behavioral2/memory/3952-14-0x0000000000400000-0x000000000042A000-memory.dmp formbook
behavioral2/memory/3952-20-0x0000000000400000-0x000000000042A000-memory.dmp formbook
Executes dropped EXE 3 IoCs

Processes:

bbbbbt.exebbbbbt.exebbbbbt.exe

pid process

4340 bbbbbt.exe
1176 bbbbbt.exe
3952 bbbbbt.exe

resource	yara_rule
behavioral2/memory/3952-14-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral2/memory/3952-20-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

pid	process
4340	bbbbbt.exe
1176	bbbbbt.exe
3952	bbbbbt.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bbbbbt = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\bbbbbt.txt \| cmd"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

bbbbbt.exebbbbbt.exehelp.exe

description	pid	process	target process
PID 4340 set thread context of 3952	4340	bbbbbt.exe	bbbbbt.exe
PID 3952 set thread context of 3404	3952	bbbbbt.exe	Explorer.EXE
PID 1468 set thread context of 3404	1468	help.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

bbbbbt.exehelp.exe

pid	process
3952	bbbbbt.exe
3952	bbbbbt.exe
3952	bbbbbt.exe
3952	bbbbbt.exe
1468	help.exe
1468	help.exe
1468	help.exe
1468	help.exe
1468	help.exe
1468	help.exe
1468	help.exe
1468	help.exe
1468	help.exe
1468	help.exe
1468	help.exe
1468	help.exe
1468	help.exe
1468	help.exe
1468	help.exe
1468	help.exe
1468	help.exe
1468	help.exe
1468	help.exe
1468	help.exe
1468	help.exe
1468	help.exe
1468	help.exe
1468	help.exe
1468	help.exe
1468	help.exe
1468	help.exe
1468	help.exe
1468	help.exe
1468	help.exe
1468	help.exe
1468	help.exe
1468	help.exe
1468	help.exe
1468	help.exe
1468	help.exe
1468	help.exe
1468	help.exe
1468	help.exe
1468	help.exe
1468	help.exe
1468	help.exe
1468	help.exe
1468	help.exe
1468	help.exe
1468	help.exe
1468	help.exe
1468	help.exe
1468	help.exe
1468	help.exe
1468	help.exe
1468	help.exe
1468	help.exe
1468	help.exe
1468	help.exe
1468	help.exe
1468	help.exe
1468	help.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

bbbbbt.exehelp.exe

pid process

3952 bbbbbt.exe
3952 bbbbbt.exe
3952 bbbbbt.exe
1468 help.exe
1468 help.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bb53429c934474eb4ae15362b0b0fed9_JaffaCakes118.exebbbbbt.exebbbbbt.exehelp.exe

description	pid	process
Token: SeDebugPrivilege	4492	bb53429c934474eb4ae15362b0b0fed9_JaffaCakes118.exe
Token: SeDebugPrivilege	4340	bbbbbt.exe
Token: SeDebugPrivilege	3952	bbbbbt.exe
Token: SeDebugPrivilege	1468	help.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Explorer.EXE

pid process

3404 Explorer.EXE
3404 Explorer.EXE
3404 Explorer.EXE
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Explorer.EXE

pid process

3404 Explorer.EXE
3404 Explorer.EXE
3404 Explorer.EXE

pid	process
3404	Explorer.EXE
3404	Explorer.EXE
3404	Explorer.EXE

pid	process
3404	Explorer.EXE
3404	Explorer.EXE
3404	Explorer.EXE

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

bb53429c934474eb4ae15362b0b0fed9_JaffaCakes118.execmd.exebbbbbt.execmd.exeExplorer.EXEhelp.exe

description	pid	process	target process
PID 4492 wrote to memory of 3708	4492	bb53429c934474eb4ae15362b0b0fed9_JaffaCakes118.exe	cmd.exe
PID 4492 wrote to memory of 3708	4492	bb53429c934474eb4ae15362b0b0fed9_JaffaCakes118.exe	cmd.exe
PID 4492 wrote to memory of 3708	4492	bb53429c934474eb4ae15362b0b0fed9_JaffaCakes118.exe	cmd.exe
PID 3708 wrote to memory of 4340	3708	cmd.exe	bbbbbt.exe
PID 3708 wrote to memory of 4340	3708	cmd.exe	bbbbbt.exe
PID 3708 wrote to memory of 4340	3708	cmd.exe	bbbbbt.exe
PID 4340 wrote to memory of 2976	4340	bbbbbt.exe	cmd.exe
PID 4340 wrote to memory of 2976	4340	bbbbbt.exe	cmd.exe
PID 4340 wrote to memory of 2976	4340	bbbbbt.exe	cmd.exe
PID 2976 wrote to memory of 660	2976	cmd.exe	reg.exe
PID 2976 wrote to memory of 660	2976	cmd.exe	reg.exe
PID 2976 wrote to memory of 660	2976	cmd.exe	reg.exe
PID 4340 wrote to memory of 1176	4340	bbbbbt.exe	bbbbbt.exe
PID 4340 wrote to memory of 1176	4340	bbbbbt.exe	bbbbbt.exe
PID 4340 wrote to memory of 1176	4340	bbbbbt.exe	bbbbbt.exe
PID 4340 wrote to memory of 3952	4340	bbbbbt.exe	bbbbbt.exe
PID 4340 wrote to memory of 3952	4340	bbbbbt.exe	bbbbbt.exe
PID 4340 wrote to memory of 3952	4340	bbbbbt.exe	bbbbbt.exe
PID 4340 wrote to memory of 3952	4340	bbbbbt.exe	bbbbbt.exe
PID 4340 wrote to memory of 3952	4340	bbbbbt.exe	bbbbbt.exe
PID 4340 wrote to memory of 3952	4340	bbbbbt.exe	bbbbbt.exe
PID 3404 wrote to memory of 1468	3404	Explorer.EXE	help.exe
PID 3404 wrote to memory of 1468	3404	Explorer.EXE	help.exe
PID 3404 wrote to memory of 1468	3404	Explorer.EXE	help.exe
PID 1468 wrote to memory of 5044	1468	help.exe	cmd.exe
PID 1468 wrote to memory of 5044	1468	help.exe	cmd.exe
PID 1468 wrote to memory of 5044	1468	help.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3404

C:\Users\Admin\AppData\Local\Temp\bb53429c934474eb4ae15362b0b0fed9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bb53429c934474eb4ae15362b0b0fed9_JaffaCakes118.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4492

C:\Windows\SysWOW64\cmd.exe
"cmd"
3⤵
- Suspicious use of WriteProcessMemory
PID:3708

C:\Users\Admin\Desktop\bbbbbt.exe
"C:\Users\Admin\Desktop\bbbbbt.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4340

C:\Windows\SysWOW64\cmd.exe
"cmd"
5⤵
- Suspicious use of WriteProcessMemory
PID:2976

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "bbbbbt" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\bbbbbt.txt" | cmd"
6⤵
- Adds Run key to start application
PID:660

C:\Users\Admin\Desktop\bbbbbt.exe
"C:\Users\Admin\Desktop\bbbbbt.exe"
5⤵
- Executes dropped EXE
PID:1176

C:\Users\Admin\Desktop\bbbbbt.exe
"C:\Users\Admin\Desktop\bbbbbt.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3952

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\Desktop\bbbbbt.exe"
3⤵
PID:5044

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\bbbbbt.exe
Filesize
745KB

MD5
bb53429c934474eb4ae15362b0b0fed9

SHA1
88339aea119d80c639e1e98483936a8ca92e7fce

SHA256
0497ec7bb66f401d56abc2f7d3aec12a4ca977d9ef122513a0781119a949b248

SHA512
5b24c177f0e252547475258d5caa5dfbf58d16d3de48224d00bca0b3edee9b5d505d33c24c58a0a86dc5832425b26431f9145967ca9ddf53a116cf7a9915cffa

Download Submit
memory/1468-23-0x0000000000E30000-0x0000000000E37000-memory.dmp

Filesize
28KB

Download
memory/1468-24-0x0000000000E30000-0x0000000000E37000-memory.dmp

Filesize
28KB

Download
memory/3404-22-0x00000000028F0000-0x00000000029DC000-memory.dmp

Filesize
944KB

Download
memory/3404-29-0x0000000008B00000-0x0000000008C57000-memory.dmp

Filesize
1.3MB

Download
memory/3404-27-0x00000000028F0000-0x00000000029DC000-memory.dmp

Filesize
944KB

Download
memory/3952-21-0x0000000000D90000-0x0000000000DA4000-memory.dmp

Filesize
80KB

Download
memory/3952-14-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3952-18-0x0000000001090000-0x00000000013DA000-memory.dmp

Filesize
3.3MB

Download
memory/3952-20-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4340-10-0x00000000749F0000-0x0000000074FA1000-memory.dmp

Filesize
5.7MB

Download
memory/4340-17-0x00000000749F0000-0x0000000074FA1000-memory.dmp

Filesize
5.7MB

Download
memory/4340-11-0x00000000749F0000-0x0000000074FA1000-memory.dmp

Filesize
5.7MB

Download
memory/4340-8-0x00000000749F0000-0x0000000074FA1000-memory.dmp

Filesize
5.7MB

Download
memory/4492-0-0x00000000749F2000-0x00000000749F3000-memory.dmp

Filesize
4KB

Download
memory/4492-9-0x00000000749F0000-0x0000000074FA1000-memory.dmp

Filesize
5.7MB

Download
memory/4492-2-0x00000000749F0000-0x0000000074FA1000-memory.dmp

Filesize
5.7MB

Download
memory/4492-1-0x00000000749F0000-0x0000000074FA1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads