formbook | bf84393caee9b769b516681ec8998afe26c22255c405ea9a027608ccf38ea36b

General

Target

13b21115bd414b3cff0365351398e92a_JaffaCakes118.exe
Size

823KB
MD5

13b21115bd414b3cff0365351398e92a
SHA1

8a017b7cfc0128c584b64cf8b531e9387a211858
SHA256

bf84393caee9b769b516681ec8998afe26c22255c405ea9a027608ccf38ea36b
SHA512

30681b65911dffd7091ef72e08f0e54197b4f153f89f77590e0d7f714b59066fb95e8861616f44cbcf01b15b148a69bf6dcb02207f73daf2a1ed0067fac0d309
SSDEEP

12288:oLXHsXw4voVatmZZgVm2WCDSZcWl76imBp4EmJi:QXHGTvcA4ZSm2ZymT4EmJi

Score

10^/10

formbook pep agilenet rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

pep

Decoy

whitelabelgraphics.pro

futureguidefilms.com

mission-duplex.com

rutherealty.com

acehardwaremall.com

potenb.com

tbhawt.com

momentum-ip.group

m8sr8s.com

cfwagner.com

umiyama-eri.com

klantenvinden.com

simplycasd.com

visionhomerecruiting.com

inkjet-material.com

banking-aib.com

fast1performance.com

eventsbyja.com

breuer.network

smartecelectronics.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook payload 1 IoCs
rat

Processes:

resource yara_rule

behavioral2/memory/860-21-0x0000000000530000-0x000000000055E000-memory.dmp formbook
Executes dropped EXE 1 IoCs

Processes:

AddInProcess32.exe

pid process

860 AddInProcess32.exe
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
agilenet

Processes:

resource yara_rule

behavioral2/memory/2632-7-0x00000000072A0000-0x00000000072C8000-memory.dmp agile_net
Suspicious use of SetThreadContext 1 IoCs

Processes:

13b21115bd414b3cff0365351398e92a_JaffaCakes118.exe

description pid process target process

PID 2632 set thread context of 860 2632 13b21115bd414b3cff0365351398e92a_JaffaCakes118.exe AddInProcess32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2896 860 WerFault.exe AddInProcess32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

13b21115bd414b3cff0365351398e92a_JaffaCakes118.exe

pid process

2632 13b21115bd414b3cff0365351398e92a_JaffaCakes118.exe
2632 13b21115bd414b3cff0365351398e92a_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

13b21115bd414b3cff0365351398e92a_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 2632 13b21115bd414b3cff0365351398e92a_JaffaCakes118.exe

resource	yara_rule
behavioral2/memory/860-21-0x0000000000530000-0x000000000055E000-memory.dmp	formbook

pid	process
860	AddInProcess32.exe

resource	yara_rule
behavioral2/memory/2632-7-0x00000000072A0000-0x00000000072C8000-memory.dmp	agile_net

description	pid	process	target process
PID 2632 set thread context of 860	2632	13b21115bd414b3cff0365351398e92a_JaffaCakes118.exe	AddInProcess32.exe

pid	pid_target	process	target process
2896	860	WerFault.exe	AddInProcess32.exe

pid	process
2632	13b21115bd414b3cff0365351398e92a_JaffaCakes118.exe
2632	13b21115bd414b3cff0365351398e92a_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2632	13b21115bd414b3cff0365351398e92a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

13b21115bd414b3cff0365351398e92a_JaffaCakes118.exe

description	pid	process	target process
PID 2632 wrote to memory of 860	2632	13b21115bd414b3cff0365351398e92a_JaffaCakes118.exe	AddInProcess32.exe
PID 2632 wrote to memory of 860	2632	13b21115bd414b3cff0365351398e92a_JaffaCakes118.exe	AddInProcess32.exe
PID 2632 wrote to memory of 860	2632	13b21115bd414b3cff0365351398e92a_JaffaCakes118.exe	AddInProcess32.exe
PID 2632 wrote to memory of 860	2632	13b21115bd414b3cff0365351398e92a_JaffaCakes118.exe	AddInProcess32.exe
PID 2632 wrote to memory of 860	2632	13b21115bd414b3cff0365351398e92a_JaffaCakes118.exe	AddInProcess32.exe
PID 2632 wrote to memory of 860	2632	13b21115bd414b3cff0365351398e92a_JaffaCakes118.exe	AddInProcess32.exe

C:\Users\Admin\AppData\Local\Temp\13b21115bd414b3cff0365351398e92a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\13b21115bd414b3cff0365351398e92a_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2632

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
"C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
2⤵
- Executes dropped EXE
PID:860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 184
3⤵
- Program crash
PID:2896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 860 -ip 860
1⤵
PID:4328

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
Filesize
42KB

MD5
9827ff3cdf4b83f9c86354606736ca9c

SHA1
e73d73f42bb2a310f03eb1bcbb22be2b8eb7c723

SHA256
c1cf3dc8fa1c7fc00f88e07ad539979b3706ca8d69223cffd1d58bc8f521f63a

SHA512
8261828d55f3b5134c0aeb98311c04e20c5395d4347251746f3be0fb854f36cc7e118713cd00c9867537e6e47d5e71f2b2384fc00c67f0ae1b285b8310321579

Download Submit
memory/860-21-0x0000000000530000-0x000000000055E000-memory.dmp

Filesize
184KB

Download
memory/2632-8-0x00000000075F0000-0x0000000007656000-memory.dmp

Filesize
408KB

Download
memory/2632-11-0x00000000749DE000-0x00000000749DF000-memory.dmp

Filesize
4KB

Download
memory/2632-4-0x0000000005A40000-0x0000000005D94000-memory.dmp

Filesize
3.3MB

Download
memory/2632-5-0x0000000005EB0000-0x0000000005F4C000-memory.dmp

Filesize
624KB

Download
memory/2632-6-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/2632-7-0x00000000072A0000-0x00000000072C8000-memory.dmp

Filesize
160KB

Download
memory/2632-0-0x00000000749DE000-0x00000000749DF000-memory.dmp

Filesize
4KB

Download
memory/2632-9-0x00000000075B0000-0x00000000075D2000-memory.dmp

Filesize
136KB

Download
memory/2632-10-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/2632-3-0x0000000005960000-0x00000000059F2000-memory.dmp

Filesize
584KB

Download
memory/2632-12-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/2632-13-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/2632-15-0x00000000079B0000-0x00000000079C4000-memory.dmp

Filesize
80KB

Download
memory/2632-16-0x0000000007150000-0x0000000007156000-memory.dmp

Filesize
24KB

Download
memory/2632-2-0x0000000005FF0000-0x0000000006594000-memory.dmp

Filesize
5.6MB

Download
memory/2632-1-0x0000000000EE0000-0x0000000000FB4000-memory.dmp

Filesize
848KB

Download
memory/2632-23-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing