formbook | 10e6fe685ba524be5fc4bd0b868e72fd113b9529f8e3428d6c7736aeffe1ee02

General

Target

14073747c219f890f793300d883dc11e_JaffaCakes118.exe
Size

1.9MB
MD5

14073747c219f890f793300d883dc11e
SHA1

3f856d534481a0e21fd5ad78b6e704f43bb95429
SHA256

10e6fe685ba524be5fc4bd0b868e72fd113b9529f8e3428d6c7736aeffe1ee02
SHA512

f713b319b94c45182131ea5b27f7d1423468b95ee5f5616ee27f1ff253a9a2aef6e9ed47fec1416018dfaa6f74cd03f34022d09c4c4f985e839eded6f4ff4c90
SSDEEP

24576:qy7Dbx6R8hJ4XF9zK9j+AM4SaDAVxXEEZ4UJKW1mYLFeCXDMDYOg7:lDxyF9Ca9Z4UJKW1mYLFeCXDMDYOg

Score

10^/10

formbook gbr rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gbr

Decoy

serabet.com

galanggroup.com

zweitmeinung-urologie.com

damsalon.com

binliwine.com

lifeladderindia.com

flyingwranchmanagement.com

tripsandturns.com

3headdesign.com

aluminumfacade.com

toprestau.com

facetreatspa.com

periodrescuekit.com

dbaojian.com

altinotokurtarma.com

gkpelle.com

loguslife.com

treatse.com

lghglzcnkx.net

jawharabh.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook payload 1 IoCs
rat

Processes:

resource yara_rule

behavioral1/memory/1464-13-0x0000000000400000-0x000000000042E000-memory.dmp formbook
Suspicious use of SetThreadContext 1 IoCs

Processes:

14073747c219f890f793300d883dc11e_JaffaCakes118.exe

description pid process target process

PID 2968 set thread context of 1464 2968 14073747c219f890f793300d883dc11e_JaffaCakes118.exe 14073747c219f890f793300d883dc11e_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

14073747c219f890f793300d883dc11e_JaffaCakes118.exe14073747c219f890f793300d883dc11e_JaffaCakes118.exe

pid process

2968 14073747c219f890f793300d883dc11e_JaffaCakes118.exe
2968 14073747c219f890f793300d883dc11e_JaffaCakes118.exe
1464 14073747c219f890f793300d883dc11e_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

14073747c219f890f793300d883dc11e_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 2968 14073747c219f890f793300d883dc11e_JaffaCakes118.exe

resource	yara_rule
behavioral1/memory/1464-13-0x0000000000400000-0x000000000042E000-memory.dmp	formbook

description	pid	process	target process
PID 2968 set thread context of 1464	2968	14073747c219f890f793300d883dc11e_JaffaCakes118.exe	14073747c219f890f793300d883dc11e_JaffaCakes118.exe

pid	process
2968	14073747c219f890f793300d883dc11e_JaffaCakes118.exe
2968	14073747c219f890f793300d883dc11e_JaffaCakes118.exe
1464	14073747c219f890f793300d883dc11e_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2968	14073747c219f890f793300d883dc11e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

14073747c219f890f793300d883dc11e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\14073747c219f890f793300d883dc11e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\14073747c219f890f793300d883dc11e_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2968

C:\Users\Admin\AppData\Local\Temp\14073747c219f890f793300d883dc11e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\14073747c219f890f793300d883dc11e_JaffaCakes118.exe"
2⤵
PID:2236

C:\Users\Admin\AppData\Local\Temp\14073747c219f890f793300d883dc11e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\14073747c219f890f793300d883dc11e_JaffaCakes118.exe"
2⤵
PID:1484

C:\Users\Admin\AppData\Local\Temp\14073747c219f890f793300d883dc11e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\14073747c219f890f793300d883dc11e_JaffaCakes118.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1464

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1464-7-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1464-15-0x0000000000950000-0x0000000000C53000-memory.dmp

Filesize
3.0MB

Download
memory/1464-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1464-13-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1464-9-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2968-3-0x00000000006E0000-0x00000000006EA000-memory.dmp

Filesize
40KB

Download
memory/2968-6-0x0000000004CA0000-0x0000000004CFC000-memory.dmp

Filesize
368KB

Download
memory/2968-5-0x0000000074230000-0x000000007491E000-memory.dmp

Filesize
6.9MB

Download
memory/2968-4-0x000000007423E000-0x000000007423F000-memory.dmp

Filesize
4KB

Download
memory/2968-0-0x000000007423E000-0x000000007423F000-memory.dmp

Filesize
4KB

Download
memory/2968-2-0x0000000074230000-0x000000007491E000-memory.dmp

Filesize
6.9MB

Download
memory/2968-14-0x0000000074230000-0x000000007491E000-memory.dmp

Filesize
6.9MB

Download
memory/2968-1-0x00000000001C0000-0x00000000003A6000-memory.dmp

Filesize
1.9MB

Download

description	pid	process	target process
PID 2968 wrote to memory of 2236	2968	14073747c219f890f793300d883dc11e_JaffaCakes118.exe	14073747c219f890f793300d883dc11e_JaffaCakes118.exe
PID 2968 wrote to memory of 2236	2968	14073747c219f890f793300d883dc11e_JaffaCakes118.exe	14073747c219f890f793300d883dc11e_JaffaCakes118.exe
PID 2968 wrote to memory of 2236	2968	14073747c219f890f793300d883dc11e_JaffaCakes118.exe	14073747c219f890f793300d883dc11e_JaffaCakes118.exe
PID 2968 wrote to memory of 2236	2968	14073747c219f890f793300d883dc11e_JaffaCakes118.exe	14073747c219f890f793300d883dc11e_JaffaCakes118.exe
PID 2968 wrote to memory of 1484	2968	14073747c219f890f793300d883dc11e_JaffaCakes118.exe	14073747c219f890f793300d883dc11e_JaffaCakes118.exe
PID 2968 wrote to memory of 1484	2968	14073747c219f890f793300d883dc11e_JaffaCakes118.exe	14073747c219f890f793300d883dc11e_JaffaCakes118.exe
PID 2968 wrote to memory of 1484	2968	14073747c219f890f793300d883dc11e_JaffaCakes118.exe	14073747c219f890f793300d883dc11e_JaffaCakes118.exe
PID 2968 wrote to memory of 1484	2968	14073747c219f890f793300d883dc11e_JaffaCakes118.exe	14073747c219f890f793300d883dc11e_JaffaCakes118.exe
PID 2968 wrote to memory of 1464	2968	14073747c219f890f793300d883dc11e_JaffaCakes118.exe	14073747c219f890f793300d883dc11e_JaffaCakes118.exe
PID 2968 wrote to memory of 1464	2968	14073747c219f890f793300d883dc11e_JaffaCakes118.exe	14073747c219f890f793300d883dc11e_JaffaCakes118.exe
PID 2968 wrote to memory of 1464	2968	14073747c219f890f793300d883dc11e_JaffaCakes118.exe	14073747c219f890f793300d883dc11e_JaffaCakes118.exe
PID 2968 wrote to memory of 1464	2968	14073747c219f890f793300d883dc11e_JaffaCakes118.exe	14073747c219f890f793300d883dc11e_JaffaCakes118.exe
PID 2968 wrote to memory of 1464	2968	14073747c219f890f793300d883dc11e_JaffaCakes118.exe	14073747c219f890f793300d883dc11e_JaffaCakes118.exe
PID 2968 wrote to memory of 1464	2968	14073747c219f890f793300d883dc11e_JaffaCakes118.exe	14073747c219f890f793300d883dc11e_JaffaCakes118.exe
PID 2968 wrote to memory of 1464	2968	14073747c219f890f793300d883dc11e_JaffaCakes118.exe	14073747c219f890f793300d883dc11e_JaffaCakes118.exe

Analysis

Sharing