General

  • Target

    7d5de0b0b7023f599a2f85449b7ae61d_JaffaCakes118

  • Size

    513KB

  • Sample

    240401-3j8hnaab8t

  • MD5

    7d5de0b0b7023f599a2f85449b7ae61d

  • SHA1

    e5a3d7da738385f8574665624ff49e280dd99cee

  • SHA256

    59689db6df4c60d3c69edc9d19d5af95827dbabc49d9d339ddffb22bbb03ef69

  • SHA512

    5eafb424473da42b46963367d58eda072011a6ad094c640de962629874a90e328ae2cde3670ab808c376e3cf40e4329cec4a9dd8d7fbc1494150a247b31f7eec

  • SSDEEP

    12288:x0Tj3ljGdg32U7bBZHZ1c9KBwCw8UNjRHj9VbpX:x0Hlag32+dJZ1cCwCw8q1l

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

rigx

Decoy

Targets

    • Target

      7d5de0b0b7023f599a2f85449b7ae61d_JaffaCakes118

    • Formbook

      Formbook is an information-stealing malware family that harvests credentials and other data from the infected host.

    • Formbook payload

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15