General

  • Target

    7f44706f1c5ed5d723262bfa03b5500e_JaffaCakes118

  • Size

    724KB

  • Sample

    240402-begqlace97

  • MD5

    7f44706f1c5ed5d723262bfa03b5500e

  • SHA1

    2c8b87e78b625e5436a559e92ffffaf4d7d5f3f9

  • SHA256

    7903434967ec18733812c4bdd4acdff871bfff5ce40528442272cf230822dd10

  • SHA512

    ec067ee7a95adbb872fe5f38ada816db747e910401a3fba609c30f394a01262fb34e70e9f8af4be5fb7e6e728bcef327d968f24d2653baca6a067c5101e4d5d8

  • SSDEEP

    6144:Jo3K9Dnnyx65H+MfjJN5M/lqLuyRkXBymUQOuRH6vDdpQ2T7BxzaJK+Go6Uq2:JocqGJaJ7BzUQOuR0RpQKExGZU

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

hs3h

Decoy

slairt.com

teresasellsflorida.com

resouthcarolina.com

npccfbf.com

hutshed.com

westatesmarking.com

rustmonkeys.com

kagawa-rentacar.com

easyvoip-system.com

admorinsulation.com

ericaleighjensen.com

zhonghaojiaju.net

apple-iphone.xyz

b0t.info

torgetmc.xyz

lawrencemargarse.com

6123655.com

macdonalds-delivery.com

cvpfl.com

ayudaparaturent.com

Targets

    • Target

      7f44706f1c5ed5d723262bfa03b5500e_JaffaCakes118

    • Size

      724KB

    • MD5

      7f44706f1c5ed5d723262bfa03b5500e

    • SHA1

      2c8b87e78b625e5436a559e92ffffaf4d7d5f3f9

    • SHA256

      7903434967ec18733812c4bdd4acdff871bfff5ce40528442272cf230822dd10

    • SHA512

      ec067ee7a95adbb872fe5f38ada816db747e910401a3fba609c30f394a01262fb34e70e9f8af4be5fb7e6e728bcef327d968f24d2653baca6a067c5101e4d5d8

    • SSDEEP

      6144:Jo3K9Dnnyx65H+MfjJN5M/lqLuyRkXBymUQOuRH6vDdpQ2T7BxzaJK+Go6Uq2:JocqGJaJ7BzUQOuR0RpQKExGZU

    • Formbook

      Formbook is an information-stealing malware family: it harvests credentials from browsers and e-mail clients, logs keystrokes and captures clipboard and form data from the infected host.

    • Formbook payload

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMware Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

      Rewriting another thread's context is typical of process hollowing and similar code-injection techniques.
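
The registry-based checks flagged above (VirtualBox Guest Additions key, VMware Tools key, BIOS strings, country code, enumerated drives) can be reproduced against constructed registry snapshots so a sandbox operator can see which artefacts trip them. The script below is an added illustration written for this page, not code recovered from the sample: the registry key paths are the real Windows locations, but the snapshot contents, the marker-substring list, the `geofenced_nations` set and the "abort if any check fires" decision rule are assumptions made for the example.

```python
"""Emulate the registry-based anti-analysis checks listed in the sandbox
signatures against in-memory registry snapshots (runs on any OS).

Added example for this report, not code from the sample. Key paths are real
Windows registry locations; snapshot data and decision rule are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Real registry locations consulted by the checks. Lookups go to a dict of
# key path -> {value name: data} instead of the live registry.
VBOX_GUEST_ADDITIONS = r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"
VMWARE_TOOLS = r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools"
BIOS_KEY = r"HKLM\HARDWARE\DESCRIPTION\System\BIOS"
GEO_KEY = r"HKCU\Control Panel\International\Geo"
DISK_ENUM_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum"

# Substrings hypervisors commonly leave in BIOS and disk strings (assumed list).
VM_MARKERS = ("vmware", "virtualbox", "vbox", "innotek", "qemu", "xen", "kvm", "virtual")

Registry = Dict[str, Dict[str, str]]


def key_exists(reg: Registry, path: str) -> bool:
    return path in reg


def values_of(reg: Registry, path: str) -> List[str]:
    return list(reg.get(path, {}).values())


def has_vm_marker(strings: List[str]) -> bool:
    return any(m in s.lower() for s in strings for m in VM_MARKERS)


# One function per signature; True means the check "fires".
def check_vbox_guest_additions(reg: Registry) -> bool:
    return key_exists(reg, VBOX_GUEST_ADDITIONS)


def check_vmware_tools(reg: Registry) -> bool:
    return key_exists(reg, VMWARE_TOOLS)


def check_bios(reg: Registry) -> bool:
    return has_vm_marker(values_of(reg, BIOS_KEY))


def check_drives(reg: Registry) -> bool:
    return has_vm_marker(values_of(reg, DISK_ENUM_KEY))


def geo_nation(reg: Registry) -> Optional[int]:
    """GEOID of the configured country (244 = United States, 203 = Russia)."""
    raw = reg.get(GEO_KEY, {}).get("Nation")
    return int(raw) if raw is not None and raw.isdigit() else None


@dataclass
class Verdict:
    fired: List[str] = field(default_factory=list)
    nation: Optional[int] = None
    geo_blocked: bool = False

    @property
    def run_payload(self) -> bool:
        # Assumed rule: proceed only when no VM check fired and the host is
        # outside the (hypothetical) geofenced set.
        return not self.fired and not self.geo_blocked


VM_CHECKS = {
    "vbox_guest_additions": check_vbox_guest_additions,
    "vmware_tools": check_vmware_tools,
    "bios_vendor": check_bios,
    "drive_enum": check_drives,
}


def evaluate(reg: Registry, geofenced_nations=frozenset()) -> Verdict:
    """Run every check against a snapshot and return which ones fired."""
    v = Verdict(nation=geo_nation(reg))
    v.fired = [name for name, fn in VM_CHECKS.items() if fn(reg)]
    v.geo_blocked = v.nation in geofenced_nations
    return v


# Constructed snapshots (not captured from a real host).
SANDBOX_VM: Registry = {
    VBOX_GUEST_ADDITIONS: {"Version": "7.0.14"},
    BIOS_KEY: {"SystemManufacturer": "innotek GmbH", "SystemProductName": "VirtualBox"},
    DISK_ENUM_KEY: {"0": r"IDE\DiskVBOX_HARDDISK___1.0_____\5&1a2b3c4d&0&0.0.0", "Count": "1"},
    GEO_KEY: {"Nation": "244"},
}
BARE_METAL: Registry = {
    BIOS_KEY: {"SystemManufacturer": "Dell Inc.", "SystemProductName": "Latitude 7420"},
    DISK_ENUM_KEY: {"0": r"SCSI\Disk&Ven_NVMe&Prod_PC611_NVMe_SK_hynix\4&2c5a3f1b&0&000000", "Count": "1"},
    GEO_KEY: {"Nation": "244"},
}

if __name__ == "__main__":
    for label, snap in (("sandbox VM", SANDBOX_VM), ("bare metal", BARE_METAL)):
        v = evaluate(snap, geofenced_nations={203})
        print(f"{label}: fired={v.fired} nation={v.nation} run_payload={v.run_payload}")
```

Running it shows the VirtualBox snapshot tripping three of the four VM checks while the bare-metal snapshot passes; swapping the `geofenced_nations` set to include 244 shows how the country-code lookup alone can stop execution on an otherwise clean host. To harden a sandbox against these particular checks, remove or rename the Guest Additions / VMware Tools keys, overwrite the BIOS and Disk\Enum strings with vendor-like values, and set Geo\Nation to a country the campaign targets.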

MITRE ATT&CK Enterprise v15

Tasks