General

  • Target

    8468dbf51cc7e194f0b09e53445e866e_JaffaCakes118

  • Size

    628KB

  • Sample

    240402-fq11tshh73

  • MD5

    8468dbf51cc7e194f0b09e53445e866e

  • SHA1

    c170e0b8ff48a69cd4d3b9b7e139321ab9727c22

  • SHA256

    e3e10b5aa08565bae384a6e5471e2932ded7e82a2588d287eb23ea80d86d06fe

  • SHA512

    1e45a4ede70de2b7fdfa9382670e3225d4bb957d578fd63b347f9d584972911205fcfa9265bbd486f02fa5bfa9080991ae27770e0efee72adcfa76bbcecfa3bc

  • SSDEEP

    12288:D1Mdxg2ZVGd6SBbrVQMblWlkSUgMla4u9yXntHvRSBhA:D1Mda27o6q+IYlV6kBh

Malware Config

Extracted

  • Family

    formbook

  • Version

    4.1

  • Campaign

    nhk9

  • Decoy

    livinginroanokeva.com
    entpiregaming.com
    solutionsolvegh.com
    glasgowcmr.com
    gutesbenehmen.com
    gracecitychurchmadison.com
    linkalto.com
    waahingtontimes.com
    hxcked.com
    buyung.xyz
    asesormarketing.digital
    bolodl.com
    blushnbella.com
    overhalldiesel.com
    loveyorkshirecoast.com
    puffpornandpizza.com
    virgilisticlifestyleinc.com
    clingnseal.com
    artisantop.com
    webinarsusa.com

Targets

    • Formbook

      Formbook is an information-stealing malware family.

    • Formbook payload

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks