General

  • Target

    c8199355d0ca0fe289ea4d1ee018ff47_JaffaCakes118

  • Size

    1.0MB

  • Sample

    240405-cqx3dsac65

  • MD5

    c8199355d0ca0fe289ea4d1ee018ff47

  • SHA1

    ac0428f426c0bda431bd80f6abab183ccd484d07

  • SHA256

    127262efb50609596b0597f1f357d75ff1dca0a0519fd8805d4fac1b288abae7

  • SHA512

    0f1f70ef0bbfa75b53a57549ef170d493b2706bbb8c41c2288fb831ace0dce902e6b9fa97834baf4b0adaa995df3767318055ad43b5bd366bbe257678f1da395

  • SSDEEP

    12288:jSMa7/gxmfOwwi0O2iNNHeIwbZhqQGo7w7xamI3XdqKbE0xsoI76JswNaSctMX:bA/08EO17eIKZh7UdvI3tBbG76J4M

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

k9d0

Decoy

flourishpodcast.xyz

xn--nga.group

music-tomato.com

motory.store

arrivehike.info

xn--diseowebseo-4db.com

centpourcentsons.com

qnnjja005.xyz

annielynnrose.com

darlaevans.com

door-maximum.com

chinataibaifen.com

stickerhicks.com

ta2gamesstudio.com

jendelanews.com

milestoneneuro.com

premierconciergehomes.com

exitcounter.com

jrsway.com

famurainmobiliaria.com

Targets

    • Target

      c8199355d0ca0fe289ea4d1ee018ff47_JaffaCakes118

    • Size

      1.0MB

    • MD5

      c8199355d0ca0fe289ea4d1ee018ff47

    • SHA1

      ac0428f426c0bda431bd80f6abab183ccd484d07

    • SHA256

      127262efb50609596b0597f1f357d75ff1dca0a0519fd8805d4fac1b288abae7

    • SHA512

      0f1f70ef0bbfa75b53a57549ef170d493b2706bbb8c41c2288fb831ace0dce902e6b9fa97834baf4b0adaa995df3767318055ad43b5bd366bbe257678f1da395

    • SSDEEP

      12288:jSMa7/gxmfOwwi0O2iNNHeIwbZhqQGo7w7xamI3XdqKbE0xsoI76JswNaSctMX:bA/08EO17eIKZh7UdvI3tBbG76J4M

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

    • Modifies WinLogon for persistence

    • Formbook payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks