General

  • Target

    0d6de95f5aa6aa1e55a702aa5345936d_JaffaCakes118

  • Size

    764KB

  • Sample

    240502-eklhhsad46

  • MD5

    0d6de95f5aa6aa1e55a702aa5345936d

  • SHA1

    29c307adedb54efce48415599d2be03ead371c96

  • SHA256

    0ddee6b5c155d6df5b4b1cc165c9ed467084d74a6312a0c724ab3ac2d56d45f7

  • SHA512

    813141146898ffe5ee13bb7f456c6ad45e841531447b255f84b826ddbbe044d5e78f4c095bb51aa7c53b90f0bc5b10e3fbf64dfad96d8aa867960b5df909b588

  • SSDEEP

    12288:cEPEvEHEqENE1EqEfE0EyEQT3F7R6WY0AAxAC+88juBxE:cEPEvEHEqENE1EqEfE0EyEA317hr+KE

Malware Config

Extracted

  • Family

    formbook

  • Version

    3.9

  • Campaign

    h9s

  • Decoy

    domidu.com
    twelvei.com
    palchecker.com
    onariart.com
    thescarfhut.com
    alimotorsandbikes.com
    brianneamira.com
    tabwindow.com
    babybabymom.com
    howtostartanllcbusiness.com
    cjaiou.com
    californiamentoring.com
    21millionbits.com
    metgranite.com
    ujphy.com
    8eves.com
    backstorysongs.com
    www835234.com
    szshijia.com
    alquimarket.com

Targets

    • Target

      Pop_slip_3251.exe

    • Size

      704KB

    • MD5

      55fe3086f122a24a99c6e04cbe4f4682

    • SHA1

      a8258960189d95615976a84f31120485bca5079d

    • SHA256

      19182153562a0d7e20eb77e0392a38910d6d3541c43802aa2f747d352d0d6d06

    • SHA512

      1bb2e5bfc13f4976f2799f99195ccb0f0a085f33c7144e915ec50e109ccb2964ab115af9f9ad7eeb9a40d0599e1136b76db785643d3eb12debd879db5fa6650d

    • SSDEEP

      12288:JEPEvEHEqENE1EqEfE0EyEQT3F7R6WY0AAxAC+88juBxE:JEPEvEHEqENE1EqEfE0EyEA317hr+KE

    • Formbook

      Formbook is a data-stealing (information-stealing) malware family.

    • Formbook payload

    • Adds policy Run key to start application

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive profile information.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks