General

  • Target

    18882465f8b6e72a46669d4aa2e78cb1_JaffaCakes118

  • Size

    424KB

  • Sample

    240505-vbypgsad87

  • MD5

    18882465f8b6e72a46669d4aa2e78cb1

  • SHA1

    b05a070b6c3fec5330d1413594a4b17b19099a02

  • SHA256

    6e521645df736e76b57cdf6996cee4a5148e649cee75be8f36ccfb008f047fa6

  • SHA512

    388e34cfc7a43a062e0c389611036b7953a99d4def7699852d875c2fcdc7c6a79205d85fa128aae9d48d9c37888d60611390640086a7e7a3e4b0e38173964e44

  • SSDEEP

    6144:6N9JYSDAzaiTCXkJNlMgpV5Nj3QmlsPt5GM/x1lPWojLWYM+6LpfeR14Kn3r/u/t:67RAzTukj/Nj5OlzW3ppWbhn3TcWId

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

h308

Decoy

sewrelax.com

southbaycurling.rocks

hongju101.com

nikkismithonline.com

bluprl.net

slursthisshark.com

smootord.com

buyoregonhemp.com

stepstolight.com

mchausverwalter.com

cofidis.cloud

queenartjewellery.com

samoedrasalvageengineers.com

skull.ltd

leapmotors.net

gayo.ltd

philborremans.com

yeezywaverunner700.com

febriananas.com

railor-music.com

Targets

    • Target

      18882465f8b6e72a46669d4aa2e78cb1_JaffaCakes118

    • Size

      424KB

    • MD5

      18882465f8b6e72a46669d4aa2e78cb1

    • SHA1

      b05a070b6c3fec5330d1413594a4b17b19099a02

    • SHA256

      6e521645df736e76b57cdf6996cee4a5148e649cee75be8f36ccfb008f047fa6

    • SHA512

      388e34cfc7a43a062e0c389611036b7953a99d4def7699852d875c2fcdc7c6a79205d85fa128aae9d48d9c37888d60611390640086a7e7a3e4b0e38173964e44

    • SSDEEP

      6144:6N9JYSDAzaiTCXkJNlMgpV5Nj3QmlsPt5GM/x1lPWojLWYM+6LpfeR14Kn3r/u/t:67RAzTukj/Nj5OlzW3ppWbhn3TcWId

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

    • Formbook payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks