General

  • Target

    268afc68ac43d35ebd367d49433f0e37_JaffaCakes118

  • Size

    616KB

  • Sample

    240508-y1p1esdd8z

  • MD5

    268afc68ac43d35ebd367d49433f0e37

  • SHA1

    fdb5f6dd1e6194e439ab2380ed2cb49c0184a34a

  • SHA256

    5eec2983e5ade0317c7380df23c6e70e4cdae38bfd39c27668b982b787b1c40c

  • SHA512

    6b732ed56e428500deb390b0f6317c70f925a24ec572b9b076f78080dfdb19789cc987356b569aae2d472780e604fd55d0efca071e26f0d3dfea0a5e2383b65f

  • SSDEEP

    6144:7mGJqJqBQv2LZA52ewOm/UroZnsEZ5wqvWcQCnB5aMkY+LqEemje3Gs73KeJK:7mOaGLtec/KoJL7xBBOimje2sDKeJK

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

to

Decoy

Extracted

Family

pony

C2

http://tolain.ru/tola/gate.php

Attributes
  • payload_url

    http://myp0nysite.ru/shit.exe

Targets

    • Formbook

      Formbook is data-stealing malware.

    • Pony, Fareit

      Pony is a Remote Access Trojan that steals information.

    • Formbook payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks