General

  • Target

    2b6f1f94d3ffe7aa888dde66bb9de6d6_JaffaCakes118

  • Size

    425KB

  • Sample

    240509-xpzvtada78

  • MD5

    2b6f1f94d3ffe7aa888dde66bb9de6d6

  • SHA1

    619ca87f3fcc9c72f43e22e0a9ff6b4859ae13b5

  • SHA256

    08dbeeafc24caff893a3e60e59401e04cbb5408dc86177caf8be9d4c94a93965

  • SHA512

    a6c7edb6bc90278c461ff31cc26cbeb775f0b5549edb89339e2baa94ab9ef6eba456c28f2d272d4e0b5b4b51372883180b85f52ef5c16ea57061835846573436

  • SSDEEP

    12288:rgnS1IweViPLQjDUEnGHTi+QwXmJ/XRL7dJcjg:Ly+LaATcgU/3Jp

Malware Config

Extracted

  • Family

    formbook

  • Version

    3.9

  • Campaign

    h332

  • Decoy

Targets

    • Target

      PO181219.exe

    • Size

      466KB

    • MD5

      9f1c4ea29a9490e84c85ee622ebbee83

    • SHA1

      03eb6bec9ca71f61726134e031ef1c96609c6fbf

    • SHA256

      4cf3f2e4957d449f51f1a5dd6b20765aa7a1fe89231f1ea3748cd0c0e90d74c4

    • SHA512

      2eccd244877aae74692294905fa6d11e7b1d67d03c44147f59dddf1b6d6ffe849529bf1e0ccd1b142d5767c281e229053d6d5d513bcc3c0ec9b428a735ed5f97

    • SSDEEP

      12288:jGNJ561IweViPtQjDMEnSHTigQWX+T/XRfoxwo4P:jGGy+t8kTEOY/4wo4

    • Formbook

      Formbook is a data-stealing malware family (an information stealer).

    • Formbook payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks