General

  • Target

    3452a6d55f5221137efc039bff911086_JaffaCakes118

  • Size

    353KB

  • Sample

    240511-nec4magg54

  • MD5

    3452a6d55f5221137efc039bff911086

  • SHA1

    7b44672a8cf24fe216be0e19919109150f6ea830

  • SHA256

    0c5268e859ea956ae8fdf1219bd6b4bdf1f3f9cdb7c43e4b10932105d8261861

  • SHA512

    0802ad809803636a105932d0ff14e666386752e3b01234b132d6729dfa29802934aea7bf17358a6e3d16a719a8770bb81e565aa5752a45a845ee7ca49e5ac8e6

  • SSDEEP

    6144:HXcPkrvcpKCvAcd2fo0dNvhy4ziMOF3ahfVLGWHcuhSBHO+kg1vo82WykBspGa3q:HXcMbcrioCVhTzhOwXLGjuUBHO+kgvoK

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

cx0

Decoy

Targets

    • Target

      purchase list 02.exe

    • Size

      446KB

    • MD5

      e04c803a304194fe916ca43591eb5fca

    • SHA1

      e2d0096b5c6118ce2b66a794276e01603b7e7771

    • SHA256

      0a7875bdd0200e759a7fc1ce09a8f31fdf5950868804629cc2c18fae9c501fe9

    • SHA512

      619997a3fe588231281e1b8d574cb1c12f090aae728cc11315b73a7a47b44e283bc704f1d6d0877410b3c3e19951edad61b0c402c807c8dc66211c2d319ca426

    • SSDEEP

      12288:mBcHkocFh3zhOKdLWnuYBH2+koto0BnCXmuUb:LdUVhOKdSrBW+kon3

    • Formbook

      Formbook is a data-stealing malware family.

    • Modifies Windows Defender Real-time Protection settings

    • Formbook payload

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Windows security modification

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks