General

  • Target

    3e99730c608288d9f8bd5b449f7b569d_JaffaCakes118

  • Size

    842KB

  • Sample

    240513-kh38faee8v

  • MD5

    3e99730c608288d9f8bd5b449f7b569d

  • SHA1

    e4f9448e0736ecef7d3d32e46b273a6e06298031

  • SHA256

    8ff83f63f6948a0c8cbdd22b968013bd24f4ef16a88077cf24753ddb0e3d71e7

  • SHA512

    18fa7afbdae95b683ae65df719eb7382441aec9f9c3eab52ab3419d86eb39b56bdc88861f4767a5fb5fe30720682c7fd604681daf02a92f18eb34af00be80184

  • SSDEEP

    12288:wn+WhWEyIu3Olcw4fqUGRCpWC9dGNdmTa+WtYthYxwNTqU2AZffUplcw4GZ:wnIRIllchfqUGRC39sNdmXDNeU2rlchK

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

ch56

Decoy

Targets

    • Formbook

      Formbook is a data-stealing (infostealer) malware family.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Formbook payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and form history.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks