General

  • Target

    3fc97d557484f9162c419cb60d3d6521_JaffaCakes118

  • Size

    588KB

  • Sample

    240513-q6pb3sac25

  • MD5

    3fc97d557484f9162c419cb60d3d6521

  • SHA1

    21081bc2b1c16f79fc7bf4195de6c6e7d44f3bfa

  • SHA256

    a07596c46040eea65335b4661db4d78f0051ece4943e09ef88987f76385c02ae

  • SHA512

    58a2760d7c73e133df2d35028fb4e09981b62a5deeafe0a5e1143ba31fb58d77dd7386dd5b52d44f2c8b7fa7151086f234d404ed06b9a61aefe04834bd8c67ac

  • SSDEEP

    12288:suHi2Ef+SYLqky0NFYbMxDpk16N+tYi9CRscY:nHi2Ef3YLqEFAWc6NkX

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

ch43

Decoy

Targets

    • Target

      3fc97d557484f9162c419cb60d3d6521_JaffaCakes118

    • Formbook

      Formbook is a data-stealing (information stealer) malware family.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Formbook payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15