General

  • Target

    5b725efbc8903ac1ec1266cebe2b2c73_JaffaCakes118

  • Size

    1.4MB

  • Sample

    240519-zva5rahh2y

  • MD5

    5b725efbc8903ac1ec1266cebe2b2c73

  • SHA1

    d3c89752dc7d05493139350ff9dcd161ffc114c6

  • SHA256

    3a309abed3acf74bddc68f77af49dba71677d064b136bbd4d53d3e56dfc7b08c

  • SHA512

    491c25615050b345bb2335d9bd682574480a513437b134fb4dad6d4066ea5597d532440badfa66f375e325155d6f7975376b4df50db98aac63d616fa9251dad0

  • SSDEEP

    24576:c8AOeN2wWyBFAPspnRw2wZ+0OUkgeHi7YmJXFsoPvWZ:c8uN2wWqiww2DgeHE5Fso3W

Malware Config

Extracted

  • Family

    formbook

  • Version

    3.9

  • Campaign

    gx

  • Decoy

Targets

    • Formbook

      Formbook is a data-stealing malware family.

    • Formbook payload

    • Adds policy Run key to start application

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence

    T1547      Boot or Logon Autostart Execution (1)
    T1547.001  Registry Run Keys / Startup Folder (1)

  • Privilege Escalation

    T1547      Boot or Logon Autostart Execution (1)
    T1547.001  Registry Run Keys / Startup Folder (1)

  • Defense Evasion

    T1112      Modify Registry (2)

  • Credential Access

    T1552      Unsecured Credentials (1)
    T1552.001  Credentials In Files (1)

  • Discovery

    T1012      Query Registry (3)
    T1082      System Information Discovery (4)

  • Collection

    T1005      Data from Local System (1)

Tasks