General

  • Target

    d53e454c17cc05a904a02b2a7eb5bbf7_JaffaCakes118

  • Size

    1.1MB

  • Sample

    241208-e4tm8sspfy

  • MD5

    d53e454c17cc05a904a02b2a7eb5bbf7

  • SHA1

    31f87dcf550cfcb5eb5c73ad41b8283814601f3d

  • SHA256

    1f8c4b0bdfb68f353324fff65e4c97104d65d1f7f1bdf2202781c0a6a9dd3137

  • SHA512

    8027da02c697fba0982ada7974820a15a6f799c3a7c7ba1e9043ede6245d0fdff5ff05485d07aafa3fd5328bc8f42b3af5cf0291144dc3587a6f64d2bd34f3c8

  • SSDEEP

    12288:uA+DvEEZK/ISbmudUQxVseqBaHoQHyB1n0j9NOsKYNuzL0JWMA6mOKItpKsi5R:gYEZ+IS1t7s1QSn0jfPNuyjA6mV

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

iesm

Decoy

terracounselling.com

gmartindiastores.com

themekinhdoanh.com

chemluan.com

volvordposts.com

poyef.com

flyraven.com

tulord.com

landoflostarchitects.com

jdemong.com

tiendadecabello.online

adjimmobiliere.com

ssga-sia.com

senegalo-britanique.com

simplyhealthcareplsns.com

danishbay.com

melanieandisrael.com

idgrafo.com

forex160.com

ekohectaresandvilla.com
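
The decoy list above is the part of a FormBook config a defender can act on: the bot beacons to several of these domains in quick succession with the real C2 hidden among them, and most entries may be perfectly legitimate sites. The script below is an added example, not part of this report or of FormBook, that copies the twenty decoys verbatim and runs constructed DNS resolver log lines (the timestamps, client IPs and queries are invented for the example) against them, counting how many distinct listed domains each client touched. Matching is label-aware, so a look-alike such as notpoyef.com does not count as a hit on poyef.com.

```python
import re
from collections import defaultdict

# Decoy domains exactly as listed in the extracted config above
# (family formbook, version 4.1, campaign iesm). Nothing added.
DECOY_DOMAINS = [
    "terracounselling.com", "gmartindiastores.com", "themekinhdoanh.com",
    "chemluan.com", "volvordposts.com", "poyef.com", "flyraven.com",
    "tulord.com", "landoflostarchitects.com", "jdemong.com",
    "tiendadecabello.online", "adjimmobiliere.com", "ssga-sia.com",
    "senegalo-britanique.com", "simplyhealthcareplsns.com", "danishbay.com",
    "melanieandisrael.com", "idgrafo.com", "forex160.com",
    "ekohectaresandvilla.com",
]

# Constructed resolver log for the example (not from the report):
# "<timestamp> <client> query <qname>"
SAMPLE_DNS_LOG = """\
2024-12-08T10:01:02Z 10.0.0.15 query www.poyef.com.
2024-12-08T10:01:03Z 10.0.0.15 query flyraven.com
2024-12-08T10:01:05Z 10.0.0.15 query TULORD.COM
2024-12-08T10:01:07Z 10.0.0.15 query update.microsoft.com
2024-12-08T10:02:30Z 10.0.0.22 query danishbay.com
2024-12-08T10:02:31Z 10.0.0.22 query notpoyef.com
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)$")


def normalize_host(qname):
    """Lower-case, drop the trailing dot of an FQDN and any ':port' suffix."""
    host = qname.strip().lower().rstrip(".")
    return host.split(":", 1)[0]


def match_decoy(host, decoys=DECOY_DOMAINS):
    """Return the listed domain that `host` equals or is a subdomain of, else None.
    The suffix test is label-aware: 'notpoyef.com' is not under 'poyef.com'."""
    host = normalize_host(host)
    for d in decoys:
        if host == d or host.endswith("." + d):
            return d
    return None


def scan_dns_log(text, decoys=DECOY_DOMAINS):
    """Return (ts, client, qname, matched_domain) for every query that hits the list."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = match_decoy(m["qname"], decoys)
        if d:
            hits.append((m["ts"], m["client"], m["qname"], d))
    return hits


def clients_by_distinct_decoys(hits):
    """Count distinct listed domains per client. FormBook contacts several of its
    config domains in a short window, so a client touching many of them is a far
    stronger lead than one lookup, which may be ordinary browsing to a site that
    merely appears on a decoy list."""
    seen = defaultdict(set)
    for _, client, _, decoy in hits:
        seen[client].add(decoy)
    return {c: len(s) for c, s in seen.items()}


if __name__ == "__main__":
    hits = scan_dns_log(SAMPLE_DNS_LOG)
    for h in hits:
        print("%s %s -> %s (matches %s)" % h)
    ranked = sorted(clients_by_distinct_decoys(hits).items(), key=lambda kv: -kv[1])
    for client, n in ranked:
        print(f"{client}: {n} distinct config domains")
```

Treat a match as a lead, not a verdict: pivot to the client's process telemetry and compare against the host behaviours listed under Targets before blocking anything, and expect the real C2 domain for this campaign to be only one of the twenty.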

Targets

    • Target

      d53e454c17cc05a904a02b2a7eb5bbf7_JaffaCakes118

    • Size

      1.1MB

    • MD5

      d53e454c17cc05a904a02b2a7eb5bbf7

    • SHA1

      31f87dcf550cfcb5eb5c73ad41b8283814601f3d

    • SHA256

      1f8c4b0bdfb68f353324fff65e4c97104d65d1f7f1bdf2202781c0a6a9dd3137

    • SHA512

      8027da02c697fba0982ada7974820a15a6f799c3a7c7ba1e9043ede6245d0fdff5ff05485d07aafa3fd5328bc8f42b3af5cf0291144dc3587a6f64d2bd34f3c8

    • SSDEEP

      12288:uA+DvEEZK/ISbmudUQxVseqBaHoQHyB1n0j9NOsKYNuzL0JWMA6mOKItpKsi5R:gYEZ+IS1t7s1QSn0jfPNuyjA6mV

    • Formbook

      Formbook is an information stealer: it logs keystrokes, grabs form submissions and clipboard contents, harvests saved credentials from browsers and mail clients, takes screenshots, and can download and run further payloads on command. It runs injected into a legitimate process, and the Decoy list in the extracted config is its cover traffic, with the real C2 hidden among those domains.

    • Formbook family

    • Formbook payload

    • Looks for VirtualBox Guest Additions in registry

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes so that its own files and processes are not scanned.

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

      Rewriting another thread's context is the usual way to redirect execution into a suspended process whose memory has been replaced (process hollowing), a process-injection technique FormBook relies on.
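
The signatures above are each individually weak: installers and inventory agents read the same BIOS and disk keys, and an administrator may legitimately add a Defender exclusion from PowerShell. What makes them useful is their co-occurrence in one process. The script below is an added example, not part of this report or of any sandbox's own signature code, that reproduces the listed checks as rules over constructed host telemetry (process creations with command lines, and registry paths a process queried). The registry locations used for each check are the well-known places such checks read and are assumptions for the example, not values taken from the report; the events and PIDs are invented.

```python
import re

# Constructed telemetry for the example (not from the report). "proc" events carry
# an image path and command line; "reg" events carry a registry path the process
# queried. Registry paths are the usual locations for these checks (assumed).
EVENTS = [
    {"kind": "proc", "pid": 1234,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": ('powershell.exe -nop -w hidden -c "Add-MpPreference '
                 '-ExclusionPath C:\\Users\\Public -ExclusionExtension exe '
                 '-ExclusionProcess svchost.exe"')},
    {"kind": "reg", "pid": 1234, "path": r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"},
    {"kind": "reg", "pid": 1234, "path": r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools"},
    {"kind": "reg", "pid": 1234, "path": r"HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer"},
    {"kind": "reg", "pid": 1234, "path": r"HKCU\Control Panel\International\Geo\Nation"},
    {"kind": "reg", "pid": 1234, "path": r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum"},
    # An unrelated process doing ordinary things: must not fire anything.
    {"kind": "proc", "pid": 4321, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir"},
    {"kind": "reg", "pid": 4321, "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
]

# Registry rules named after the report's signatures.
REG_RULES = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in [
    ("Looks for VirtualBox Guest Additions in registry", r"\\Oracle\\VirtualBox Guest Additions"),
    ("Looks for VMWare Tools registry key",               r"\\VMware, Inc\.\\VMware Tools"),
    ("Checks BIOS information in registry",               r"\\HARDWARE\\DESCRIPTION\\System\\BIOS"),
    ("Checks computer location settings",                 r"\\Control Panel\\International\\Geo\\Nation"),
    ("Maps connected drives based on registry",           r"\\Services\\Disk\\Enum"),
]]
ANTI_VM_RULES = {
    "Looks for VirtualBox Guest Additions in registry",
    "Looks for VMWare Tools registry key",
    "Checks BIOS information in registry",
    "Maps connected drives based on registry",
}

POWERSHELL_IMAGE = re.compile(r"(^|\\)(powershell|pwsh)\.exe$", re.IGNORECASE)
# Add-MpPreference followed anywhere later by one of the exclusion switches.
MP_EXCLUSION = re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Extension|Process)\b", re.IGNORECASE)


def match_registry(path):
    """Return the signature whose key pattern the queried path falls under, else None."""
    for name, rx in REG_RULES:
        if rx.search(path):
            return name
    return None


def match_process(image, cmdline):
    """PowerShell adding a Defender exclusion (the report's PowerShell signature)."""
    if POWERSHELL_IMAGE.search(image) and MP_EXCLUSION.search(cmdline):
        return "Command and Scripting Interpreter: PowerShell"
    return None


def evaluate(events):
    """Map pid -> sorted list of signature names that fired for that process."""
    fired = {}
    for ev in events:
        name = None
        if ev["kind"] == "reg":
            name = match_registry(ev["path"])
        elif ev["kind"] == "proc":
            name = match_process(ev["image"], ev["cmdline"])
        if name:
            fired.setdefault(ev["pid"], set()).add(name)
    return {pid: sorted(names) for pid, names in fired.items()}


def is_sandbox_evasion(names, min_checks=3):
    """A single anti-VM key read is noise; require several distinct checks from
    one process before calling it sandbox evasion."""
    return len(ANTI_VM_RULES.intersection(names)) >= min_checks


if __name__ == "__main__":
    for pid, names in evaluate(EVENTS).items():
        print(f"pid {pid}: sandbox evasion = {is_sandbox_evasion(names)}")
        for n in names:
            print("   ", n)
```

Scoring per process rather than per event is the point: the process that both reads four virtualisation-related keys and adds a Defender exclusion is the one to pull memory from, and the SetThreadContext signature above tells you to look in any child process it created suspended as well.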

MITRE ATT&CK Enterprise v15

Tasks