General
Target: f92d115c8a7e6a38aade6aad038c49dd_JaffaCakes118
Size: 734KB
Sample: 241217-2w85aaspeq
MD5: f92d115c8a7e6a38aade6aad038c49dd
SHA1: 81aed899b36ca58821b3c7b06ea56a0e8942a433
SHA256: 003516e2f71004adc351d3d03f41c642c5f56f9ea1ac4d3369ec51550e69e0f1
SHA512: f2d643ca42490584364dda4610aedb21a7f872f09cdddb9aef43117a61c296f67128314df532ca9360fcb88435ee4e985634c72e29a6767c33b378eefcc1755e
SSDEEP: 12288:5N+NSn2iNeHK7zatLJ8FebazVp5VKhsA1dsGlnVIaVr3ySCp1W9+RP:5NMk1b2l4ebaHnKv3sqIaVr4I+
Static task: static1
Behavioral task: behavioral1
Sample: f92d115c8a7e6a38aade6aad038c49dd_JaffaCakes118.exe
Resource: win7-20240903-en
Malware Config
Extracted
formbook
4.1
xgmi
Targets
- Formbook family
- Formbook payload
- Looks for VirtualBox Guest Additions in registry
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Looks for VMware Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (2)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)