General

  • Target

    f92d115c8a7e6a38aade6aad038c49dd_JaffaCakes118

  • Size

    734KB

  • Sample

    241217-2w85aaspeq

  • MD5

    f92d115c8a7e6a38aade6aad038c49dd

  • SHA1

    81aed899b36ca58821b3c7b06ea56a0e8942a433

  • SHA256

    003516e2f71004adc351d3d03f41c642c5f56f9ea1ac4d3369ec51550e69e0f1

  • SHA512

    f2d643ca42490584364dda4610aedb21a7f872f09cdddb9aef43117a61c296f67128314df532ca9360fcb88435ee4e985634c72e29a6767c33b378eefcc1755e

  • SSDEEP

    12288:5N+NSn2iNeHK7zatLJ8FebazVp5VKhsA1dsGlnVIaVr3ySCp1W9+RP:5NMk1b2l4ebaHnKv3sqIaVr4I+

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

xgmi

Decoy

ivouty.icu

bgilroy.com

dgden.com

grosse-schware.com

mandos.tech

deedv.com

the724lab.com

dulcepicor.com

cupsandkids.com

albertafutsal.com

ponthierandson.com

tiendaewin.com

200garden.com

f9753.com

cognitivehearingspecialist.com

pikypets.com

dimestorecowgirlscompany.com

reefervannetwork.com

umf2.com

yoniwater.com

Targets

    • Target

      f92d115c8a7e6a38aade6aad038c49dd_JaffaCakes118

    • Size

      734KB

    • MD5

      f92d115c8a7e6a38aade6aad038c49dd

    • SHA1

      81aed899b36ca58821b3c7b06ea56a0e8942a433

    • SHA256

      003516e2f71004adc351d3d03f41c642c5f56f9ea1ac4d3369ec51550e69e0f1

    • SHA512

      f2d643ca42490584364dda4610aedb21a7f872f09cdddb9aef43117a61c296f67128314df532ca9360fcb88435ee4e985634c72e29a6767c33b378eefcc1755e

    • SSDEEP

      12288:5N+NSn2iNeHK7zatLJ8FebazVp5VKhsA1dsGlnVIaVr3ySCp1W9+RP:5NMk1b2l4ebaHnKv3sqIaVr4I+

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

    • Formbook family

    • Formbook payload

    • Looks for VirtualBox Guest Additions in registry

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks