General

  • Target

    fe740e7999ea046c611b6af048228301_JaffaCakes118

  • Size

    846KB

  • Sample

    241219-e6nvrsykbw

  • MD5

    fe740e7999ea046c611b6af048228301

  • SHA1

    b11b855d1328255503fd2e3d86260293af0fef8a

  • SHA256

    e53afd0b5fd432a725fce3ee514f9bf7e58b54b06c096640c0672faf7eb209b5

  • SHA512

    c6eef694077d945c92dab79d1f99b349d71fa65f0a9dbece5a86f9e400e85c9c6b0ffd8d2236e4cde1ab97728762262bc6e2272a33e9f561418d3c56ce16f617

  • SSDEEP

    24576:AAsnEguXVgHgteHLHyLWf6A1Ti2KIzoGsrq34MeWjc:3tFWfV4MeWj

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

qg0x

Decoy


Targets

    • Formbook

      Formbook is an information-stealing malware family.

    • Formbook family

    • Formbook payload

    • Looks for VirtualBox Guest Additions in registry

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Looks for VMware Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks