General

  • Target

    JaffaCakes118_530510ea2c39f0e2984eb108dd91b31fa861718d9d875aaf353f6574aa433647

  • Size

    374KB

  • Sample

    241223-rc7f8s1qel

  • MD5

    17d0c744f89393ac5911f70e9144a63c

  • SHA1

    297a571a32bedd89ef3071457697b29b434fde9c

  • SHA256

    530510ea2c39f0e2984eb108dd91b31fa861718d9d875aaf353f6574aa433647

  • SHA512

    bc5fc43b51f554d26acc40043ea10d21f57b03f4d76435be93b43b8b5b084fe1cf018c5b2f9c5e5ef5e90936413d833b696108fd69324aabf897c3b49f931771

  • SSDEEP

    6144:TZoyY9VwHhoJachMTKyOg4lrUupHy7456Kh6+/LPf81CD5tzKyer6IBMX:909OBoEcMKyOxIupgg6QDkg7LyXY

Malware Config

Extracted

Family

formbook

Campaign

ah5g

Decoy

wReSyw0+RXB9dOy3kw==

Mje7ZN4AqSDHqWC1

5l8DIF3lJCgYq1grAXaPXqfyVHnB

2yzJ2v0xCurT2fvWrRcjCzblO9c=

GA0puQ1MMi53/hai

HcK10MEkj/my0vq6

/eYRSqPBgN5mIFYdwhhNPx4qKcA=

QrJjn3pVSWJS6475YqG+m+dcqQpGhro=

/PIhV6hz2lTnpEqs

IfnU8x2W9a3nm8s=

oyfXKKI/e2Z1pbd5V/qLNnOhqQ==

CAUhKPVikYla3ZNZPMVP3EUxEzuktfKD8A==

7CHCZd4BqyDHqWC1

3zzpmQsz8GTjBrKZIldeuv0=

gv+8bdOi/XLc9Jgmzak1

DHUSvjFMIJpgmNCkn4lab6dr

YLszW53Yz3/NTUVOuww=

PNN6m5J7Uoodo1bFQrPcNnOhqQ==

E5pVg8MGG+NEbQNOH+WLNnOhqQ==

GO/g98tDkI6CdOy3kw==

Targets

    • Target

      8df5da115c8287798fe9d01446bcad9e56020c15328257b305503f77ce1b8dd9

    • Size

      458KB

    • MD5

      b9d18f0b735dea8d38a0b7cc9db54546

    • SHA1

      46b618a3134e02b343536c3c35fb44c64d1150c4

    • SHA256

      8df5da115c8287798fe9d01446bcad9e56020c15328257b305503f77ce1b8dd9

    • SHA512

      ac92fbe7548d7eb60bc2232497ce08fbea5eed4d5a6ac488ff8a89d7d80b51392dec8012d935b81536bf31d36a521302405a85a34c3c908111f67ce4839a832e

    • SSDEEP

      6144:ZxlZd712A3TemiYjAKD+DrL/f01XcnNRHolwNADBuHzo1N8L:Hl7oE7iCAc+/L/cZPlgSBuTo1

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

    • Formbook family

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader family

    • Xloader payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks