Overview

overview

10

Static

static

WW14.exe

windows7_x64

10

WW14.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    WW14.bmp

  • Size

    232KB

  • Sample

    220525-2qn7xsefc2

  • MD5

    5546c1ab6768292b78c746d9ea627f4a

  • SHA1

    be3bf3f21b6101099bcfd7203a179829aea4b435

  • SHA256

    93708ec7bc1f9f7581cc2e1310a46000ad38128e19eb1e92db88e59d425b3e15

  • SHA512

    90d341f42f80c99558b9659e6cc39f7211acaf4010234c51f7cc66d729102f25b50bf29688ee29b8a4031b4f35d4666617a278ba1754c96c26aa6759027f601f

Score
10/10
ffdroidersocelarsbootkitevasionpersistencespywarestealersuricatatrojanvmprotect

Malware Config

Extracted

Family

socelars

C2

https://sa-us-bucket.s3.us-east-2.amazonaws.com/hfber54/

Targets

    • Target

      WW14.bmp

    • Size

      232KB

    • MD5

      5546c1ab6768292b78c746d9ea627f4a

    • SHA1

      be3bf3f21b6101099bcfd7203a179829aea4b435

    • SHA256

      93708ec7bc1f9f7581cc2e1310a46000ad38128e19eb1e92db88e59d425b3e15

    • SHA512

      90d341f42f80c99558b9659e6cc39f7211acaf4010234c51f7cc66d729102f25b50bf29688ee29b8a4031b4f35d4666617a278ba1754c96c26aa6759027f601f

    Score
    10/10
    evasionspywarestealersuricatatrojanffdroidersocelarsbootkitpersistencevmprotect

    • FFDroider

      Stealer targeting social media platform users first seen in April 2022.

      stealerffdroider

    • FFDroider Payload

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

      stealersocelars

    • Socelars Payload

    • suricata: ET MALWARE Win32/FFDroider CnC Activity M2

      suricata: ET MALWARE Win32/FFDroider CnC Activity M2

      suricata

    • suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3

      suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3

      suricata

    • Downloads MZ/PE file

    • Executes dropped EXE

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence
    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks