fabookie | bbfe7a85b5e34c8b000529b0bac402a6d225ffd0eb2ffdad120326a34e4b7608

Analysis

max time kernel
120s
max time network
131s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28-01-2024 04:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c34cf01cf220a4caf2feaee9a187b77.exe
Size

2.0MB
MD5

7c34cf01cf220a4caf2feaee9a187b77
SHA1

700230ccddb77c860b718aee7765d25847c52cbf
SHA256

bbfe7a85b5e34c8b000529b0bac402a6d225ffd0eb2ffdad120326a34e4b7608
SHA512

b2c24c363ce8bdda92c4def2afa57995cf0ed7b0feda1082a979f14edc73b87ce171adcf337dd85a9b5b5daaa90471a65a3f7506a02da3af92e2e7b56451baa3
SSDEEP

49152:pAI+GLL2AQz69OdZfqfQufZWVhqBRtK0P9aUlcaS:pAI+rAQzmOdZfqf1wEjPI0w

Score

10^/10

fabookie ffdroider discovery spyware stealer upx

Malware Config

Extracted

Family

ffdroider

http://186.2.171.3

Signatures

Detect Fabookie payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000016d8c-23.dat	family_fabookie
behavioral1/files/0x0007000000016d8c-25.dat	family_fabookie

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider payload 2 IoCs

resource	yara_rule
behavioral1/memory/540-123-0x0000000000400000-0x000000000062B000-memory.dmp	family_ffdroider
behavioral1/memory/540-146-0x0000000000400000-0x000000000062B000-memory.dmp	family_ffdroider

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie

Nirsoft 2 IoCs

resource	yara_rule
behavioral1/memory/2020-71-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/1344-119-0x0000000000400000-0x0000000000422000-memory.dmp	Nirsoft

Executes dropped EXE 5 IoCs

pid	Process
600	jooyu.exe
540	md8_8eus.exe
624	customer3.exe
2020	jfiag3g_gg.exe
1344	jfiag3g_gg.exe

Loads dropped DLL 7 IoCs

pid	Process
1888	7c34cf01cf220a4caf2feaee9a187b77.exe
1888	7c34cf01cf220a4caf2feaee9a187b77.exe
1888	7c34cf01cf220a4caf2feaee9a187b77.exe
600	jooyu.exe
600	jooyu.exe
600	jooyu.exe
600	jooyu.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000016cfb-61.dat	upx
behavioral1/memory/2020-71-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/files/0x000e000000016cfb-110.dat	upx
behavioral1/memory/1344-119-0x0000000000400000-0x0000000000422000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	ip-api.com

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	7c34cf01cf220a4caf2feaee9a187b77.exe
File created	C:\Program Files (x86)\Company\NewProduct\d	md8_8eus.exe
File created	C:\Program Files (x86)\Company\NewProduct\tmp.edb	md8_8eus.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\jooyu.exe	7c34cf01cf220a4caf2feaee9a187b77.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe	7c34cf01cf220a4caf2feaee9a187b77.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\customer3.exe	7c34cf01cf220a4caf2feaee9a187b77.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	7c34cf01cf220a4caf2feaee9a187b77.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	540	md8_8eus.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 600	1888	7c34cf01cf220a4caf2feaee9a187b77.exe	28
PID 1888 wrote to memory of 600	1888	7c34cf01cf220a4caf2feaee9a187b77.exe	28
PID 1888 wrote to memory of 600	1888	7c34cf01cf220a4caf2feaee9a187b77.exe	28
PID 1888 wrote to memory of 600	1888	7c34cf01cf220a4caf2feaee9a187b77.exe	28
PID 1888 wrote to memory of 540	1888	7c34cf01cf220a4caf2feaee9a187b77.exe	30
PID 1888 wrote to memory of 540	1888	7c34cf01cf220a4caf2feaee9a187b77.exe	30
PID 1888 wrote to memory of 540	1888	7c34cf01cf220a4caf2feaee9a187b77.exe	30
PID 1888 wrote to memory of 540	1888	7c34cf01cf220a4caf2feaee9a187b77.exe	30
PID 600 wrote to memory of 2020	600	jooyu.exe	32
PID 600 wrote to memory of 2020	600	jooyu.exe	32
PID 600 wrote to memory of 2020	600	jooyu.exe	32
PID 600 wrote to memory of 2020	600	jooyu.exe	32
PID 600 wrote to memory of 1344	600	jooyu.exe	33
PID 600 wrote to memory of 1344	600	jooyu.exe	33
PID 600 wrote to memory of 1344	600	jooyu.exe	33
PID 600 wrote to memory of 1344	600	jooyu.exe	33

C:\Users\Admin\AppData\Local\Temp\7c34cf01cf220a4caf2feaee9a187b77.exe
"C:\Users\Admin\AppData\Local\Temp\7c34cf01cf220a4caf2feaee9a187b77.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Program Files (x86)\Company\NewProduct\jooyu.exe
  "C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:600
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    - Executes dropped EXE
    PID:2020
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    - Executes dropped EXE
    PID:1344
- C:\Program Files (x86)\Company\NewProduct\customer3.exe
  "C:\Program Files (x86)\Company\NewProduct\customer3.exe"
  2⤵
  - Executes dropped EXE
  PID:624
- C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
  "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Company\NewProduct\customer3.exe

Filesize
900KB

MD5
9499dac59e041d057327078ccada8329

SHA1
707088977b09835d2407f91f4f6dbe4a4c8f2fff

SHA256
ca607b3f03dd62f3ac9648087f30f502540be9944ef38b3ca622c2b9bcef06b9

SHA512
9d78de87d752902587a77d410de012b626dabf5d3a8576f90a9f1056f7a9866a442132defb3b99f2a12346571bcec29dccad5c27cdd59222a51518ceab3fc397

Download Submit
C:\Program Files (x86)\Company\NewProduct\customer3.exe

Filesize
758KB

MD5
3ead892c080cec066f1913b06c9eb84a

SHA1
27bfa923e021b5f8a096ac3cf47f3c47c2507e17

SHA256
8bc19c3b9b05ce615a1eb168bb20a547bfb2c081a729b4d9204cf9fd8e0a51e1

SHA512
b2d9f61296046b40d072dc31e3c09cb031f3b129dd81470901573fdb40135ed6a9ee7a8d613c994525e858bc0f0fd334ea2d674a13eb806405857627834eb82b

Download Submit
C:\Program Files (x86)\Company\NewProduct\jooyu.exe

Filesize
971KB

MD5
aed57d50123897b0012c35ef5dec4184

SHA1
568571b12ca44a585df589dc810bf53adf5e8050

SHA256
096021eb5950ee16b7ec51756abe05f90c3530206e16286e7610b8a5a544a85e

SHA512
ea0ee3a0762baa3539e8026a8c624ad897efe005faadcf1ff67ebfc555f29b912b24ad4342d5e0c209f36f5288867246bd1bdfed7df739e608a72fa7b4fa2d7c

Download Submit
C:\Program Files (x86)\Company\NewProduct\jooyu.exe

Filesize
833KB

MD5
4895c687596f2fbb7adba748d1b6501f

SHA1
9982320528cb0e075e1fcfd34a6ebc313b03369e

SHA256
cda734217d830b2c78c3798ffe16c31ba2412e888d0a3c4f66c81f8ada2bf291

SHA512
141d0e72e97632570b3ee45b34370db1e3a26e35b2d2b53bf1403ff8133755910d649e94e1bbc487657b01f5ebfb93a8b581bd86703210e008876c074d6a8845

Download Submit
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe

Filesize
921KB

MD5
a3ec5ee946f7b93287ba9cf7facc6647

SHA1
3595b700f8e41d45d8a8d15b42cd00cc19922647

SHA256
5816801baeff9b520d4dfd930ccf147ae31a1742ff0c111c6becc87d402434f0

SHA512
63efc7b19cd3301bdb4902d8ea59cae4e6c96475f6ea8215f9656a503ad763af0453e255a05dedce6dd1f6d17db964e9da1a243824676cf9611dc22974d687a6

Download Submit
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe

Filesize
765KB

MD5
5a0ae0c42f748aab1a129c92278f05d6

SHA1
ed15ff1b9f3569b9f414db08e146fc1047d98a98

SHA256
62f22b1b8a1da746e7e626a09d6aab765cbb30705ed928a3d8a4c16801ab88e3

SHA512
4c0f4059bd36358726b3a9f500a1f637228bc1d3d19f2d0c168f7c08c30c99b37b71a77d0d1aa7c4552892dae05becd05b01ee1fc476a8496f95b32ae21af8be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c2a6d41560a3137af0de48154b837b37

SHA1
afc1834d92ffaf6ec1bc9b11fceea7bf5e056179

SHA256
428fb376a8fc0e9118cfddaf13431eaee26910ec29b60bf17873a11af4c72441

SHA512
823e29a7cf086dd64dcd32abb6c224b285c7a0d7340e984a65f05811198cf4f843e709473560598b7b52ddc5dedc5433e326c4c48a8ecc2f2ad5234b627c494e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8AB5.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA6AC.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

Filesize
31B

MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
\Program Files (x86)\Company\NewProduct\md8_8eus.exe

Filesize
699KB

MD5
bc17f10c72f20ea7ca5a7dbf1edffd6b

SHA1
b991efedb84fa2cfada9f683f53ccc0cb171dbcd

SHA256
509d5a269e3af7aeb1093c33b116d3b7d710fd1f53f4399dcf4d52062b6c03f4

SHA512
4d47ccf0c1fec92ddcf7eeb6a47b3665ad160377f5ebe228fe0d619659f06c2d0e39fac77de6a93759c22fe179c66953cfcdd87f235610026d7d6130a05137df

Download Submit
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

Filesize
184KB

MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

Filesize
61KB

MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
memory/540-40-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/540-123-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/540-124-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/540-136-0x0000000003680000-0x0000000003690000-memory.dmp

Filesize
64KB

Download
memory/540-146-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/540-41-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/540-130-0x0000000003020000-0x0000000003030000-memory.dmp

Filesize
64KB

Download
memory/600-120-0x00000000004B0000-0x00000000004D2000-memory.dmp

Filesize
136KB

Download
memory/600-128-0x00000000004B0000-0x00000000004D2000-memory.dmp

Filesize
136KB

Download
memory/600-116-0x00000000004B0000-0x00000000004D2000-memory.dmp

Filesize
136KB

Download
memory/600-68-0x00000000020F0000-0x000000000214B000-memory.dmp

Filesize
364KB

Download
memory/600-69-0x00000000020F0000-0x000000000214B000-memory.dmp

Filesize
364KB

Download
memory/600-126-0x00000000020F0000-0x000000000214B000-memory.dmp

Filesize
364KB

Download
memory/600-127-0x00000000004B0000-0x00000000004D2000-memory.dmp

Filesize
136KB

Download
memory/1344-119-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1888-35-0x00000000036E0000-0x000000000390B000-memory.dmp

Filesize
2.2MB

Download
memory/1888-39-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2020-71-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download