Analysis

  • max time kernel
    29s
  • max time network
    64s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-01-2024 04:54

General

  • Target

    7c34cf01cf220a4caf2feaee9a187b77.exe

  • Size

    2.0MB

  • MD5

    7c34cf01cf220a4caf2feaee9a187b77

  • SHA1

    700230ccddb77c860b718aee7765d25847c52cbf

  • SHA256

    bbfe7a85b5e34c8b000529b0bac402a6d225ffd0eb2ffdad120326a34e4b7608

  • SHA512

    b2c24c363ce8bdda92c4def2afa57995cf0ed7b0feda1082a979f14edc73b87ce171adcf337dd85a9b5b5daaa90471a65a3f7506a02da3af92e2e7b56451baa3

  • SSDEEP

    49152:pAI+GLL2AQz69OdZfqfQufZWVhqBRtK0P9aUlcaS:pAI+rAQzmOdZfqf1wEjPI0w

Malware Config

Signatures

  • Detect Fabookie payload 1 IoCs
  • FFDroider

    Stealer targeting social media platform users, first seen in April 2022.

  • Fabookie

    Fabookie is a Facebook account info stealer.

  • Nirsoft 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 5 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX or a modified build of the UPX open-source packer.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7c34cf01cf220a4caf2feaee9a187b77.exe
    "C:\Users\Admin\AppData\Local\Temp\7c34cf01cf220a4caf2feaee9a187b77.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:3296
    • C:\Program Files (x86)\Company\NewProduct\jooyu.exe
      "C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1756
      • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        3⤵
        • Executes dropped EXE
        PID:2284
      • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:3832
    • C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
      "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
      2⤵
      • Executes dropped EXE
      PID:4684
    • C:\Program Files (x86)\Company\NewProduct\customer3.exe
      "C:\Program Files (x86)\Company\NewProduct\customer3.exe"
      2⤵
      • Executes dropped EXE
      PID:2676
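
The process tree above, read together with the signatures, describes a behavioral chain: the submitted sample runs from the user's Temp directory, drops and executes three EXEs under C:\Program Files (x86)\Company\NewProduct, and jooyu.exe twice launches a second Temp executable with a `/scookiestxt <output file>` argument (the report tags this tool as NirSoft), after which fj4ghga23_fsa.txt appears in Temp. The Python below is an added example, not part of the sandbox report: it runs detection logic over constructed process-creation events that mirror this tree (PIDs and paths taken from the report; the explorer.exe parent with PID 1000, the benign notepad.exe control, and the pairing of the two jfiag3g_gg.exe hashes with PIDs 2284 and 3832 are assumptions), flags the dropped-EXE and cookie-export behaviours, matches the report's SHA-256 IoCs, and walks each hit back to the root process to contain.

```python
"""Behavioural detection over Sysmon-style process-creation events.

Added example; the events below are constructed to mirror the process tree in
the sandbox report and are not real telemetry from the page.
"""
import re
from dataclasses import dataclass

# SHA-256 values copied from the report's General and Downloads sections.
KNOWN_SHA256 = {
    "bbfe7a85b5e34c8b000529b0bac402a6d225ffd0eb2ffdad120326a34e4b7608",  # submitted sample
    "ca607b3f03dd62f3ac9648087f30f502540be9944ef38b3ca622c2b9bcef06b9",  # customer3.exe
    "096021eb5950ee16b7ec51756abe05f90c3530206e16286e7610b8a5a544a85e",  # jooyu.exe
    "5816801baeff9b520d4dfd930ccf147ae31a1742ff0c111c6becc87d402434f0",  # md8_8eus.exe
    "a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59",  # jfiag3g_gg.exe (184KB)
    "8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181",  # jfiag3g_gg.exe (61KB)
}


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str
    sha256: str = ""


# Paths observed in the report; anchored and case-insensitive.
DROP_DIR = re.compile(
    r"^[a-z]:\\program files( \(x86\))?\\company\\newproduct\\[^\\]+\.exe$", re.I)
TEMP_EXE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\[^\\]+\.exe$", re.I)
# The NirSoft-style cookie export switch seen on the jfiag3g_gg.exe command line.
COOKIE_EXPORT = re.compile(r"(?:^|\s)/scookiestxt\s+\S", re.I)


def classify(events):
    """Return {pid: [reasons]} for every event that trips at least one rule."""
    by_pid = {e.pid: e for e in events}
    hits = {}
    for e in events:
        reasons = []
        if e.sha256 and e.sha256.lower() in KNOWN_SHA256:
            reasons.append("known_hash")
        parent = by_pid.get(e.ppid)
        # "Executes dropped EXE": Program Files child spawned by a Temp-resident parent.
        if DROP_DIR.match(e.image) and parent is not None and TEMP_EXE.match(parent.image):
            reasons.append("dropped_exe_from_temp_parent")
        # Temp-resident binary told to dump browser cookies to a text file.
        if TEMP_EXE.match(e.image) and COOKIE_EXPORT.search(e.cmdline):
            reasons.append("cookie_export_from_temp")
        if reasons:
            hits[e.pid] = reasons
    return hits


def root_causes(events, hits):
    """For each hit, climb to the outermost flagged ancestor: the process to kill first."""
    by_pid = {e.pid: e for e in events}
    roots = set()
    for pid in hits:
        cur = pid
        while by_pid[cur].ppid in hits:
            cur = by_pid[cur].ppid
        roots.add(cur)
    return roots


def _ev(pid, ppid, image, args="", sha256=""):
    # Mirrors the report: quoted image when no args, bare image + args otherwise.
    cmdline = f'"{image}"' if not args else f"{image} {args}"
    return ProcEvent(pid, ppid, image, cmdline, sha256)


TMP = r"C:\Users\Admin\AppData\Local\Temp"
PF = r"C:\Program Files (x86)\Company\NewProduct"
COOKIE_ARGS = f"/scookiestxt {TMP}\\fj4ghga23_fsa.txt"

# Constructed events. PIDs 3296/1756/2284/3832/4684/2676 come from the report;
# explorer.exe (PID 1000), notepad.exe (PID 5555) and the hash-to-PID pairing
# for the two jfiag3g_gg.exe runs are assumptions.
SAMPLE_EVENTS = [
    _ev(1000, 900, r"C:\Windows\explorer.exe"),
    _ev(3296, 1000, TMP + r"\7c34cf01cf220a4caf2feaee9a187b77.exe", "",
        "bbfe7a85b5e34c8b000529b0bac402a6d225ffd0eb2ffdad120326a34e4b7608"),
    _ev(1756, 3296, PF + r"\jooyu.exe", "",
        "096021eb5950ee16b7ec51756abe05f90c3530206e16286e7610b8a5a544a85e"),
    _ev(2284, 1756, TMP + r"\jfiag3g_gg.exe", COOKIE_ARGS,
        "a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59"),
    _ev(3832, 1756, TMP + r"\jfiag3g_gg.exe", COOKIE_ARGS,
        "8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181"),
    _ev(4684, 3296, PF + r"\md8_8eus.exe", "",
        "5816801baeff9b520d4dfd930ccf147ae31a1742ff0c111c6becc87d402434f0"),
    _ev(2676, 3296, PF + r"\customer3.exe", "",
        "ca607b3f03dd62f3ac9648087f30f502540be9944ef38b3ca622c2b9bcef06b9"),
    _ev(5555, 1000, r"C:\Windows\System32\notepad.exe"),  # benign control, must not fire
]

if __name__ == "__main__":
    found = classify(SAMPLE_EVENTS)
    for pid, reasons in sorted(found.items()):
        print(pid, ", ".join(reasons))
    print("root process(es) to contain:", sorted(root_causes(SAMPLE_EVENTS, found)))
```

The hash rule only catches these exact builds; the two path and command-line rules are what carry over to a re-packed sample, since the drop directory name and the cookie-export switch are the behaviour the report records, not the bytes.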

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files (x86)\Company\NewProduct\customer3.exe

    Filesize

    900KB

    MD5

    9499dac59e041d057327078ccada8329

    SHA1

    707088977b09835d2407f91f4f6dbe4a4c8f2fff

    SHA256

    ca607b3f03dd62f3ac9648087f30f502540be9944ef38b3ca622c2b9bcef06b9

    SHA512

    9d78de87d752902587a77d410de012b626dabf5d3a8576f90a9f1056f7a9866a442132defb3b99f2a12346571bcec29dccad5c27cdd59222a51518ceab3fc397

  • C:\Program Files (x86)\Company\NewProduct\jooyu.exe

    Filesize

    971KB

    MD5

    aed57d50123897b0012c35ef5dec4184

    SHA1

    568571b12ca44a585df589dc810bf53adf5e8050

    SHA256

    096021eb5950ee16b7ec51756abe05f90c3530206e16286e7610b8a5a544a85e

    SHA512

    ea0ee3a0762baa3539e8026a8c624ad897efe005faadcf1ff67ebfc555f29b912b24ad4342d5e0c209f36f5288867246bd1bdfed7df739e608a72fa7b4fa2d7c

  • C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe

    Filesize

    921KB

    MD5

    a3ec5ee946f7b93287ba9cf7facc6647

    SHA1

    3595b700f8e41d45d8a8d15b42cd00cc19922647

    SHA256

    5816801baeff9b520d4dfd930ccf147ae31a1742ff0c111c6becc87d402434f0

    SHA512

    63efc7b19cd3301bdb4902d8ea59cae4e6c96475f6ea8215f9656a503ad763af0453e255a05dedce6dd1f6d17db964e9da1a243824676cf9611dc22974d687a6

  • C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

    Filesize

    31B

    MD5

    b7161c0845a64ff6d7345b67ff97f3b0

    SHA1

    d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

    SHA256

    fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

    SHA512

    98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

  • C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

    Filesize

    1KB

    MD5

    83f395602cd1d8a52950001e01a55219

    SHA1

    74d13664e20cbb5a063b5360646f7832ba99d4e8

    SHA256

    37ab818686d3c56fb1ffc9bdb54c9a27b43d338099dfab18df73240fe4647bbe

    SHA512

    5a959b56e6be5ee162cab1a78a7fe3d5ff7c3fe83cf7bc6e13e8dfaecf7fad4d562bebeb50ce2d2edfbcb5b480187908aed7afc12dbed3aa8536ab03b800f1da

  • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

    Filesize

    184KB

    MD5

    7fee8223d6e4f82d6cd115a28f0b6d58

    SHA1

    1b89c25f25253df23426bd9ff6c9208f1202f58b

    SHA256

    a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

    SHA512

    3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

  • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

    Filesize

    61KB

    MD5

    a6279ec92ff948760ce53bba817d6a77

    SHA1

    5345505e12f9e4c6d569a226d50e71b5a572dce2

    SHA256

    8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

    SHA512

    213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

  • memory/2284-56-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

  • memory/2284-51-0x0000000000400000-0x000000000045B000-memory.dmp

    Filesize

    364KB

  • memory/3296-52-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/3832-63-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/3832-69-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/4684-39-0x00000000001C0000-0x00000000001C3000-memory.dmp

    Filesize

    12KB

  • memory/4684-37-0x0000000000400000-0x000000000062B000-memory.dmp

    Filesize

    2.2MB