General

  • Target

    Fire in the Hole (Sped Up) - GD Sound Effect.mp3

  • Size

    25KB

  • Sample

    240222-sgbqssbh58

  • MD5

    afdd226c4578d5d24614a3f11a1adcfe

  • SHA1

    cc4179fe0a74bcf0047970537af9f56f8be80b09

  • SHA256

    69bb2e09a8eb98e7d5e4f923591a70218dc05ceb5bb21a17c0bb667ae63004ad

  • SHA512

    62578b5abbd2208404c116ef77dea53227d3d37194e7903f0fb3751f9c3f443cdb06461147f0e011df70dccac053faa28f0a61b436419439345ea0e208767009

  • SSDEEP

    384:q8aFqcbaTCDWdbwB+Rr1cnPF86irfPu590+ykKK6sbaevZFRGaE0ryYj:Yf2TCMCddirfPQ90XkysGCZFREcyYj

Malware Config

Extracted

Family

socks5systemz

C2

http://ejdbfag.ua/search/?q=67e28dd83e0ff228160df91f7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ce8889b5e4fa9281ae978f571ea771795af8e05c643db22f31dfe339426fa12a466c553adb719a9577e55b8603e983a608ef717c1ea959c3e

Targets

    • Target

      Fire in the Hole (Sped Up) - GD Sound Effect.mp3

    • Size

      25KB

    • MD5

      afdd226c4578d5d24614a3f11a1adcfe

    • SHA1

      cc4179fe0a74bcf0047970537af9f56f8be80b09

    • SHA256

      69bb2e09a8eb98e7d5e4f923591a70218dc05ceb5bb21a17c0bb667ae63004ad

    • SHA512

      62578b5abbd2208404c116ef77dea53227d3d37194e7903f0fb3751f9c3f443cdb06461147f0e011df70dccac053faa28f0a61b436419439345ea0e208767009

    • SSDEEP

      384:q8aFqcbaTCDWdbwB+Rr1cnPF86irfPu590+ykKK6sbaevZFRGaE0ryYj:Yf2TCMCddirfPQ90XkysGCZFREcyYj

    • Detect Socks5Systemz Payload

    • Socks5Systemz

      Socks5Systemz is a botnet written in C++.

    • Zloader, Terdot, DELoader, ZeusSphinx

      Zloader is a malware strain that was initially discovered back in August 2015.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops Chrome extension

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks