Overview

overview

10

Static

static

3

26f28bf2dc...18.exe

windows7-x64

10

26f28bf2dc...18.exe

windows10-2004-x64

10

setup_installer.exe

windows7-x64

10

setup_installer.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    26f28bf2dc2b6afc0dd99cb6ea3879b8_JaffaCakes118

  • Size

    3.4MB

  • Sample

    240329-tz5x2acd5v

  • MD5

    26f28bf2dc2b6afc0dd99cb6ea3879b8

  • SHA1

    9270b9f48e2d14cc2cbed61ee2e2389d5f69ce05

  • SHA256

    5f30eae71c1b0d08e7ec5adfc9a0dc98078595502b60a584a8df5cdf8cacf7fa

  • SHA512

    5a350373e87673c9ba39e5353bea1d7c1f2f7bc62a703ed13e892e69037008f3e2accadbdd0ec0bd976e54c68b79dfad6fb37517dd55448cac4d9d74ae8a037b

  • SSDEEP

    49152:Egt2s56svyN2jXEBd7L5wr25IUoEI2csF5eLH+wCkBEy882Ffa72hNLr7xup20ns:JuGy4QCqam5eLbCmEy8HFfacLY1ash4

Score
10/10
fabookiegcleanernullmixeronlyloggerprivateloaderredlinesectopratsmokeloaderanimedia12pub5sheaspackv2backdoordropperinfostealerloaderratspywarestealertrojan

Malware Config

Extracted

Family

privateloader

C2

http://45.133.1.107/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

51.178.186.149

Extracted

Family

redline

Botnet

she

C2

135.181.129.119:4805

Attributes
  • auth_value

    b69102cdbd4afe2d3159f88fb6dac731

Extracted

Family

smokeloader

Botnet

pub5

Extracted

Family

gcleaner

C2

ggg-cl.biz

45.9.20.13

Extracted

Family

redline

Botnet

media12

C2

91.121.67.60:2151

Attributes
  • auth_value

    e37d5065561884bb54c8ed1baa6de446

Extracted

Family

smokeloader

Version

2020

C2

http://gmpeople.com/upload/

http://mile48.com/upload/

http://lecanardstsornin.com/upload/

http://m3600.com/upload/

http://camasirx.com/upload/
rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

ANI

C2

45.142.215.47:27643

Attributes
  • auth_value

    9491a1c5e11eb6097e68a4fa8627fda8

Extracted

Family

nullmixer

C2

http://hsiens.xyz/

Targets

    • Target

      26f28bf2dc2b6afc0dd99cb6ea3879b8_JaffaCakes118

    • Size

      3.4MB

    • MD5

      26f28bf2dc2b6afc0dd99cb6ea3879b8

    • SHA1

      9270b9f48e2d14cc2cbed61ee2e2389d5f69ce05

    • SHA256

      5f30eae71c1b0d08e7ec5adfc9a0dc98078595502b60a584a8df5cdf8cacf7fa

    • SHA512

      5a350373e87673c9ba39e5353bea1d7c1f2f7bc62a703ed13e892e69037008f3e2accadbdd0ec0bd976e54c68b79dfad6fb37517dd55448cac4d9d74ae8a037b

    • SSDEEP

      49152:Egt2s56svyN2jXEBd7L5wr25IUoEI2csF5eLH+wCkBEy882Ffa72hNLr7xup20ns:JuGy4QCqam5eLbCmEy8HFfacLY1ash4

    Score
    10/10
    fabookiegcleanernullmixeronlyloggerprivateloaderredlinesectopratsmokeloaderanimedia12pub5sheaspackv2backdoordropperinfostealerloaderratspywarestealertrojan

    • Detect Fabookie payload

    • Fabookie

      Fabookie is facebook account info stealer.

      spywarestealerfabookie

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

      loadergcleaner

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

      droppernullmixer

    • OnlyLogger

      A tiny loader that uses IPLogger to get its payload.

      loaderonlylogger

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • OnlyLogger payload

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      setup_installer.exe

    • Size

      3.4MB

    • MD5

      142e9310a455d1fffccf79e72115a389

    • SHA1

      9661f067ab05bec2cdcf29833e0d03dc91e67d13

    • SHA256

      b7331f5aa85435a4e4f478603fd399969a99fd46e063352289a400d331fb100b

    • SHA512

      3d9ee498135fad1b7f492f632bcac63580cac54cc5f9de4e4cfa0fc0aabaf39f8d037aec87d259be177e399139781b95ad23516599486aa3349ef7572a83d4ff

    • SSDEEP

      49152:xcB6EwJ84vLRaBtIl9mVM/7bKrcgkUv/6Zdn7h5D9wJEmS7BVgEDThnHirtWbo:xcCvLUBsgi6Ig5vS7LD9PFPF6p

    Score
    10/10
    fabookiegcleanernullmixeronlyloggerprivateloaderredlinesectopratsmokeloaderanimedia12pub5aspackv2backdoordropperinfostealerloaderratspywarestealertrojanshe

    • Detect Fabookie payload

    • Fabookie

      Fabookie is facebook account info stealer.

      spywarestealerfabookie

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

      loadergcleaner

    • NullMixer

      NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

      droppernullmixer

    • OnlyLogger

      A tiny loader that uses IPLogger to get its payload.

      loaderonlylogger

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • OnlyLogger payload

    • Blocklisted process makes network request

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral3behavioral4

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Subvert Trust Controls

2
T1553

Install Root Certificate

2
T1553.004

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

5
T1012

System Information Discovery

6
T1082

Peripheral Device Discovery

2
T1120

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Web Service

2
T1102

Impact

Resource Development

Reconnaissance

Tasks