Extracted

Extracted

Extracted

• • Target

    4a67cb6ed0cf60ddcf3e45917898dec4_JaffaCakes118

  • Size

    5.1MB

  • MD5

    4a67cb6ed0cf60ddcf3e45917898dec4

  • SHA1

    b219ad475097853384d95a0924727389e8610ccb

  • SHA256

    cebf4c9af84506f3b683d5d4867b739244b6ba595772d583b3455781c4d91b74

  • SHA512

    aa9c91076de6a134df17ef9a2c2b78dc268b7f7dbb2eafa36b63fdfd20b329a58f08e096e2a61dcbbd85399bd8597e08a6e493d1ab1d54fd840918612ff01620

  • SSDEEP

    98304:h3OOqyTG+H9QG7l1rvQjPleoGI9Wek2WiCU+gw6pTslbqXD09r/:9pRl1L0P4or9ytiG6WlmD09r/

  Score

  10^/10

  fabookiegcleanerlgoogloaderonlyloggerpseudomanuscryptredlinesectopratvidar933saddownloaderinfostealerloaderratspywarestealertrojanxmrigminer

  • Detect Fabookie payload

  • Detects LgoogLoader payload

  • Detects PseudoManuscrypt payload

    loader

  • Fabookie

    Fabookie is facebook account info stealer.

    spywarestealerfabookie

  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    loadergcleaner

  • LgoogLoader

    A downloader capable of dropping and executing other malware families.

    downloaderlgoogloader

  • OnlyLogger

    A tiny loader that uses IPLogger to get its payload.

    loaderonlylogger

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • PseudoManuscrypt

    PseudoManuscrypt is a malware Lazarus’s Manuscrypt targeting government organizations and ICS.

    loaderpseudomanuscrypt

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine payload

  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat

  • SectopRAT payload

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig

  • OnlyLogger payload

  • Vidar Stealer

    stealer

  • XMRig Miner payload

    miner

  • Blocklisted process makes network request

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Unexpected DNS network traffic destination

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2