General

Target: a8d5b4fa270a49cc070fcf42ab106ea6_JaffaCakes118
Size: 4.2 MB
Sample: 240403-2s66hsfc3t
MD5: a8d5b4fa270a49cc070fcf42ab106ea6
SHA1: 8ad8be3abdcc2c9fe315a8a72a5f26a3454b9abe
SHA256: 5d7d978a1e749fa8208f5e159d94d283845a1850799afe80aeec4163eb063af1
SHA512: 8feae0f3ae36d79683248e86c97fa03c383f5d715f9f7fecf55e5576b9c6fdddb5b6ebbfe836e48ed4e1eb641b679466e3418712998f4d1835d7deb10f839fd9
SSDEEP: 98304:JgFGhIlJg12cL46XQjaIT8y+iAE+OqUgQ47jmhb:J0fJg1BcjXXxB+OqLb7+b

Static task: static1

Behavioral task: behavioral1
  Sample: a8d5b4fa270a49cc070fcf42ab106ea6_JaffaCakes118.exe
  Resource: win7-20231129-en

Behavioral task: behavioral2
  Sample: a8d5b4fa270a49cc070fcf42ab106ea6_JaffaCakes118.exe
  Resource: win10v2004-20240226-en

Malware Config

Extracted: nullmixer
  http://hsiens.xyz/

Extracted: socelars
  http://www.iyiqian.com/
  http://www.hbgents.top/
  http://www.rsnzhy.com/
  http://www.znsjis.top/

Extracted: vidar
  41.2
  916
  https://mas.to/@serg4325
  profile_id: 916

Extracted: smokeloader
  pub5

Extracted: gcleaner
  ggg-cl.biz
  45.9.20.13

Extracted: redline
  media214
  91.121.67.60:2151
  auth_value: e37d5065561884bb54c8ed1baa6de446

Extracted: smokeloader
  2020
  http://gmpeople.com/upload/
  http://mile48.com/upload/
  http://lecanardstsornin.com/upload/
  http://m3600.com/upload/
  http://camasirx.com/upload/

Targets

Target: a8d5b4fa270a49cc070fcf42ab106ea6_JaffaCakes118
Size: 4.2 MB
MD5: a8d5b4fa270a49cc070fcf42ab106ea6
SHA1: 8ad8be3abdcc2c9fe315a8a72a5f26a3454b9abe
SHA256: 5d7d978a1e749fa8208f5e159d94d283845a1850799afe80aeec4163eb063af1
SHA512: 8feae0f3ae36d79683248e86c97fa03c383f5d715f9f7fecf55e5576b9c6fdddb5b6ebbfe836e48ed4e1eb641b679466e3418712998f4d1835d7deb10f839fd9
SSDEEP: 98304:JgFGhIlJg12cL46XQjaIT8y+iAE+OqUgQ47jmhb:J0fJg1BcjXXxB+OqLb7+b

Signatures:
  Detect Fabookie payload
  RedLine
    RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  RedLine payload
  SectopRAT payload
  Socelars payload
  OnlyLogger payload
  Vidar Stealer
  Blocklisted process makes network request
  Checks computer location settings
    Looks up the country code configured in the registry, likely a geofence.
  Executes dropped EXE
  Loads dropped DLL
  Checks installed software on the system
    Looks up Uninstall key entries in the registry to enumerate software on the system.
  Legitimate hosting services abused for malware hosting/C2
  Looks up external IP address via web service
    Uses a legitimate IP lookup service to find the infected system's external IP.
  Looks up geolocation information via web service
    Uses a legitimate geolocation service to find the infected system's geolocation info.
  Suspicious use of SetThreadContext

Target: setup_installer.exe
Size: 4.1 MB
MD5: 285d53fb7033d07f7c78174e16051576
SHA1: 06f1aeb9d198646a6fa35a40b3eeef8874539073
SHA256: ae66596008f62ccf929050a77e28a7c736db63b417d8319e8f6974151c00b4c8
SHA512: 7b5c37fe655ab9d39b0fe297c217f70bbaa0ca996885266f965b61ea20ea567582f5eb44008464d60edfc7b62462d786674afff99a74c9feb2d4f9a7faa61b75
SSDEEP: 98304:xOCvLUBsgMDQMoD5NXwSF4b8efwHNWznaRibQOoHInvcLB:xHLUCgMDQMADXwSo8e4tpibQBHIkB

Signatures:
  Detect Fabookie payload
  RedLine
    RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  RedLine payload
  SectopRAT payload
  Socelars payload
  OnlyLogger payload
  Vidar Stealer
  Blocklisted process makes network request
  Checks computer location settings
    Looks up the country code configured in the registry, likely a geofence.
  Executes dropped EXE
  Loads dropped DLL
  Checks installed software on the system
    Looks up Uninstall key entries in the registry to enumerate software on the system.
  Drops Chrome extension
  Legitimate hosting services abused for malware hosting/C2
  Looks up external IP address via web service
    Uses a legitimate IP lookup service to find the infected system's external IP.
  Looks up geolocation information via web service
    Uses a legitimate geolocation service to find the infected system's geolocation info.
  Suspicious use of SetThreadContext