Extracted

Extracted

Extracted

Extracted

• • Target

    e39a5fa4c76264ae7d7343e41675a636_JaffaCakes118

  • Size

    2.6MB

  • MD5

    e39a5fa4c76264ae7d7343e41675a636

  • SHA1

    f32530047d0fa1bbdc009c56b2e24a11866370c9

  • SHA256

    d72dd5663947fc7e1bd8903030b3e2fd551d8d938fdc6417d8513a1c4cc49702

  • SHA512

    fbcc846582ea34c97d83accfed1f88fb3259d20ca7e61ab46e8da3f08e6d54bff61000919ed0c1b06f484e1109c654ceb7a946c0ec134a0e103677a421deed5b

  • SSDEEP

    49152:EgDym6jbrFi6tFbcAOtwUxtZcaTcDGBpbaJVyYD6gbbp+zHT8d:JDymKklAywUxtJTcDGBxaJVyIjbQC

  Score

  10^/10

  nullmixersmokeloadervidar933pub5aspackv2backdoordropperevasionspywarestealertrojan

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • NullMixer

    NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    droppernullmixer

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar

  • Vidar Stealer

    stealer

  • ASPack v2.12-2.42

    Detects executables packed with ASPack v2.12-2.42

    aspackv2

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2

• • Target

    setup_installer.exe

  • Size

    2.6MB

  • MD5

    8dc372ce5ee18b0b17a2dd684dafe3f4

  • SHA1

    79797774299499f48b73fd0b33886c3518939be4

  • SHA256

    8a1ac8fa80452bdf92dccba3b48a37286a3ccb6f2621209c699f5cb734599fa6

  • SHA512

    ac1a88ef641773e0f33ae6f73959e5138a8cdb86a24e2b33b95628831f45ab8914a4c7012150278cea0b8f31781de6a89995837548195f4a7044ff10f7b056b9

  • SSDEEP

    49152:xcBrPkZVi7iKiF8cUvFyPf9ttLwTXgp3oC2yI8spQSuJzlEwJ84vLRaBtIl9mTT6:xnri7ixZUvFyPf9ttLwTmn8QReCvLUBU

  Score

  10^/10

  nullmixersmokeloadervidar933pub5aspackv2backdoordropperevasionspywarestealertrojan

  • Modifies Windows Defender Real-time Protection settings

    evasiontrojan

  • NullMixer

    NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    droppernullmixer

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar

  • Vidar Stealer

    stealer

  • ASPack v2.12-2.42

    Detects executables packed with ASPack v2.12-2.42

    aspackv2

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  behavioral3behavioral4