General
-
Target
e9b89f25e9e8d52c313f26e0429068d8_JaffaCakes118
-
Size
2.6MB
-
Sample
240409-lvlplaca53
-
MD5
e9b89f25e9e8d52c313f26e0429068d8
-
SHA1
6b9509635732c7fff640d65911e5a32a01573d4a
-
SHA256
bc10525a0911ba2c9c472e9d7130242e9f4c2c97bb0fce53bc4b97e42f8a2b36
-
SHA512
a1902f04df52cfb0c0fa696beb1fcb69cf6e8eb97e223db2c13524e1057717bdad1552612abfa875e6ec74732bcf44af0d9bf75a4621a081fed7735a3302da74
-
SSDEEP
49152:xcBbPkZVi7iKiF8cUvFyPOtPe3ri/lkmc6dHHpt/KyfI1KV1byEwJ84vLRaBtIly:x7ri7ixZUvFyPcPe3rlwpLfTV1tCvLUZ
Malware Config
Extracted
nullmixer
http://lotzini.xyz/
Extracted
smokeloader
pub5
Extracted
smokeloader
2020
http://conceitosseg.com/upload/
http://integrasidata.com/upload/
http://ozentekstil.com/upload/
http://finbelportal.com/upload/
http://telanganadigital.com/upload/
Extracted
vidar
39.7
933
https://shpak125.tumblr.com/
-
profile_id
933
Targets
-
-
Target
e9b89f25e9e8d52c313f26e0429068d8_JaffaCakes118
-
Size
2.6MB
-
MD5
e9b89f25e9e8d52c313f26e0429068d8
-
SHA1
6b9509635732c7fff640d65911e5a32a01573d4a
-
SHA256
bc10525a0911ba2c9c472e9d7130242e9f4c2c97bb0fce53bc4b97e42f8a2b36
-
SHA512
a1902f04df52cfb0c0fa696beb1fcb69cf6e8eb97e223db2c13524e1057717bdad1552612abfa875e6ec74732bcf44af0d9bf75a4621a081fed7735a3302da74
-
SSDEEP
49152:xcBbPkZVi7iKiF8cUvFyPOtPe3ri/lkmc6dHHpt/KyfI1KV1byEwJ84vLRaBtIly:x7ri7ixZUvFyPcPe3rlwpLfTV1tCvLUZ
Score10/10-
Modifies Windows Defender Real-time Protection settings
-
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar Stealer
-
Modifies Installed Components in the registry
-
ASPack v2.12-2.42
Detects executables packed with ASPack v2.12-2.42
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Impair Defenses
1Disable or Modify Tools
1Modify Registry
3Subvert Trust Controls
1Install Root Certificate
1